Written by Katherine Bennett
Cybersecurity processes and technologies protect our systems from unauthorized access and cyber crime. But what exactly is cybersecurity? At its most basic, cybersecurity is the protection of the devices, applications and data that make up an interconnected system. It goes beyond that definition, though. To introduce the basic vocabulary used to describe cybersecurity, we would like to share the following video, which offers a slightly different take on a cyber crime that gained attention a few years back.
Some Basic Vocabulary
The vocabulary terms presented in the video and a few more are defined below:
Asset: Any data, device, application or process that, if compromised, would result in loss to the business.
Threat: An event that has the potential to cause harm.
Vulnerability: A weakness in design, implementation, operation or controls that can expose the system to a threat.
Cyber Risk: The inherent risk in running interconnected systems; represented by the following equation:
Risk = Threat x Vulnerability x Consequence (of loss/compromise of asset)
Attack: An action taken with the intent to access, disrupt or control a computer system without authorization.
Back Door: A hidden way of bypassing normal authentication and security controls to get into a system.
Trojan Horse: Malicious code disguised as legitimate software or an application.
Brute Force Attack: A prolonged, repetitive attack that tries every possible password, PIN or key until one works; a dictionary attack is the variant that tries a list of likely words first.
Threat Actors or Attackers: Hacktivists, criminals, insiders, espionage, terrorism or warfare.
As you noticed in the video, the ‘organization’ had a few pitfalls in its cybersecurity efforts. A brute force attack succeeds when nothing limits the guessing, and there are several ways the ‘organization’ could have improved its cybersecurity policies to prevent the theft of its data:
First, the ‘organization’ was unprepared for the many threat actors responsible for the cyber crime incident. Taking the time to learn about the different kinds of threat actors helps you assess the threat to your assets when calculating your risk.
The ‘organization’ incorrectly assumed there were zero vulnerabilities in its systems and design. There are always vulnerabilities in a system, because no system is perfect at all times. Do not assume that your assets will never be exposed to a vulnerability.
The ‘organization’ did not have strong enough physical and personnel protections in place. How else could thinly disguised infiltrators gain access to a secure location? Make sure you have a clear policy, known to all employees, that defines exactly which personnel are authorized to access your most secure locations, and that the policy is actually enforced at the door (badge checks, escorted visitors, no holding the door for strangers).
Finally, the ‘organization’ did not have strong password requirements, nor did it have multi-factor authentication. Stronger password requirements (and less predictable file names) make it much harder for unauthorized users to guess their way in. A password should never be a single dictionary word or anything personally tied to an individual; a long passphrase that is unique to each account, combined with a lockout or delay after repeated failed attempts, defeats simple guessing. And had multi-factor authentication been in place, a guessed password alone would not have been enough to reach the data; a one-time code or a fingerprint scan would also have been required.
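To make the last two points concrete, here is a small added example (not code from the original post or from the video). It stores a password the way a service should (salted PBKDF2-SHA256), runs a dictionary-style brute force attack against that stored hash, and then shows that an authentication check which also requires a TOTP code (RFC 6238) rejects the guessed password on its own. The account name, salt, TOTP secret and word list are all constructed for illustration; the `brute_force`, `authenticate` and `keyspace` helpers are hypothetical names chosen for this example.

```python
"""Added example: brute-force guessing a stored password hash, and why a
second factor stops the guessed password from being enough by itself.
All account data and the word list below are constructed for illustration."""
import hashlib
import hmac
import struct
import time
from typing import Iterable, Optional, Tuple

# --- password storage: salted PBKDF2-SHA256 -------------------------------
PBKDF2_ROUNDS = 10_000  # kept low so the brute-force demo runs in well under a second


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # constant-time comparison so the check itself does not leak information
    return hmac.compare_digest(hash_password(password, salt), stored)


# --- second factor: TOTP (RFC 6238, HMAC-SHA1, 30 s step, 6 digits) --------
def totp(secret: bytes, t: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, t: Optional[int] = None) -> bool:
    return hmac.compare_digest(totp(secret, t), code)


# --- constructed account record (hypothetical user, not real credentials) ---
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
TOTP_SECRET = b"constructed-demo-secret-not-real"
ACCOUNT = {
    "user": "jdoe",
    "pw_hash": hash_password("sunshine", SALT),  # a single dictionary word
    "totp_secret": TOTP_SECRET,
}


def authenticate(password: str, code: Optional[str], t: Optional[int] = None) -> bool:
    """Both factors must check out; a guessed password alone is not enough."""
    if not verify_password(password, SALT, ACCOUNT["pw_hash"]):
        return False
    if code is None or not verify_totp(ACCOUNT["totp_secret"], code, t):
        return False
    return True


# --- the attack: try each candidate word against the stored hash ------------
WORDLIST = ["password", "123456", "letmein", "qwerty", "sunshine", "dragon"]  # constructed


def brute_force(stored_hash: bytes, salt: bytes,
                candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (recovered password, guesses made), or (None, guesses) if not found."""
    guesses = 0
    for guess in candidates:
        guesses += 1
        if hmac.compare_digest(hash_password(guess, salt), stored_hash):
            return guess, guesses
    return None, guesses


def keyspace(charset_size: int, length: int) -> int:
    """Number of guesses needed to exhaust every combination of a given length."""
    return charset_size ** length


if __name__ == "__main__":
    found, n = brute_force(ACCOUNT["pw_hash"], SALT, WORDLIST)
    print(f"dictionary attack recovered {found!r} after {n} guesses")
    print("password alone accepted?", authenticate(found, None))
    now = int(time.time())
    print("password + current TOTP accepted?", authenticate(found, totp(TOTP_SECRET, now), now))
    print("guesses to exhaust a 4-digit PIN:", keyspace(10, 4))
    print("guesses to exhaust 12 lowercase letters:", keyspace(26, 12))
```

Two things are worth noticing when you run it. The single-word password falls on the fifth guess even though it is stored properly hashed; only a longer, non-dictionary passphrase (compare `keyspace(26, 12)` with `keyspace(10, 4)`) or a lockout after a few failures changes that. And `authenticate` returns `False` for the recovered password unless a valid code for the current 30-second window is also supplied, which is exactly the protection the ‘organization’ in the video lacked.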
We hope you never encounter the same pitfalls in your own cybersecurity plan. Several resources are available to you, including the NIST Cybersecurity Framework, NIST SP 800-171, and the IES Cybersecurity Awareness Toolkit. We recommend using them as you strengthen your cybersecurity plan.
Want to chat more about your cybersecurity plan? Drop me a line.