Standing still is not an option when it comes to security, as hackers find ever more ingenious and dangerous ways to access and use our information, reports Anthony Harrington

Historically, one of the biggest challenges in IT security for many organisations was defending the organisation’s email against viruses and malware. In recent years, as Mark Overton, Information Security Manager at the IT solutions company Softcat, explains, the major threat switched to attacks on individuals via phishing emails. To start with, this tended to be largely targeted at consumers, and where employees came into the firing line, the hackers’ efforts were still usually directed at gaining access to the individual’s bank account or credit card details.

However, nothing stays still in the war between good and bad in IT, and Overton points out that the focus has again shifted back to email attacks.

This time, however, the email attacks are highly sophisticated, with phishing emails posing as sites that a specific user tends to trust.

The emails themselves, he notes, are frequently high-quality rip-offs of the individual’s bank or a service, such as a logistics delivery company, that the individual under attack frequently makes use of.

The aim is often not so much to thieve from the individual but to get the individual to open up an attachment that can release malware into the organisation’s IT systems. The malware can then create a back door to the network that allows a hacker to gain access to whatever it is they are seeking.

“Where hackers are serious about getting into a company we see some very skilled feats of social engineering. I have seen emails that make reference to the individual’s co-workers, family members or friends, and that look very plausible indeed,” Overton says. He adds that there is now so much personal data available online that skilled hacking attacks can personalise their approach with all sorts of details that make the individual think: “Oh, this must be genuine…”

On top of coping with these sophisticated attacks, midrange companies have their hands full simply dealing with routine but essential day-to-day IT security tasks. Operating systems and many applications require frequent “patching”. These “patches” are released by the software supplier and close exploitable weaknesses and loopholes that the supplier has discovered in their systems. As an aside, it is impossible to conceive of another product type that is sold to user organisations with such inherent weaknesses. IT is a special case in that very few individuals, even in the software developer community, have a sufficiently detailed grasp of the underlying code to be able to make a system hack-proof against determined and highly knowledgeable hackers.

Exploits (areas of code that can be exploited to enable an outsider to gain control of the system) are being discovered all the time and the supplier then has to devise a “patch” to counter the exploit. Microsoft’s products, particularly the Windows operating system, are under constant attack and Microsoft is famous for releasing reams of patches, most of which are “must do” patches to keep the system safe. For a mid-market company’s IT person to keep all the systems patched while still attending to their day job is near impossible. To make matters worse, there have been plenty of instances when newly released patches have actually caused systems to fail.

“What companies have to do is to prioritise which systems they are going to patch, and which are too sensitive to expose to new patches until they have been properly tested and found not to be damaging,” Overton says. Companies need to do a proper IT audit of their systems and get a clear grasp of where the risk actually lies, he says. There is a lot of scaremongering in the press and simply reacting to headlines is not the way to go. “You can’t insure against every risk in business – it just would not make economic sense.

“The same is true with cyber risks. You need to sit down and look at what is happening, and perhaps take consultancy advice, so that you can ensure that where you spend money to defend your systems, you are doing so sensibly,” he comments. Throwing money at the problem just does not work. Softcat offers a wide range of security solutions. “Some clients like to manage everything in-house. Others want to outsource security as much as they can, and a third category is somewhere between the two. We design solutions to suit all requirements,” he comments.

He makes the point that all security solutions in the market are not alike. “This is a very fast moving field. New products are coming along all the time, while at the same time, some traditional suppliers are out there with some very aged products. Selecting appropriate systems is a complex matter and clients need to take advice here,” he warns.

Alongside external threats, companies also need to be aware of the possibility of internal threats. These are not always malicious, Overton notes. “In a number of incidents what we find is that the user organisations have been compromised by a staff member not out of malice, but because the staff member elected to use an application without consulting IT because he or she thought it would help them to do their job,” he comments.

When an online application is breached or downloaded software turns out to be hiding a piece of malware, the cost to the organisation can be off the scale by comparison with the slight benefit the application conferred. IT security has, of course, become a lot more complex over the last few years as organisations have relaxed their IT policies in order to allow staff to use their favourite smartphone or tablet at work. In a “bring your own device (BYOD)” world, the IT department loses some of its ability to control what individuals have on their desktop or laptop. “The traditional boundaries between inside the organisation and outside have blurred irredeemably. What is needed today is for companies to identify what is important to them. They need to look at where the true value of the business resides and protect that segment as opposed to trying to wrap an impregnable wall around the whole organisation,” Overton concludes.