Minor Issues Leading to Major Cyber Incidents

Published on: 09 Jul, 2018
IT has rapidly transformed our world into a global village. Numerous conveniences and automations have revolutionized our lifestyle. Today’s settled life is incomplete without the Internet, connectivity, mobile phones, social media etc. On the other hand, IT has assisted criminals and negative forces as well. Numerous articles and blogs surface on a regular basis concerning cyber security and the controls to safeguard against cyber hackers.

Cyber security has attracted more attention in recent years than in the earlier times of the IT boom. Enterprises do not hesitate to spend handsome amounts on cyber defense because they realize the repercussions of overlooking cyber security. But the question arises whether cyber-attacks have stopped because enterprises have installed cyber security controls. This is not the case. Enterprises are still being attacked, resulting in loss of data, reputation and money.

In today’s article we highlight certain trivial aspects related to cyber security which are often overlooked or given little attention by management and executives.
 

Complacency

At times security controls are bypassed or not configured properly by employees on the incorrect notion that the threats are minimal or unlikely, or because setting up the control is seen as a nuisance. However, it should be noted that attackers always reconnoiter for the weakest areas. Security is like a chain whose strength lies in its weakest link. An option to encrypt a communication that is not adopted, because of a short delay and a tiny bit of extra effort, can lead to exposure and other attacks.
 
 

Unrealistic SOPs

Management devises standing operating procedures (SOPs) for various routine processes in an enterprise. While making the set of rules, people sometimes lose track of the practicability of those guidelines and the rationale for implementing them. Rules can be made strict, but if they are not implementable due to some peculiarities then they become mere eyewash. Not only do they give a false sense of security to the executives but they also lead to a mockery of other realistic rules. Management should make a determined commitment to themselves that any rule or policy once approved will be enforced in letter and spirit. Therefore only doable actions should be expected from staff. For example, if management decides that the enterprise will not allow staff to bring their own devices (BYOD) inside its premises, then this should be implemented as per policy and defaulters should be taken to task. On the other hand, some alternate communication arrangement must be implemented for the employees to cater for their emergencies.
 

Bypassing Security in the Heat of Battle

A very common mistake made in the realm of cyber security is letting your guard down to deal with urgency. In the routine work of an enterprise, almost every hour there is a situation requiring immediate action. Security mechanisms are cumbersome and a nuisance, without doubt. But they are not superfluous. Security cannot be left out as a useless waste of time. Attackers are on the lookout for such situations, when you will not follow the correct procedure for sending a sensitive document or storing a classified piece of information.
 

Bypassing Security for VIP Treatment

Closely related to the earlier point is the issue of bypassing security controls when giving special treatment to high-profile visitors or even the enterprise's own top executives. These actions not only downplay the SOPs but also give leverage to attackers. For example, if an enterprise has a policy that no external IT equipment and portable media can be brought inside a particular laboratory, then the same rule should be applicable to visitors and executives as well.
 

Unpatched and Outdated Software

Updates and upgrades are a frequent issue which administrators have to tackle routinely. As a matter of fact, there are hardly any enterprises which can claim to maintain updated software all the time. The reason is that many software products require frequent updates. Vendors at times keep sending updates on a daily basis. There are instances when a running system is affected by a buggy update. Due to such frictions and issues, administrators sometimes intentionally delay the installation of updates. On the other hand, at times updates address a crucial vulnerability in a piece of software. The moment such an update is released, attackers tend to exploit outdated software. Therefore it is essential that updates and patches are installed immediately, especially the ones pertaining to security.
 

Hybrid Systems

Due to rapid advancements in IT, upgrades to systems are a common feature. However, many times enterprises do not go for a full-scale upgrade; rather, a portion of the system is upgraded and another portion continues to run on legacy technology. After some time, due to such selective upgrades, the overall system of the enterprise is a mix of various technologies. These hybrid systems are vulnerable because of the security loopholes that arise where legacy systems interface with newer ones. For example, LTE or 4G mobile systems coupled with 3G and 2G systems tend to carry the vulnerabilities of legacy generations. Similarly, legacy protocols in old web applications may make a hybrid system vulnerable to attacks.
 
 

Supervision and Management Issues

Management’s job is not only to make rules and regulations and put safeguards in place, but also to put all these into action. This is only possible with continued interest and supervision. To enforce the setting up of security controls throughout the enterprise, the need for a system of surprise checks and associated admonishments/rewards cannot be overemphasized. Such systems can be put into action by the continued interest of management in cyber security matters.
 

Conclusion

Cyber security is a continuous process. There is no finish line for cyber defense. It requires perpetual interest of management and untiring efforts of information security departments coupled with the keen, quick response of all concerned.

About the Author
Abdul B. Subhani is the founder and President/CEO of Centex Technologies, an IT consulting company with offices in Central Texas, Dallas, and Atlanta. He is also an adjunct faculty member of the Texas A&M University - Central Texas computer information systems department. Abdul is a Certified Ethical Hacker, a Certified Fraud Examiner, Certified in Risk and Information Systems Control, a Texas Licensed Private Investigator, a member of FBI Infragard, a member of Forbes Technology Council and the recipient of multiple other advanced IT credentials.

He has been recently recognized as one of the 40 under 40 by The Armed Forces Communications and Electronics Association for his significant contributions in the field of science, technology, engineering and math (STEM). Abdul has been a frequent keynote speaker, moderator, and panelist at leading international technology conferences, and he has given speeches to thousands of students at colleges and universities.