The Australian Construction Safety Journal Autumn 2012 digital eMagazine has been released, view here: http://t.co/6qniRFQj
Introduction
The Internet has changed many companies’ business models, put some companies out of business, and spawned some of the world’s largest companies (for example Facebook, Google, and Groupon). Increased network connectivity with partners and customers, the explosion of Web services, commercial off-the-shelf and custom applications, the complexity of today’s IT systems, legacy systems spread throughout an organisation, and the increased threat from organised criminal cyber gangs all make keeping information assets secure more difficult than ever before.
With the launch in 2009 of the Australian government’s Cyber Security Strategy, it’s clear that cyber security is now one of Australia’s top tier national security priorities. In fact, the risk to the Australian economy from cyberattacks and the spread of malicious code by well-funded and highly organised cybercrime groups has been assessed as high. Australia’s national security, economic prosperity and social wellbeing are critically dependent upon the availability, integrity and confidentiality of a range of information and communications technologies. This includes desktop computers, the Internet, mobile communications devices and other computer systems and networks [1].
Today’s Threat Landscape
Cybercrime is a term broadly used to denote a crime involving the use of computers and computer networks for hacking, unauthorised computer intrusions, and denial of service attacks against websites and other Internet facing systems. The largest computer network is of course the Internet. Cyberattacks have been around since companies first opened their networks to the emerging Internet and the World Wide Web.
There are four primary threat actors operating in cyberspace:
- Lone hackers who range from the curious to the hired gun professional
- Cyber hacktivists who are politically-motivated hackers and vandals
- Cyber criminals who are smart, skilled, well-funded, and highly organised
- Nation states who use their intelligence and security agencies for cyber espionage
In the early days of cybercrime, cybercriminals usually operated alone or in a closed group of like-minded individuals. These were often young people who had developed skills through research into Internet technologies. Today, a highly sophisticated underground economy provides the malware that enables hackers with minimal computer skills to commit their crimes and to sell to the highest bidder the financial information or intellectual property they’ve stolen from individuals, companies, and governments. The profile of these cybercriminals has also changed: many are not the youngsters we have come to envision as the perpetrators of cybercriminal activity. Today’s cybercriminals are often in their 30s or 40s.
Cybercriminals are successful for six primary reasons:
- The basic protocol suite of the Internet, TCP/IP, was not designed with security in mind: by default it authenticates neither the source address of a packet nor the content of a connection, and provides no confidentiality or integrity protection
- Approximately 2 billion people use the Internet, which creates a massive array of potential victims
- The sheer number of machines with unpatched operating systems creates a massive array of potential targets to compromise with the latest malware
- In the majority of cases software programmers have not treated security as a primary part of their software design, leaving an unfortunately large number of vulnerabilities for cybercriminals to exploit
- The Internet is an open network of networks with no central police or regulatory authority
- The Internet has no borders: cybercriminals can sit at their computers in one country and attack a person in another country, often covering their tracks in the process.
As both consumer and business users continue to flock to social media and networking sites for immediate communications and data sharing, we expect to see increasingly more targeted abuses of personal identity and data. Social media connections will eventually replace email as the primary vector for distributing malicious code and links. The massive amount of personal information online, coupled with the lack of user knowledge of how to secure this data, will make it far easier for cybercriminals to engage in identity theft and user profiling than ever before. Spear phishing (targeted phishing attacks) will move to Twitter and like technologies because choosing users and groups to exploit through these channels is simple [2].
We are already seeing targeted attacks on major corporate bodies that are being planned and developed in military style operations using intelligence that has been gathered using publicly available information on social media sites. This will undoubtedly increase in the next few years unless considerable effort is put in to the education of social media users. Social media needs to be included as a component of all security awareness programs and a national awareness program in order for some of these threats to be managed.
Protecting Yourself
Managing the risk posed to information assets requires:
- A clear and communicated policy
- Classifying and labelling information
- Identification and valuation of IT assets
- Procedures for use, distribution, storage, and disposal of information assets
- An awareness of the threats faced
- An awareness of your security state
- Periodic security awareness training for users at all levels of management
- Detection, recording, and reporting of intrusions and misuse
- Correction of problems
- Periodic assessment
An information security policy is the mandatory rules and practices to direct the organisation on how to manage, protect, distribute, and dispose of its information assets. Information security policy is an essential component of organisational governance as it’s a primary mechanism to enforce rules. Information security policy should be based on a combination of risk assessments, legislation, corporate governance requirements, applicable industry standards, and the organisation’s internal business requirements to protect information assets.
Information assets include all forms and types of electronic and paper-based business related information. One of the first critical steps to effective information protection is to appropriately classify and label information assets. To determine the level of protection that should be applied to varying types of information, an information classification scheme should be established based on the impact on the confidentiality of information should it be compromised or inadvertently put in the public domain. Information is classified according to its criticality (the importance of an information asset to the business) and sensitivity (the consequences of exposure of this information to unauthorised parties). Once classified, information should be subject to a documented and strictly applied labelling regime so that everyone who handles the information is aware of its importance to the organisation and the protection it requires.
Information assets also include the physical assets (such as IT and communications equipment) and the services which support these physical assets (such as power, communications links, and air conditioning). The organisation should maintain an inventory of critical and supporting assets in order to recover from a disaster or for other business purposes such as insurance or financial asset management reasons. The process of developing an inventory of assets is an important first step in risk management. This inventory should be detailed enough to include the type of asset, business value, physical location, operating system (and patching level), software licenses, and other related information.
Information can be and often is compromised through the careless use, distribution, storage, or disposal of the information or through uncontrolled re-use or disposal of information processing equipment. To reduce this risk, a documented policy and operating procedures should be prepared for system activities associated with critical information processing and communications equipment. These documented procedures should be considered formal operating procedures authorised and enforced by management.
To defend against the many, often clever, ways cybercriminals use to compromise your information assets directly, or your information processing systems indirectly through malware, you need an awareness of the threats you, your company, and your industry face. Many sources of information on threats and vulnerabilities are available through professional associations, industry groups, sector-based computer emergency response teams (CERTs) and national CERTs. One of the best sources is the many information security and Internet threat reports published each year. Threat reports from Microsoft, SANS, Cisco, Symantec, McAfee, Verizon, Sophos, and others are available for download. These and other research publications provide analyses of attacks, reviews of known vulnerabilities, and the latest developments in malicious code. From this research it is possible to learn what attackers are after and how they will go about attacking you and your assets, which puts you in a much better position to defend yourself.
Once you know some of the ways cybercriminals will attack you (it is impossible to know all of them with ever-evolving malware), you can review your defences to determine how well prepared you are [3]. Assessments should be performed on a regular basis to address changes in the general business environment, in information protection requirements, and in evolving threats and vulnerabilities. One of the best resources for managing IT-related risk is the U.S. NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems. This guide provides a common foundation for experienced and inexperienced, technical and non-technical personnel who support or use the risk management process for their IT systems [4].
Awareness of the threats you face and the safeguards available to protect your information assets is the first line of defence for the security of information systems and networks. Awareness is the ‘what’ component of an organisation’s education strategy, which tries to change the behaviour and practice of its targeted audience (for example employees, the general public, etc.), and it is a distinct element from training. This is why awareness activities occur on an ongoing basis, use a variety of delivery methods, and are less formal and shorter than training [5]. People are our last line of defence but can also be our weakest link if their training is neglected.
Awareness training allows individuals to recognise information security and IT risk concerns and respond accordingly. The detection and reporting of system misuse and unauthorised access and intrusions is critical to understanding what’s going on in your environment on a day to day basis and protecting your information assets. Cyber criminals understand human nature and play heavily on that in their attack methodologies.
Investigations contribute not only to subsequent litigation and support to law enforcement agencies (if appropriate), but also to asset recovery, identifying the root cause of the incident, preventing future occurrences, assessing the real damage or loss caused by the incident, identifying peripheral issues and problem areas, and recommending corrective actions. Appropriate investigative techniques should be used at all times and legal considerations taken into account when developing an investigative plan [6]. Security managers must understand ‘chain-of-evidence’ requirements in order to ensure that evidence is maintained in a usable format if and when the time comes.
Once the results of investigations and security assessments are known, corrective action can begin. It is operationally critical to ensure that effective corrective actions are taken to address identified weaknesses, including those identified as a result of potential or actual security incidents or through security alerts issued by vendors and other trusted sources. These actions must be planned, prioritised, and implemented in a controlled manner following the organisation’s testing and change management processes.
Routine self-assessments are an important means of identifying inappropriate or ineffective security procedures and controls, reminding employees of their security-related responsibilities, and demonstrating management’s commitment to security. Reviews of documentation, walk-throughs of facilities, and interviews with key personnel, while providing useful information, are not sufficient to ensure that controls, especially computer-based controls, are operating effectively. Examples of tests that should be conducted are network scans to identify known vulnerabilities, analyses of router and switch settings and firewall rules, reviews of other system software settings, and tests to see if unauthorised system access is possible (through penetration testing). Tests performed should consider the risks of authorised users exceeding their authorisation as well as unauthorised users (e.g., external parties, hackers) gaining access [7].
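As an added example of the kind of automated check the firewall-rule review above calls for (this is not code from the original article), the Python script below audits a rule list for three weaknesses a reviewer looks for first: an any-to-any allow, a management port allowed from the whole Internet, and rules that are shadowed by an earlier, broader rule and so can never match (a shadowed deny is a control that exists only on paper). The rule format, the set of "management" ports and the sample rules are constructed assumptions; a real review would load the rules exported from the device and evaluate them in the device's own first-match order.

```python
"""Audit a simplified, first-match firewall rule list for common weaknesses.

Added example; the rule format and sample rules are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

ANY_PORT = -1                                   # wildcard destination port
INTERNET = ipaddress.ip_network("0.0.0.0/0")
# Ports whose exposure to the whole Internet warrants a finding (assumption).
MANAGEMENT_PORTS = {22, 23, 3389, 445, 1433, 3306}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: int    # destination port, or ANY_PORT


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` would already match `broad`."""
    proto_ok = broad.proto == "any" or broad.proto == narrow.proto
    port_ok = broad.dport == ANY_PORT or broad.dport == narrow.dport
    src_ok = _net(narrow.src).subnet_of(_net(broad.src))
    dst_ok = _net(narrow.dst).subnet_of(_net(broad.dst))
    return proto_ok and port_ok and src_ok and dst_ok


def audit(rules: list[Rule]) -> list[tuple[int, str]]:
    """Return (rule index, finding) pairs, in rule order."""
    findings = []
    for i, r in enumerate(rules):
        src_is_internet = _net(r.src) == INTERNET
        # 1. Any-to-any allow: the filter is effectively switched off.
        if (r.action == "allow" and src_is_internet
                and _net(r.dst) == INTERNET and r.dport == ANY_PORT):
            findings.append((i, "any-to-any allow"))
        # 2. Management service reachable from the whole Internet.
        if r.action == "allow" and src_is_internet and r.dport in MANAGEMENT_PORTS:
            findings.append((i, f"port {r.dport} exposed to 0.0.0.0/0"))
        # 3. Shadowing: an earlier rule already matches everything this one would,
        #    so this rule never fires (dangerous when the earlier one is an allow).
        for j in range(i):
            if covers(rules[j], r):
                findings.append((i, f"shadowed by rule {j} ({rules[j].action})"))
                break
    return findings


# Constructed sample rule set, evaluated top to bottom, first match wins.
SAMPLE_RULES = [
    Rule("allow", "tcp", "10.0.0.0/8", "10.0.1.5/32", 22),        # 0 admin net -> bastion SSH
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),    # 1 public HTTPS
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 3389),   # 2 RDP open to the Internet
    Rule("deny", "tcp", "192.0.2.0/24", "203.0.113.10/32", 443),  # 3 never reached (rule 1)
    Rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORT),     # 4 "temporary" any/any
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORT),      # 5 default deny, now dead
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```

On the sample set the script reports the exposed RDP port on rule 2, the dead deny on rule 3, the any-to-any allow on rule 4, and that the default deny on rule 5 is shadowed by it. The shadowing check is the one worth keeping even for a small rule base: it catches the common failure where a broad "temporary" allow is inserted above the deny that was supposed to be the control.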
Identified risks and their factors (that is, the business value of assets, threat agents, vulnerabilities, likelihood of occurrence, and the magnitude of impacts) should be constantly monitored and reviewed to identify any changes. Changes can occur due to new systems deployments, retirement of legacy systems, new application and operating system vulnerabilities announced by the vendor, new malware attack vectors, and the constant threat of human error in system configuration and hardening.
Conclusion
Opening your corporate networks to the Internet to facilitate lightning-fast communications with customers and business partners exposes your organisation to increased cyber risks. The alternative of operating a closed, isolated network just doesn’t make sense in the second decade of the 21st century.
No organisation can afford to eliminate all risks, cyber risks included; the cost/benefit justifications just aren’t there. The trade-off between risk exposure and risk management is becoming increasingly complex, and there’s no silver bullet solution to managing risk.
Therefore each organisation needs to establish its own cyber risk tolerance threshold. Some cyber risks will be accepted because the exposure is so small or the cost too great to eliminate the risk. Other cyber risks must be mitigated because the potential damage is too great and the cost to bring this risk down to an acceptable level makes for a reasonable investment.
About the author: Keith Price, CISSP, CISM, CGEIT is the National Director of the Australian Information Security Association.
References
1. http://www.ag.gov.au/cybersecurity
2. 2011 Threats Predictions, McAfee Labs
3. Analysis by the Australian Defence Signals Directorate (DSD) revealed that 70% of intrusions targeting government information systems could have been prevented by following just four mitigation strategies listed in their Top 35 mitigation strategies document (available online at http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm).
4. http://csrc.nist.gov/publications/PubsSPs.html
5. The new users’ guide: How to raise information security awareness, European Network and Information Security Agency (ENISA), 2008
6. Information Asset Protection Guideline, ASIS International, 2007
7. Security Self-Assessment Guide for Information Technology Systems, US NIST Special Publication 800-26, 2001