Friday, December 27, 2019

ISO/IEC 27001 - Operational Threats


Operational Threats:
1) Malware
Malware attacks regularly make worldwide headlines. A virus is one example of malware, or malicious software: software designed to infiltrate or damage a computer system. This class of software also includes worms, Trojan horses, spyware and adware, to name but a few.

Managing the Problem
Protection from malware needs proper management processes and controls in place. For a start, the organisation should produce a policy prohibiting the use of unauthorised software and then implement controls to prevent or detect the use of such software. The organisation should also have a policy regarding the downloading or receiving of files and software.
The organisation should conduct regular audits on the software that supports their critical systems and processes. Such exercises should search for the existence of any unapproved files or software.

2) Unauthorised Access
Unauthorised access to information can lead to disclosure, modification or unauthorised use of the information. Such access might happen as a result of an internal compromise of organisational policy and abuse of privilege, or it might occur as a result of someone external breaking through the organisation's security systems. Unauthorised access to information might occur by breaking through layers of physical protection or electronic protection, or a combination of both. Of course, access via the Internet or another network is a common problem. Whatever the means and method of access, once the unauthorised person has gained access to the organisation's information, they have an opportunity to steal, modify or destroy this information.

Managing the Problem
The problem of unauthorised access to information can be managed at different levels. The organisation should have an access control policy, and it should have specific procedures for different access control methods and for covering different types of access (e.g., access to information, applications, processes, IT and networks). The control methods implemented to manage access should be strong enough to prevent unauthorised access. These methods, and the information used for gaining access, need proper management and administration. Controls need to be in place covering who has access, for what purpose, to what information and via what devices: establishing authorised computer, system and network accounts; password and privilege management; access restrictions; reviews of access rights; disciplinary action for abuse of rights; and training of users on access control methods, rights and privileges.

3) Insider Threat
The insider threat is a malicious threat to an organisation that is becoming more and more common. Such a threat could come from current staff and employees within the organisation, but it might also come from ex-employees, or even from contractors or business associates who work closely with the organisation and hold certain internal access privileges because of the nature of the work and collaborative ventures they are involved in.

Managing the Problem
The insider problem can be managed at different levels, with a combination of the following:
- Policies and procedures: include instructions and information regarding the insider threat;
- Training: include insider threat awareness in staff training;
- Recruitment process: check employment references, check for past criminal offences, review reports of suspicious or disruptive behaviour;
- Personnel management: manage conflicts; resolve disputes in the work environment; review working conditions of disgruntled staff; provide counselling and dispute resolution opportunities for disgruntled staff; be vigilant to unusual behaviour and watch for unusual work patterns against what the organisation defines as standard, work-related activities and patterns of normal work operations;
- Risk management: ensure the risk assessment and risk treatment take account of the insider threat problem;
- Termination of employment: implement a secure employee termination process;
- Operational controls: implement controls for separation of duties and least privilege; enforce strict password practices; ensure secure backup and recovery processes; implement effective change control procedures;
- Access control: implement strict access controls; strictly enforce access restrictions; ensure effective management of privileged users, including effective monitoring, logging and audit of system access; impose restrictions on remote access; review access rights;
- Online activities: be vigilant to employees' online behaviour; manage usage of online services such as social networking through an acceptable use policy; enforce an appropriate policy and procedures for BYOD;
- System vulnerabilities: keep the door closed to unauthorised access and exploitation of system vulnerabilities by fixing, repairing and safeguarding against system vulnerabilities.

4) System Availability
If the organisation wants to keep its business running and to operate productively, then it needs to ensure the resources it needs to do so are available. This includes all types of resources: people, information, processes, services, networks, IT and facilities. One factor is how reliable the organisation's network is in serving its operational needs. Does the network fail? Does it slow down? Does it provide 24x7 uninterrupted usage? IT is the backbone of most businesses, and an organisation might suffer from a poor record of IT system failures. Why? Is it a lack of adequate maintenance, a failure to install the latest software upgrades and patches, or is it that the demand on a specific IT system far outweighs its capacity to deliver against that demand?
If an organisation's IT system fails or its online presence is interrupted, it could suffer many hours of downtime, which translates into impacts such as loss of revenue, loss of customer confidence and possibly penalties for breach of contractual obligations if the loss of availability prevents the organisation from honouring those obligations.

Managing the Problem
The availability problem can be managed at different levels including the following:
- Information: protecting information from unauthorised disclosure or modification, access to information, backups of information, information recovery in the event of system failure, procedures for handling information, ownership of information assets and authorisation to access information;
- Services: management of service delivery, service provider contracts and SLAs, managing the connections to services, access to and usage of services (e.g., networks, web services, managed security services, disaster recovery services, outsourced services, teleworking services, media disposal) and authorisation to access services;
- IT system usage: effective access controls, restrictions on usage to avoid misuse, a policy for acceptable use and procedures for correct use, secure processing of information using IT, employee terms and conditions on the use of IT, network services and the handling of information, and authorisation to access IT systems;
- Software (S/W) management: restrictions on S/W installation and usage; control of S/W versions, upgrades and patches; separation of private and business use; control of S/W support and maintenance; use of default secure configurations; control of access to utility versus application S/W; restrictions on remote use of S/W; control of S/W licences; separation of S/W in operational environments from S/W in development and testing environments; malware protection; S/W backups; secure control over operational S/W;
- Vulnerability management: risk assessment and impact analysis of vulnerabilities; understanding and identifying system vulnerabilities; assessing and reviewing the vulnerabilities; taking corrective or preventative action to remove or diminish the weaknesses or to improve protection against exploitation; testing the improvements and controls used to manage vulnerabilities; ensuring S/W patches come from an authentic source; and ensuring the vulnerability process works in collaboration with the incident handling and business continuity processes.

5) Social Engineering
Social engineering is a type of information security attack that exploits the psychological vulnerabilities of people by manipulating them to perform activities that result in divulging information—the “art of hacking into the human psyche.” This type of attack can be performed online (e.g., emails, phishing attacks, social networking) or offline (e.g., over the phone to obtain information or posing as officials or service technicians to gain access to company premises, facilities and information). This attack is a confidence trick that aims to obtain information to gain system access to steal commercially sensitive information or to commit fraud, a scam and so on.

Managing the Problem
The social engineering problem can be managed at different levels including:
- Consideration of social engineering attacks in the risk assessment and risk treatment exercises;
- Identification of information as sensitive, critical or personal, and evaluation of the exposure of this information to social engineering attacks;
- Establishment of a policy and procedures for handling social engineering attacks;
- Employee training to understand the problem of social engineering, to recognise situations that might be an indicator of, or a precursor to, a social engineering attack, and to understand how to apply company policy and procedures to social engineering attacks in order to protect information;
- Regular audits and reviews of the controls in place to counter social engineering attacks: people, processes, procedures and access control methods;
- Establishment of roles and responsibilities for handling sensitive, critical or personal information;
- Keeping up to date with the latest information on social engineering attacks, feeding this information back into the training programme and using it in the revision of policy and procedures.





Monday, December 23, 2019

The Cybersecurity Framework Version 1.1

NIST CSWP - The Core

The Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified by stakeholders as helpful in managing cybersecurity risk.

The Core consists of desired cybersecurity outcomes organized in a hierarchy and aligned to more detailed guidance and controls.



Functions:

Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

Protect: Develop and implement appropriate safeguards to ensure the delivery of critical services.

Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.




Steganography

Steganography is the technique of hiding data inside other data; in simple words, it hides data within an ordinary-looking image. It does not actually encrypt the data, which is why it cannot be classified as single-key (symmetric) or multi-key (asymmetric) encryption.
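To make the point concrete, here is an added example (not from the original post) of the simplest image technique, least-significant-bit (LSB) replacement, on a constructed grayscale "image" held as a flat list of 8-bit pixel values. It shows both that the cover changes by at most one level per pixel and that the payload comes back with no key at all, which is exactly why hiding is not encryption.

```python
# Added example: LSB steganography on a constructed grayscale "image" (a flat
# list of 8-bit pixel values). Demonstrates that hiding is not encryption:
# anyone who knows the method recovers the payload without any key.
from typing import List

HEADER_BITS = 32  # 4-byte big-endian length prefix so the extractor knows how much to read

def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(cover: List[int], payload: bytes) -> List[int]:
    """Return a copy of cover with the length-prefixed payload written into pixel LSBs."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("payload too large for cover image")
    stego = list(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit  # replace only the least significant bit
    return stego

def extract(stego: List[int]) -> bytes:
    """Recover the payload with no key: read LSBs, decode the length, then the data."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError("declared length exceeds image size; not a valid stego image")
    return read_bytes(HEADER_BITS, length)

def max_pixel_change(cover: List[int], stego: List[int]) -> int:
    """Largest per-pixel difference; LSB replacement never moves a pixel by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed 16x16 cover image (256 pixels) holding a simple gradient; no file is read.
COVER = [(x * 16 + y) % 256 for x in range(16) for y in range(16)]

if __name__ == "__main__":
    stego = embed(COVER, b"iso27001")
    print(extract(stego), max_pixel_change(COVER, stego))
```

Because the only protection is secrecy of the method, a confidential payload should be encrypted before it is embedded; steganography on its own addresses concealment, not confidentiality.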