Jump to content

Interview: Could staff training help to guard against cyber attacks?

sincity

By sincity
in Technology

 Share

Recommended Posts

sincity Rookie

sincity

Posted
Posted

Interview: Could staff training help to guard against cyber attacks?

The latest headlines are awash with news of security breaches at major companies, including the likes of Morrisons, Target and Kickstarter.

We speak to Catalin Cosoi, Chief Security Strategist at Bitdefender, regarding how or whether businesses can better educate their staff to be security aware, and how businesses can simplify their security strategy.

TechRadar Pro: Could the enterprise do better when it comes to the education of staff as far as IT security is concerned?

Catalin Cosoi: The average enterprise does not train general staff in IT security matters and this is more or less as it should be. Training should be restricted to familiarisation with job-relevant security procedures, of which the fewer there are, the fewer there are to get wrong. IT staff on the other hand really should be more security-aware.

TR: How should training differ at different levels of the business? Should all employees receive the same level of education?

CC: Generally speaking, an attacker will aim for the 'low-hanging fruit' first and will look to spear-phish the director's secretary, not the director himself – at least not initially. One of the jobs of IT security is to ensure that the gains are similarly low and that "privilege escalation" attacks are hard.

That being said, a small dose of operational paranoia instilled into key personnel can work wonders. To give an example of why education at all levels is so important, the HBGary "hack" was only possible because an administrator was a bit too trusting and accepting.

TR: What would Bitdefender consider to be best practice when it comes to IT security education for businesses and their staff?

CC: Identify who needs to be educated and then think long and hard about what you want to teach. For example, training people to change their passwords often is pretty useless, while showing them how spear phishing works might be useful.

Keep in mind that normally there is a tension between security and convenience and a harried middle manager will always choose convenience, unless training has convinced him or her that it is necessary to make such decisions in a conscious manner and that taking on security risks is not "free".

TR: Should network security now be reliant on more than just passwords following the recent news that researchers in Liverpool have created a computer virus that can spread via Wifi?

CC: The Chameleon virus' potential to spread through networks "like a common cold" highlights the importance of having robust administrative security procedures in place; an area that is overlooked by many.

Organisations should take steps to ensure that critical infrastructure and routers are protected from this, and similar, virus threats and technology should be the element that makes the difference.

Home routers and networks are actually beyond most people's IT administration skills, and as such the need to secure them doesn't even register. This is why passwords are often not secure enough.

In order to achieve true protection, security and maintenance should be simplified and automated as much as humanly possible.

Things should just work securely out of the box, because most people don't have the time, inclination or indeed motivation to become network security professionals.

TR: What are considered industry gold standards in today's cloud security industry?

CC: Despite industry efforts, cloud providers have yet to establish a standard framework to guide the interactions between enterprises and cloud service providers.

There are a number of organisations that ratify proposals for open standards and develop cloud security guidelines. Cloud Security Alliance (CSA) provides one of the industry's most comprehensible set of best practices for secure cloud computing.

The CSA has developed a compliance standard known as the CCM or Cloud Control Matrix, which describes various areas of cloud infrastructure including risk management and security threats.

As cloud usage continues to evolve so should security standards; however it is extremely difficult to enforce a set of policies because of the very nature of the cloud – it is distributed within different geographic areas, with different regulations and even provided by different vendors based in multiple countries.

TR: Are there any security concerns that are exclusive to the banking industry?

CC: Obviously the banking industry has to deal with a host of regulations and laws that do not affect other industries – from PCI DSS or Basel III to various state-specific laws such as Sarbanes-Oxley. Not so obviously, to quote Willie Sutton, people rob banks because that's where the money is. An attack against a bank will make use of more money and technical expertise than a raid against a (comparatively) small credit card processor such as a chain store, for example.

Public clouds lure companies with the hope of standardisation and thus decreased costs, but this is also their biggest security downside. A breach in a cloud provider's security is a breach in all of its clients' operations.

TR: In what ways can hackers and cyber criminals make use of IT systems and social means to manipulate financial markets?

CC: There are quite a number of attacks that can manipulate financial markets. The most frequently encountered type of attack is pump-and-dump spam: a type of campaign that attempts to artificially inflate the price of cheap stock by presenting stock purchases as the best thing that the user could do.

Often, pump-and-dump spam messages claim that company X has just put together a product that is so revolutionary that it is going to increase the company's value thousands of times.

But pump-and-dump spam is not the only way to manipulate financial markets: a famous example being when cyber-criminals last year broke into the Twitter account of Associated Press, publishing fake news about the President of the United States being injured. Because of its wide reach, the news caused the temporary collapse of the stock market.

TR: What advice would Bitdefender give to businesses looking to simplify their security strategy?

CC: Online threats to small and medium businesses have never been so prevalent, or so complex. To counter the rising dangers of hacking, espionage, sabotage, phishing, viruses and data theft, we'd recommend businesses identify who needs to be educated, and then give them the correct tools to prevent real attacks by demonstrating what a cyber attack may actually look like, rather than just telling them to change their passwords often.

It is also advisable to consider a cloud security solution for businesses. Bitdefender Small Office Security cuts through the clutter by offering a simple, effective solution that can be deployed with complete efficiency by almost anybody working within an office environment. This solution also reduces server costs and frees up staff time, helping businesses to run more efficiently.

mf.gif


rc.img
rc.img
rc.img

a2.imga2t.img08mhuf-qdP8
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

About Us

We are glad you decided to stop by our website and servers. At Fearless Assassins Gaming Community (=F|A=) we strive to bring you the best gaming experience possible. With helpful admins, custom maps and good server regulars your gaming experience should be grand! We love to have fun by playing online games especially W:ET, Call of Duty Series, Counter Strike: Series, Minecraft, Insurgency, DOI, Sandstorm, RUST, Team Fortress Series & Battlefield Series and if you like to do same then join us! Here, you can make worldwide friends while enjoying the game. Anyone from any race and country speaking any language can join our Discord and gaming servers. We have clan members from US, Canada, Europe, Sri Lanka, India, Japan, Australia, Brazil, UK, Austria, Poland, Finland, Turkey, Russia, Germany and many other countries. It doesn't matter how much good you are in the game or how much good English you speak. We believe in making new friends from all over the world. If you want to have fun and want to make new friends join up our gaming servers and our VoIP servers any day and at any time. At =F|A= we are all players first and then admins when someone needs our help or support on server.

Player Gaming Stats for =F|A= Servers.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept