Page 31 - PWM2023_MAY
P. 31
TECHNOLOGY REPORT
solicitor, chartered engineer and part- “some operate in a more random fashion” as they look to prove Davis, on the other hand, would cre-
ner at Percy Crow Davis & Co, the their skills or develop tools in order to raise their profile within ate a budget and appoint someone at
Wikipedia definition, of “any attempt the hacking communities. board level to maximise its use. He
to expose, alter, disable, destroy, steal For the criminally minded, making money is always the goal would bring in an independent consult-
or gain information through unauthor- and they attack anything where it pays them to do so. “They ant to consider where the budget
ized access to or make unauthorised may,” says Davis, “adopt a scattergun approach, sending out mil- should be spent. He also cautions
use of an asset… that is a computer lions of scam emails in the expectation that only a few people against placing too much reliance on
information system, computer infra- will fall for the scam, alternatively they may target a particular specific security products, “many of
structure, computer network, or per- ‘rich’ target but in a more subtle, considered manner.” which are good, but which solve only
Of course, at the extreme, states such as China, Russia and
sonal computer device,” is one that he North Korea attack companies to steal technology. the security issue that the particular
agrees with. Worryingly, as Isbell points out, Covid-19 has altered the land- vendor advertises”.
He says that it “matches the broad scape somewhat because “we now have a more distributed busi- Staff training is something else to
definition of an offence under section 1 ness model with employees working from home, often on consider. While it’s not foolproof, the
of the Computer Misuse Act 1990 shared networks with only limited security implemented”. He more staff training, the lower the prob-
which criminalises any action that has seen a significant increase in attacks directed at organisa- ability that a staff member will intro-
‘causes a computer to perform any tions directly involved in dealing with the pandemic or involved duce harm to the business.
function with intent to secure access to in vaccine research. But as Davis warns: “Training needs
any program or data held in any com- Making a similar point, Davis has found that any newsworthy to be regular. There is little point in
puter where that access is unauthor- topic may be used to persuade a staff member or individual to only training during induction week
ised’.” click on a link that will take them to a compromised website. “In and then not following that training up
Roy Isbell, a cyber security specialist that sense, the pandemic is no different and has given malicious with regular reminders… staff may be
and advisor to the UK Forensic Science actors opportunity to create appealing false links, for example, sent a malicious email containing a
with offers of having an early vaccination.”
Regulator, agrees with Davis. He No system is perfect. But Davis knows “that the amount of spurious link at any time.”
Isbell too values training. He says:
defines a cyberattack as “fundamentally effort it takes to breach a system is proportional to the amount of “The most efficient and well under-
Terminating cyber attacks particular system with the intention of effort taken to secure the site in the first place”. He cites one of stood security environments I have wit-
the interaction of a threat actor with a
the first ever recorded security breaches where a website could
nessed are where the company has
achieving a particular outcome”.
be hacked by clicking on a certain part of the web page in a pub-
Of course, how the attack manifests
tomers’ details.
the culture of the organisation.
itself is dependent upon the outcome lic part of the site with the mouse. Doing so revealed other cus- worked to develop security as part of
that the threat actor is hoping to Moving on, Isbell talks of a process developed by Lockheed A combination of carrot and stick is
achieve, the level and type of access Martin that maps the stages of a cyberattack. Called the ‘Cyber used to great effect without defaulting
that they have been able to create, and Kill Chain’, he says that the steps involve reconnaissance, weap- to a punitive strategy on what happens
the skills and tools available to the onisation, delivery, exploitation, installation, command and should a breach occur.”
control, and ‘actions on object’.
threat actor. “Each step,” says Isbell, “is required for the subsequent step to And then there’s the option of plac-
Nevertheless, he’s aware that many have a chance of being successful. Therefore, a security breach is ing a warning on every email which a
believe that ‘cyber’ is just an alternative not a single event or tool, though it often appears this way, but a staff member receives warning them if
word for the internet and devices that combination of knowledge, skills and intelligence used in an email has come from an external
are connected to it. While this may be sequence to achieve the effect or outcome the threat actor wants source and that it may be malicious. On
true, he says “that this is not the whole to achieve.” this Davis thinks warnings are unlikely
scope of what the cyber environment For him, the only way to achieve 100% security is for a system to be of much assistance – “it is likely to
covers”. to not be connected to any form of external communications. be ignored as the staff member is anx-
Davis recalls an old information tech- He emphasises that cyber security is about managing risk: “This ious to read the email not the header,
nology saying: “There are two types of requires that we spend time evaluating and understanding the let alone the repeat warning in the
business: those who know they have cyber environment and what it is we need to protect; it is not header”.
been breached, and those who don’t yet always the data that requires protection, but the systems them- Crucially, Isbell recommends includ-
selves.”
know.” But as to where the threats orig- ing cyber security breaches as part of
inate, Davis says that some are per- Countering threats business continuity disaster recovery
formed by ‘script kiddies’ “who try and planning: “Whilst some firms have
As both Isbell and Davis detail, there is no easy way to counter
hack into a system for fun. They are cyber threats. been unable to continue after a cyberat-
mostly out to hack well-known sites, or Apart from a company’s own systems, Isbell would also look at tack, those that have had a robust inci-
ones that will give them some ‘pres- the supply chain, “especially where industrial processes may dent response plan have not only been
tige’”. He adds that non-monetary sites share data between firms”. For him, having a strategy is key, and able to recover but recovered faster and
include those that attract opposition, for that to work “an understanding of the firm’s cyber ecosystem as a consequence, minimised the over-
such as the sites of political parties. is essential... and not just focused on the data that resides on the all impact on the business and its opera-
Isbell takes a similar line but has seen various IT systems it may have”. tions.”
www.printweekmena.com May 2023 PrintWeek MENA 31