Why ‘we’ are cyber-security’s weakest link

Monday, 23 February 2015 00:00

Given the recent media coverage of the Sony Pictures security breach, there is no escaping the fact that corporate information security is at great risk. Whilst hackers employ many sophisticated means of exploiting potential security holes in IT hardware, networks or applications, more and more exploits are targeted at another important element of the IT ecosystem: the human factor. According to the National Centre for Cyber Security (SLCERT), Sri Lanka is not exactly immune to such social engineering threats. Therefore, while we should be mindful of the implications, we also need to understand preventative measures against such threats.

Social engineering is a technical term for tricking computer users into taking actions that they would have been unlikely to carry out of their own choice. For example, a social engineering victim may be tricked into clicking on a link that promises entry into a get-rich-quick scheme but that actually redirects to a phishing site, where sensitive data such as location, account usernames and passwords may be collected.

Another example is the recent eBay breach, which was initiated by successful phishing of eBay employee login credentials and caused the online marketplace to request its approximately 128 million users to reset their account passwords. From this we can see that cybercriminals will increasingly go to extraordinary lengths to gain the trust of their targets and ultimately bypass network security.

Securing down the hatches against the social engineering storm

“The fundamental problem with addressing social engineering in the enterprise is that it only takes one slip-up for attackers to succeed. An organisation can have advanced cyber security solutions in place, but if one employee falls for a well-crafted social media post or becomes entangled in an elaborate online trap, then even these defences may become ineffective. Enterprises have to refocus their security efforts on humans, not just networks and databases,” says Kevin Mitnick, an American computer security consultant who currently runs a security firm named Mitnick Security Consulting that helps test a company’s security strengths, weaknesses, and potential loopholes. He is also the Chief Hacking Officer of security awareness training company KnowBe4, and conveys this in his recent article on ‘Human Factor is Truly, Security’s Weakest Link’.

Learning from this experience, Chief Information Officers of enterprises should always try to improve their IT security by strengthening their risk and compliance, based on an unbiased estimation. Deploying firewalls, anti-virus software, intrusion prevention systems and similar solutions may not be adequate. This is because we still need an independent in-house risk and compliance unit to ensure a consistent and proactive approach in this tide of social engineering.

Just In Time Group provides consultancy, design and implementation services to large enterprises on advanced security centre solutions with 24/7 monitoring and preparations for any social engineering threats.

(Navin Seneviratne is Chief Technical Officer at Just In Time Group and Sanjeeva Perera is CEO of Infrastructure and Security, Just In Time Group.)

In addition to being the JIT Group CTO, Navin oversees operations as CEO of the IT consultancy and software development subsidiary TechSys, under the Just In Time Group. Navin holds a Bachelor’s Degree in Information Systems from Manchester Metropolitan University (UK) and has over 20 years of software development experience under his belt. Navin has been involved in the development of Content Management, Customer Relationship and Rewards solutions for companies such as Toyota, Ford, Cisco, IBM, P&O Nedlloyd and Sodexo, amongst many others in the UK.

Sanjeeva Perera brings a wealth of experience in the IT infrastructure and security solutions domain with strong corporate customer accounts and has over 20 years of managerial experience in the IT industry. He is instrumental in driving business development of Infrastructure and Security as a member of the core management team of the company. Sanjeeva is a Computer Science and Engineering graduate from the University of Moratuwa and holds a Master of Business Administration from the University of Colombo. Further, he is an external lecturer for MBA and MSc programs at the University of Moratuwa, Imperial Institute of Higher Education (IIHE) and SLIIT.
