Sunday, 5 November 2017

Week 2 [06-12.11.17] - cyberthreat in current days

Cyberthreat simulation - enjoy!
http://datacenterattacks.trendmicro.com/

 Week after week, headlines about the latest cybersecurity attack dominate the news agenda. Criminals continue to target high-profile organizations and individuals at scale and show no signs of slowing down. From personal data theft, to financial information leakages, to copyrighted material – these attacks occur time and time again. Time is not on our side as criminals need as little as nine minutes to use data posted to the dark web.
Regardless of the measures adopted to prevent breaches, criminals find increasingly innovative ways to bypass them. The sooner we recognize this won’t change, the better, so we can focus on what is truly doable: reducing the impact of cyberattacks.
In a world where criminals are becoming smarter, what can be done?

33 comments:

  1. Thanks for sharing this, I like the idea, but I was surprised a little with the answers I had to choose to pass.

    Regarding the main question/problem - many companies just ignore security. Like totally and even on the basic level. This year there was a famous "WannaCry" attack. In order to address it, Microsoft had to create a patch for (officially unsupported) Win XP. Why do the big companies, airports, hospitals use old versions of the operating systems?

    Replies
    1. Once I heard that airplane manufacturers need to have technology with special "certification". They can't use the newest technology as it should be well tested and staged well :) With this approach companies mitigate security risk, I suppose.

  2. Well it is obvious that the target of criminals will go directly into the most life or business threatening industries, so hospitals or, as it was a few days ago, airlines. Taking control over a plane or hospital system can be great for blackmailers. Let’s face the truth - companies very often choose the cheapest option instead of the secure one, and the same with developer companies - they absolutely don’t care about doing their job with all the standards. They rather do it quickly and do more to get more money. As a developer I really have some standards and while working for some companies I had a lot of trouble with defending my point of view and raising standards.

    There are so many holes in systems, websites, transaction portals and basically everywhere online that very often I am wondering who the hell was doing it and made such ridiculous mistakes. Honestly I don’t know how you can allow, for instance, successfully changing a form in web inspector and not providing further validation.

    Replies
    1. I strongly agree with You. Nowadays we are lacking software engineers, and there are many code academies that do not teach how to secure your system. And then hackers can sneak in through many backdoors in not well secured applications

  3. I think that options indeed are very limited. As far as I know usually the human is the most vulnerable part of any security system. That's why pentesters have a plethora of socio-technics to manipulate people with access to specific internal network elements to breach the system. Therefore even very well designed security system may fail due to a vulnerability of people being part of that system.

    Replies
    1. Yes, 91% of cyber attacks start from phishing, which is strongly connected with people's behaviours

  4. It was a very nice commercial, I was enjoying it a lot.
    I totally agree with Adam, the weakest link in security is human. So the first thing is to train people in security and later we need to repeat those trainings.
    Even Mitnick once said something like this, that he didn't break passwords but humans (or maybe something similar).
    When it comes to software I am not specialist in this field but I would not go with software provided by one team. If we are learning from past we can see that this solution is not the best way to go.

    Some nice links:
    Why Social Engineering Should Be Your Biggest Security Concern
    Watch this hacker break into a company



    Replies
    1. I agree with You, thank You for sharing links. Nice read

  5. Thanks for this video. It is an interesting kind of commercial but is a little bit naive and exaggerated because no doctor will worry about computers when people are dying. I think they are trained to treat people offline :)
    I think one thing that we should do about cybersecurity is educating people about it. They should know the dangers and what is private what not. Sometimes they just do not know that i.e. they shouldn't share their password. This is obvious for us but not for people from different backgrounds.

    Replies
    1. I agree, we need to raise people's awareness about danger

  6. This comment has been removed by the author.

  7. This comment has been removed by the author.

  8. Thanks for this article.
    This topic is very relevant and important today. Against the background of today's events, such as: breaking the election system in the USA and France. There are different theories to solve this problem. In my opinion, the most appropriate solutions are:
    • Firstly, this is the most competent staff. There was such an example, hacker that hacked the IOS system, was hired by the IOS Security Department. So not all hackers, and cyber criminals need to be punished, some of them, can go to a deal, and help the development of your cybersecurity
    • Secondly, the most really relevant software, to avoid cyber-danger - you can not save on software. Software should always be the best and the latest version
    • Creating various additional security methods: for example «require two-factor authentication», and many others
    If the firm does not have a lot of money to set up its cyber defense department, this firm can always work with another company to provide these services. That will allow it to avoid unnecessary difficulties in recruiting or updating software, and also to transfer all responsibility for cyberthreats to another company.

  9. I do agree with Tomasz and Adam that the weakest link, as far as security is concerned, is human. But I'm not sure if anything can really be done about that. Of course you can provide some trainings for those who are unaware of certain things, dangers and threats, but what about those who don't want to be trained? What about people who have cunning nature and all they do care about is themselves, their wealth and fortune? It is those people that cheat, lie and do not recognise the rules and obligations. They are the ones that increase risk of cyber attacks or even worse they are the ones who facilitate those attacks for the sake of money, position. Of course we can try to invent new security methods, programmes etc. But the weakest link will always be there.

  10. Thanks for this interesting interactive video. As we have seen, humans are the weakest barrier in a process. I was a bit surprised that doctors cannot operate without the computer system. It is visible how important it is to train the employees to make them aware of the current and possible threats they are vulnerable to. Many companies just ignore the security issues and their systems are not up-to-date. Many attacks could have been prevented if the systems were updated.

    Replies
    1. Yes, I agree with You. Thank you for sharing your opinion.

  11. I don't have significant experience in this area but intuitively I think in strategic companies key software should be offline. On the other hand private companies have only one solution to become relatively safe - invest in the newest security solutions.

    My friend was a car designer at Lamborghini. Nobody who worked on a new model was allowed to enter the company with a data carrier. Simple, but it works.

    Replies
    1. In Samsung they use similar security approach :)

  12. Simple answer, disable internet connection :D For advanced users, learning is the key. Most users have no idea about certain threats, so teaching is a must. Especially in big companies, banks etc. Most security policies can save laypersons. Anyway, as an off topic. It would be nice to have more than one question to answer :)

  13. Just like colleagues above said - the weakest part of every IT system would be the end-user. We can have the best firewalls, up-to-date software and OS, every possible AV, yet have a user that has his VPN login and password written on a post-it stuck to the screen. Fun fact from our national defense field - I heard a story from a military IT guy, who works at the air forces, that they had an old-dated cleaner who liked to make her tea with a Soviet heater (one of those which you keep in a glass to heat the water), every day; punctually at 3PM. This operation caused a blackout of the main network infrastructure and switching it into backup mode. Several days elapsed until they found the reason for those failures :)

  14. I agree with the previous comments that usually the weakest part in an IT system is human. I think that one of the most important methods of preventing the attack is to educate the users, the company management, but also developers how important security is. It is not uncommon that the management would like to have complicated functionality in the IT system, but do not want to pay for its security, mostly because they don't understand what it is for. Also the users do simple but very unsafe actions like sharing their passwords with others (or even writing passwords on a post-it and sticking it to the monitor). Developers on the other side tend to forget about such broadly known ways of attack as SQL injection or just simply do not change default passwords e.g. in the database engine.

    Replies
    1. A good approach is to have predefined tests which cover those scenarios

  15. It was a nice play :-) I'm aware of cyberattacks of different types. Moreover my research deals with cybersecurity and vulnerability to various attacks. How can we prevent cyberattacks? I think that every company should start with employee awareness about potential attacks. Many attacks exploit weaknesses not necessarily of IT systems but human. As we saw in the movie, employees do not feel responsible for the data and they don’t imagine the consequences that it entails. In my opinion prevention and awareness are crucial factors.

    Replies
    1. Strongly agree with You, I have a dream that companies will start true security training with some gamification parts so people will be more engaged in learning about cybersecurity threats

  16. Thank you for presenting a very interesting form and discussing an important topic. I agree with the previous speaker that the weakest part of the security system is the users. Human errors contribute to many course security threats. I also agree that a large part of the population is unaware of existing threats or methods which increase the level of security. Here is a very broad field for educational activities. The film is a little bit controversial and futuristic, but hospitals are sensitive spheres and may be exposed to cybercriminals in the future.

    Replies
    1. Besides being a good commercial, it raises awareness in people and makes you think

  17. I have a feeling that everything has been already told and done in this subject. Answering this question there are only two things not seriously considered yet as being not too serious alternatives ;-)
    First one is to make an effort to organize data and cash in a way extremely avoiding IT systems. It sounds completely crazy, but sometimes it is possible to operate differently, I mean traditionally. Of course this is a step back in our civilization development, but we have to decide, what kind of price we are ready to pay for reducing our stress.
    Another issue is a more soft and naïve attitude to human nature – I mean educating and spreading information about the results of such cyberattacking activity. Those who cause the losses have to be ready to suffer damages also. I believe everything comes back to us sooner or later. I know such thinking is a very naïve one, but I think we could discuss at the moment what shall be more effective – such “education” or looking for new ways of struggling against cybercrimes, which seems to be a waste of time...

  18. Well, this was a nice interactive game. I didn't exactly try all the possible storylines, but I am still left with some bad aftertaste. I will get to it in a minute.

    First - how to be secure against cyberattacks? Well, I think that absolute invulnerability is not attainable. Just like the Titanic was supposed to be unsinkable (a.k.a. the Olympic, if you prefer to call it this way - see conspiracy theories), but actually wasn't.

    So, there is a number of measures which should be applied in concert:
    - not "keeping all your eggs in one basket": by which I mean not having a single point of failure, and large centralized systems with all possible data
    - having layers of trust, and providing systems only with the necessary information
    - redundancy: if a system is compromised, there needs to be a backup which can kick in instantly
    - not connecting all your systems to the Internet and GSM networks (may be a trade-off with user convenience, but the users' comfort should not take precedence over security)
    - not using WiFi where not necessary, securing the physical infrastructure (optic fibre) against breach,
    - using updated software, if necessary with third-party support.

    The last item is very important, and it was somewhat present in the game, but they also used this for taking shots at "Open Source" (and thus, at Free Software indirectly), to present it as non-compliant and leading to data leaks. Well, there have been massive security incidents both in the Microsoft monoculture and in the FLOSS community. Recently there was the bug in the WPA2 protocol (used to secure most WiFi networks) which actually affected everything - PCs, access points/routers and mobile devices.

    So the next measure is hiring a security professional to be vigilant, analyze the current risks and introduce preventive measures as necessary.

    A large part of the cyber attacks are preventable (human error, lack of separation of concerns, social engineering - psychological hacking). Security holes (like e.g. Heartbleed) cannot be easily prevented. This is where backups, separation of vital internal infrastructure and suspicious activity monitoring come in.
