When it comes to online security for commercial concerns, most people tend to think of hackers sitting in darkened rooms, hammering away at a firm's firewalls or sending out virus-laden emails to break through online defences from the inside.
While these threats are real enough, they should not be allowed to become the be-all and end-all of a firm's security measures.
This is because a dedicated attacker is more likely to work from a range of angles, gathering as much information as possible before taking decisive action.
This reconnaissance can take some truly innocuous forms: phone calls asking for specific staff members, emails 'accidentally' addressed to the wrong employee, and even direct social engineering attempts in face-to-face meetings.
In a busy work day these small details are easily lost as employees focus on their tasks, unaware that they have just handed a valuable piece of information to a malicious party.
To get a full-spectrum view of the weak points in a firm's security protocols, a security assessment known as a "red cell" test can be undertaken. It simulates a real-world attempt to gain access to privileged information, with the added benefit that the findings remain confidential to the firm.
Technical Risk Assessment
Recent changes to corporations legislation, together with an increased focus on director due diligence, have placed greater importance at board level on the development and oversight of an organisation's IT risk and security culture and its management.
In a recent article in the Sydney Morning Herald, Drazen Drazic, Securus Global Managing Director, commented on what should be considered prudent risk management in IT and cloud security, and on the importance of a strong board and director focus on IT security management.
Here is an overview of the article.
Prudent risk management should include IT and cloud security considerations.
Recent changes to the Corporations Act 2001 mean that board members will increasingly scrutinise the IT risk and security culture of an organisation, which will impact CIOs in a number of ways, including the need to do due diligence when handing over sensitive corporate data to cloud service providers.
Late last year a raft of regulations was pushed through to foster greater accountability among board members, according to Securus Global founder Drazen Drazic, who said this was in response to the lack of corporate oversight that triggered the events leading up to the global financial crisis.
Security Due Diligence Assessments
At our February Breakfast Brief in Sydney and Melbourne, two of our penetration testers and researchers presented to a select crowd on the importance of not overlooking small vulnerabilities. During vulnerability assessments and penetration tests, these small, seemingly inconsequential findings are often downgraded or accepted as residual risk. Attackers, however, are highly adept at finding and collecting such weaknesses, holding onto them for future reference and chaining them together to compromise an organisation.
Here is an excerpt from a ZDNet article on the presentation.
At Securus Global's February security briefing, a pair of security researchers demonstrated how businesses accepting small security risks may be leaving the door open to hackers who have realised that chaining small vulnerabilities together represents an easy way to destroy companies.
The researchers stated that organisations tended to look at vulnerabilities separately from other vulnerabilities, when the real issue was how these could be used in conjunction with each other to become potentially more dangerous. They then went on to demonstrate how a number of organisations they had previously worked with had fallen into the trap of considering threats to their business in isolation.
To read more: http://www.zdnet.com.au/are-small-vulnerabilities-the-real-enemy-339332377.htm
Securus Global’s Consulting Services