Information Security is your Job too
Saurabh Parashar
Director of Software Engineering | Global Leader in Cloud Infrastructure, Application Development & Enterprise Systems | Driving Innovation, Scalable Solutions & Business-Aligned Engineering Strategies
Today, electronic devices surround us from every direction. The fact that you are reading this article means you are using a device that knows a great deal about you and can track your activity and behaviour.
In the good old days, security was as simple as a lock and key. Over time the locks became bigger and more complex, but with the advent of the internet the concept of security moved into the software domain, where everyone and everything is connected. It is no longer enough to know about internet security superficially; everyone needs to grasp it well enough to keep themselves and their data away from prying hands. Before diving further, though, let's go back and look at the basics.
The three fundamental concepts of information security are Confidentiality, Integrity and Availability, also known as the CIA triad. Confidentiality: information is available only to authorised people and systems and kept from everyone else. Integrity: information is kept correct and complete, protected from unauthorised, accidental or malicious changes. Availability: information is reachable whenever someone who is authorised needs it.
The early days of the internet gave birth to the data center. Servers were purchased, configured and installed in a centralized location where physical access was controlled and monitored. Over the years, redundancy requirements for disaster recovery meant multiple data centers and security scrutiny in multiple locations. Organizations' security expenses have risen constantly with the ongoing patching of software and operating systems, audits and more.
The last decade then saw the rise of cloud infrastructure, where companies provision and manage computing resources over the internet without maintaining a traditional data center.
Executive management at some organizations moving to the cloud take the provider's compliance at face value and assume that their own services and servers are therefore compliant too. This is a large gap in understanding, and it is often discovered midway through the migration. Cloud security is a shared responsibility: the provider secures the physical facilities, hardware and underlying platform, while the customer remains responsible for everything it runs on top, including its own software, configuration, identities and data, and for virtual machines (EC2 instances, for example) the guest operating system and its patching. As on premises, this is a continuous process, not a one-time task. Data stored in the cloud should be encrypted with well-reviewed, current algorithms: AES-256 is the usual choice for data at rest, RSA is used to protect keys and for signatures rather than for bulk data, and Triple DES is deprecated and should not be used for new systems. What matters is not how complex the cipher looks but that a standard algorithm is used correctly, in an authenticated mode, with keys that are generated, stored and rotated properly. Most cloud providers hold attestations such as PCI DSS, FIPS 140-2 validation of their cryptographic modules, SOC 2 reports and NIST SP 800-171 alignment. These cover the provider's side of the line; they do not by themselves make your software and processes secure or compliant.
Now you have ensured that your product has solid security measures, persistent data is encrypted with AES-256, and every access is verified and logged. Can you now relax?
Well, even with newer and stronger security measures, compliance and audits, breaches keep happening. Every year a bigger, wider breach is reported in the news, affecting millions of users. Often this is because the weakest link has been overlooked: you, the user. Let's hold that thought while we revisit the past.
A well-known example is the Sobig family of mass-mailing worms from 2003. Each variant arrived as an email attachment under a forged sender address; once a user opened the attachment, the worm harvested email addresses from files on the infected machine and mailed copies of itself to all of them, which is why it spread so quickly.
That is what makes a worm a worm: it propagates by sending a copy of itself over the network to other systems, whether as an attachment, through a shared folder or via a link, rather than waiting to be copied by hand.
The later Sobig.F variant also tried, at scheduled times, to download additional code from a hard-coded list of servers, so that infected machines could be repurposed after the initial outbreak. No exploit of the mail client was needed; a user opening an attachment that looked legitimate was enough.
Similarly, over the years attackers have found back doors and security vulnerabilities in operating systems that let them push malicious code through your computer and on to the keys to the kingdom: the corporate server.
Now back to you, the user. Every day over 300 billion emails are sent around the world, reaching every internet user, some getting a few and others a few hundred. Email has become the favourite medium for marketing companies to reach you, because a click from an email can reveal who you are, roughly where you are and what you like: a tracking link is unique to each recipient, so opening it tells the sender which recipient clicked, when, and from which network.
Email is the favourite medium of attackers too. Sending bulk email is cheap (over 100K messages for as little as $10), and address lists are cheap as well (1M email addresses for under $50). Attackers then use phishing: email crafted to make you believe it comes from your bank, store, school, club, etc., and to entice you to click a link. Once you click, you are asked to provide personal information to "verify your access", which sounds reasonable; verifying identity before granting access is, after all, what confidentiality in the CIA triad is about. Information such as your password or account number is then used to take over your account, and the page may also try to install malware on your machine. If you use a company-provided laptop or smartphone, clicking a link in a fake email can open your company's systems to the attacker.
Phishing has evolved and is now a category of attack that includes the following types:
- Email - The standard and most common phishing attack: spoofing an organization's identity to steal personal information.
- Smishing - The same as email phishing, but the links are embedded in SMS messages.
- Malware - Clicking a link to download a file, or opening an attachment, installs malware on your device.
- Spear - A targeted attack on employees of a specific organization, celebrities or political figures, using details about the target to look convincing.
- Search Engine - Fraudulent websites placed in search results (shopping sites, for example) designed to collect personal information and divert payments.
- Clone - An attack in stages: the attacker first takes over a victim's email account, then re-sends a legitimate email the victim previously sent, with the links swapped for malicious ones, to people in the victim's contact list.
- Man-in-the-Middle - An eavesdropper sits between your device and the service and reads or alters the traffic. These are often carried out on unsecured WiFi networks.
- Malvertising - Normal-looking advertisements that carry malicious code or lead to malicious pages.
Over the years attackers have crafted email campaigns that look and feel like the original, and even experienced internet users are caught by the appearance. The sample email shown in the article (not reproduced here) is fake, and the only difference from the real one is an extra "s" in the email domain name.
It is hard to check domain names constantly for every email, but there are a few things that can become habits when reading email.
- Be skeptical - If you were not expecting an email from your bank or investment broker, be skeptical before clicking any link or replying. Legitimate companies do not ask for passwords or other sensitive information through email.
- Check the greeting - Fraudulent bulk emails usually open with a generic greeting ("Dear Customer") instead of your name. The reverse is not a guarantee: a targeted (spear) phishing email will know your name.
- Check the domain - Before clicking, look at the actual sender address rather than the display name, and hover over any link to see the domain it really points to. Compare it character by character with the domain you know.
- Beware of buttons in email - Legitimate notifications tell you to go to the company's website yourself, log in and take the action described. Be wary of any email asking you to click a button to update your account details; type the address you know into the browser instead.
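As an added example (not part of the original article), the following Python script turns the domain-name and greeting habits above into a check a mail filter or a curious user could run. It parses a raw message, pulls the sender domain and every link target out of the body, flags domains that are within a couple of edits of a known one or that embed its brand label (which catches the extra "s" case), and notes a generic greeting. The allowlist, the sample message and the domains in it are constructed for illustration and are not real.

```python
"""Flag look-alike sender and link domains in an email.

Added illustration for the habits in the article; the allowlist, the sample
message and every domain below are constructed, not real.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical allowlist: the registered domains this reader actually deals with.
KNOWN_DOMAINS = {"examplebank.com", "example-broker.com"}

# Greetings that suggest a bulk or fraudulent mail rather than a personal one.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one inserted letter ('examplesbank') scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Reduce 'www.examplebank.com' to 'examplebank.com'. Assumes a two-label
    registered domain; a production tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host: str) -> str:
    """'known' if on the allowlist, 'lookalike:<known>' if within two edits of a
    known domain or embedding its brand label, otherwise 'unknown'."""
    dom = registered_domain(host)
    if dom in KNOWN_DOMAINS:
        return "known"
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if edit_distance(dom, known) <= 2 or brand in dom:
            return f"lookalike:{known}"
    return "unknown"


def analyze(raw_message: str) -> dict:
    """Parse a raw RFC 5322 message and report the sender domain verdict, a
    verdict for every http(s) link in the body, and whether the greeting is generic."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _display_name, address = email.utils.parseaddr(msg["From"] or "")
    sender_domain = address.rsplit("@", 1)[-1]          # real address, not display name
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    links = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        links.append((host, classify_domain(host)))
    first_line = body.strip().splitlines()[0].lower() if body.strip() else ""
    return {
        "sender": (sender_domain, classify_domain(sender_domain)),
        "links": links,
        "generic_greeting": first_line.startswith(GENERIC_GREETINGS),
    }


# Constructed sample: the sender domain carries an extra 's', the "verify"
# link points at that same look-alike domain, and a second link points at
# the real site so the message looks plausible.
SAMPLE_EML = """\
From: Example Bank Alerts <alerts@examplesbank.com>
To: you@example.net
Subject: Verify your account
Content-Type: text/plain; charset=utf-8

Dear Customer,

We noticed unusual activity on your account. Confirm your details here:
https://examplesbank.com/login/verify
Or visit our help site: https://www.examplebank.com/help
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_EML)
    print("sender:", report["sender"])
    for host, verdict in report["links"]:
        print("link:", host, verdict)
    print("generic greeting:", report["generic_greeting"])
```

The display name ("Example Bank Alerts") is deliberately ignored: it is free text the sender controls, so only the address after the `@` and the hostname inside each link are compared. The edit-distance threshold is a heuristic and will produce false positives on very short domains; tune the allowlist and threshold to the domains you actually use.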
This brings me to the conclusion that security is not just a concept and an activity tied to corporate servers, software and systems. It is equally important to train and teach everyone in the organization about the importance of security and how to stay vigilant even when doing something as simple as checking email. You can be the weakest link that unsuspectingly opens your company's secured door to the attacker.
Being aware and knowledgeable about security is a constant process. As attackers get more sophisticated, we as users need to improve our understanding to keep ourselves and our organizations safe. Security is a collective effort, and it is our job too.