8 Steps to Better Security. Kim Crawley
needs an always-working web application. A dental practice needs their radiography machines to always work, and so on. Computers with downtime result in lots of lost revenue and customers. Your organization needs to fully understand and control all of your data assets to protect them from cyber incidents.

       Chapter 7, “Step 7: Understand the Human Factor”: Many laypeople believe that successful cyberattacks require intense computer wizardry from cyberattackers, but the sad truth is that most cyber incidents, including the most destructive attacks, involve social engineering at one point or another. Fooling the people within your organization who have access to your computer systems is the most common way that cyber threat actors gain unlawful entry into your organization's networks. Phishing is a primary means of social engineering exploits. What is phishing? Phishing is when a threat actor uses a web page, text message, email, or social media post to imitate a trusted entity, such as a bank, a utility company, the government, or a well-known business. Even we cybersecurity professionals sometimes succumb to phishing attacks. We must never get overconfident. This chapter will cover how employees and contractors should be trained to prevent phishing attacks, as well as how to prevent other social engineering attacks, such as being tricked into downloading Trojan malware. This chapter is also designed to consider how organizations have evolved during the Covid-19 pandemic to support many employees and contractors working from home for the first time.

       Chapter 8, “Step 8: Build Redundancy and Resilience”: Any cyber incident or technical glitch that causes network downtime hurts your business's productivity. That loss of productivity has an immediate impact on your bottom line. Here's how to design networks with redundant capacity through the power of the cloud, how to properly back up your data and applications to protect them from threats like ransomware, and how to design hot sites and cold sites for business continuity in the face of potential disasters. Your organization needs backed-up data and extra computers to survive the cyber threats that can impact any entity.

       Once we cover all eight steps, we finish with Chapter 9, “Afterword.” I have advice for implementing all eight of these steps. But my knowledge is augmented with tips from some of the world's top business cybersecurity professionals. So, as you prepare to improve the cybersecurity of your organization, you'll benefit from an amalgam of the best advice available.

      Congratulations, you're ready to prepare your company for the evolving cyber threat landscape, no matter which country or industry you're in or the size of your business! Pat yourself on the back and then get to work. You can do it. I believe in you.

      People generally assume that cybersecurity is a technological area of study and take it for granted that cyber threat actors, called hackers by laypeople, must be computer geniuses. They have to have some mastery of computer programming code and an advanced understanding of how computer networks work. And if you take the Hollywood stereotype really seriously, then you probably believe that the most notorious cyberattackers work from an elaborate computer lab in their mom's basement, wearing a hoodie and typing at 400 words per minute. I imagine something like the movie War Games, but with a more 21st century–style presentation.

      So, surely, if you're learning about cybersecurity, it's all about computer science stuff, right? You likely bought this book because you're a businessperson who wants to improve the security posture of your company. So, maybe you expect this book is about hiring the right supernerds for your IT department, and then you just let them do their technical wizardry. Why do you need eight steps for that? Step 1: hire computer experts. Step 2: don't think about cybersecurity ever again.

      The first step to improving your company's security posture is to foster a strong security culture. Culture doesn't manifest in the firmware code on your PC's motherboard. Culture is about the ideas, attitudes, and styles people create and maintain in their interactions with each other. Your company could have the best security policies and the most expensive network security devices. But if the people in your company don't behave in a secure way, improving your security posture will be an uphill battle.

      From the balcony of my skyscraper condominium, I can see mighty maple trees thriving near Toronto's lakeshore. Those maple trees evolved over thousands of years to survive harsh Canadian winters. Their genes make them hardy, and they produce a resilient life-form. But if it weren't for the deep nutritious soil and sufficient annual precipitation in their environment, those maple trees wouldn't be able to grow and survive for hundreds of years. That's why you don't see maple trees growing in the desert.

      Your company's security culture needs to be the nutritious soil and sufficient precipitation for the seeds and saplings of your computer hardware, software, networking, security policies, and security staff to thrive to become the hardy maple trees of a resilient business with a strong security posture. Even though I don't intend for this to be a cheesy self-help book, I'm not going to stop with the flowery analogies. So, just hang on for the ride!

      Before I get further into explaining how to foster a strong security culture, I really need you to understand how important psychology and sociology are to cybersecurity. So, I will start with a really abridged version of the story of Kevin Mitnick, the man who may still be the world's most infamous cyberattacker.

      Kevin Mitnick is so notorious that you've likely heard of him, even if you've never taken an interest in cybersecurity. His name was mentioned in news headlines in the 1980s and 1990s.

       Mitnick is known for conducting two major cyberattacks. The first one was in the news throughout the 1980s: a penetration of Digital Equipment Corporation's (DEC's) network, called The Ark. DEC was a major manufacturer of computer hardware and developer of computer software from the 1960s to the 1990s, focused on the enterprise market. It was perhaps best known for its PDP line of minicomputers. The minicomputers of the era were definitely not “mini” by today's standards. Early PDP hardware consisted of large boxes the size of a few refrigerators stacked together. Even the later PDP models produced in the 1970s were at least the size of a single refrigerator. They were classified as minicomputers simply because they didn't require the space of multiple rooms of a building. Anyway, I'm going to refrain from rambling on and on about the history of computing. Just understand that PDP computers were very important when it came to large businesses being able to process thousands or millions of customer records, in areas such as the airline industry or public utility companies. This was the most frequent way computers were used in the years before PCs (known as microcomputers) entered most people's homes.

      In late 1979, a teenaged Kevin Mitnick acquired access to DEC's own computer system that he was not permitted to have. This was widely reported in the news during his criminal trial in the 1980s.

       Mitnick intended to describe how he maliciously accessed DEC's computer system in his book, The Art of Deception, published by my own book's publisher, John Wiley & Sons, in 2002. This material didn't end up in the first edition of Mitnick's book, but he confirmed