How to protect your organisation from the top 5 security risks
Computing's top tips for safeguarding your data
Data breaches are rarely out of the headlines, with a seemingly endless parade of large organisations left red-faced and out of pocket following embarrassing security failures.
And what's perhaps most surprising is how often these breaches would have been easily preventable with a bit of best practice.
Despite the number of safeguards that exist, many firms still suffer catastrophic data breaches, and end up in the headlines for all the wrong reasons.
Computing now brings you the top 5 security threats today, and how to guard your organisation against them.
5. Cross-Site Scripting
Cross-Site Scripting (also known as XSS) is a vulnerability in which hackers can inject code into a website from the client side. For it to happen, the website needs to display user input and have nothing in place to neutralise anything in that input the browser would recognise as code.
As a form of attack it has been around for decades and, despite the relative ease of defending against it, it's still a shockingly common vulnerability, even among the websites of large, well-funded organisations.
The Open Web Application Security Project (OWASP) lists a number of simple ways to block XSS attacks.
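As an added illustration (not code from the article or from OWASP), the vulnerable pattern described above sits beside the hardened form. The page template is a constructed example; the fix is output encoding, which is one of the OWASP recommendations: every character with HTML meaning in the user's text is encoded before it is placed in the page, so the browser shows it as text rather than running it.

```python
import html

# Constructed page fragment used by both renderers (assumption: the comment is
# shown inside a <p> element, as a simple comments page would do).
TEMPLATE = '<p class="comment">{}</p>'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: the user's text is dropped straight into the page, so any
    markup or script it contains is interpreted by the browser."""
    return TEMPLATE.format(comment)


def render_comment_safe(comment: str) -> str:
    """Hardened: <, >, &, " and ' are encoded as HTML entities first, so the
    browser displays the text literally instead of treating it as code."""
    return TEMPLATE.format(html.escape(comment, quote=True))


def contains_raw_tag(rendered: str) -> bool:
    """Simple check a reviewer could run over rendered output: does any raw
    <script ...> tag survive in the page? Encoded text never matches."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Constructed user input containing code, as the article describes.
    user_text = '<script>alert("hi")</script> nice post!'
    print(render_comment_unsafe(user_text))  # script tag reaches the browser
    print(render_comment_safe(user_text))    # shown as harmless text
```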
4. SQL Injection
Another form of attack which has been around for decades, SQL Injection was recently seen in the TalkTalk hack of 2015. Similar to XSS attacks, the vulnerability stems from a web-facing application allowing someone to write code into an input form, which is then passed straight through to the back-end database.
OWASP has admonished firms still suffering from such an ancient and easily remedied vulnerability.
"It's somewhat shameful that there are so many successful SQL Injection attacks occurring, because it is extremely simple to avoid SQL Injection vulnerabilities in your code," the organisation said.
To secure yourself from this type of vulnerability, developers have two choices: stop writing dynamic queries, and/or prevent user-supplied input which contains malicious SQL from affecting the logic of the executed query.
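As an added example (not code from the article, TalkTalk or OWASP), the two options above side by side: a dynamic query built by string concatenation, and the same lookup as a parameterised query, in which the SQL text is fixed and the input is bound as a value. The in-memory SQLite table and the crafted input are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def lookup_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is concatenated into the query text, so any SQL
    it contains becomes part of the query's logic."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the query text never changes; the input is passed to the
    database driver separately and can only ever be compared against name."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing SQL, of the kind the article describes.
    crafted = "x' OR 'a'='a"
    print(lookup_dynamic(db, crafted))        # every row: the input changed the logic
    print(lookup_parameterised(db, crafted))  # []: the input is just an unmatched name
    # A legitimate name with an apostrophe also breaks the dynamic version
    # (it raises a SQL syntax error) but is handled correctly when bound.
    print(lookup_parameterised(db, "o'brien"))
```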
3. Social engineering
Social engineering is a different form of attack, in that it targets people rather than systems. Hackers who find that corporate systems are well defended technologically will often turn to this form of attack, hoping that staff prove to be a simpler way in.
It is often facilitated by social media. It is the work of moments for a hacker to scan an employee's social media profile, then approach them with a believable story, perhaps fabricating their own social media profile, claiming to have met the employee at a recent event, and soon winning their trust.
From there, it can be a simple matter for the hacker to pass themselves off as an existing customer or supplier, and ask for access to systems and data directly.
The best defence is a well-trained staff, and many firms conduct routine fake social engineering attacks on their own staff to hammer the message home.
2. APTs
Part marketing buzzword, part genuine threat, the term Advanced Persistent Threat (APT) describes attacks from well-funded and persistent criminal groups, often state-sponsored.
An example is the Stuxnet worm attack on Iran's nuclear refinement industry in 2010, which some commentators believe was the joint work of US and Israeli security agencies.
Defending against a determined attacker with essentially bottomless resources is a tall order, and the best advice is to make it sufficiently hard that most groups will look elsewhere. In essence, don't be the low-hanging fruit.
Few organisations will suffer the might of a cyber attack from a powerful state. Most APTs are the result of a long discovery phase, during which criminals send out payloads of malware in a scattergun approach, targeting a host of wealthy organisations with the aim of finding those most likely to pay off.
Present these low-level threats with the equivalent of locked doors and windows, and most will go elsewhere.
It's the equivalent of the old gag where two people are about to be chased by a lion, and one stops to lace up his trainers first. "You'll never outrun it," says one. "I don't need to outrun it," the other replies. "I just need to outrun you."
1. Insider threat
Insider threats, as the name makes clear, come from employees or other people with permission to enter corporate premises (for example cleaners, or other contracting staff).
Insiders often work in tandem with malicious outsiders, and the insider threat is one of the most terrifying attacks faced by corporations today, owing to the difficulty of detecting and preventing an attack from those the organisation should be able to trust.
The best form of defence is to employ a rigid and regularly checked access management system to ensure that information is available only to those who 'need to know'.
In this way, the number of people with access to sensitive information is kept to a minimum, making it less likely that outsiders will find co-operative insiders, and also giving investigators a smaller pool of potential suspects to investigate in the event of an insider-led breach.
The Centre for the Protection of National Infrastructure gives advice to organisations on how to guard against malicious insiders, including how to set up a security-conscious culture.