CYBERSECURITY AND ITS STANDARDS
By Akshay Hande, Intern, Seth Associates
Keywords: cybersecurity standards, cyber law, cybersecurity
What is Cybersecurity?
Cybersecurity is the protection of Internet-enabled devices such as computers, laptops and smartphones, and of the computer networks, programs and services related to them.
Why is cybersecurity important?
The significance of cybersecurity in today's technology-driven world is hard to overstate. Its primary goal is to protect sensitive data: the personal information of individuals, and the business, confidential and proprietary data of organizations. Every business depends on computer systems, networks and digital services for its operations and holds sensitive databases and other data. Without adequate cybersecurity, a business can be seriously harmed by an intrusion or cyberattack. Securing our digital world matters because the loss of crucial data can cause financial losses and damage the interests of a business.
Cyber-attack
A cyber-attack is a malicious and intentional attempt by an individual or organization to gain unauthorized access to another's data, applications or other assets in order to expose, alter, steal, destroy or disable them. The common types of cyber-attack are:
- Malware: Malware is harmful software intentionally designed to damage a computer, server, client or network. It takes many forms. Viruses are self-replicating programs attached to legitimate files which, when executed, damage data. A Trojan horse is malware disguised as a useful program or embedded within legitimate software; it tricks users into installing it and then gives the attacker unauthorized access to the user's system. Ransomware uses strong encryption to hold users' data hostage, making it inaccessible unless a ransom is paid, commonly in cryptocurrency. Spyware gathers sensitive information such as usernames, passwords and credit card numbers and transmits it back to the attacker. A computer worm is similar to a virus but spreads automatically between applications and devices without needing a host program; once it infects a device it copies itself and spreads further at an alarming rate.
- Phishing: A social engineering attack in which the attacker sends emails or messages that purport to come from a trusted source and manipulate users into sharing sensitive information, downloading infected software or clicking on malicious links.
- Denial of service (DoS): A computer, network or service is flooded with fraudulent traffic (illegitimate requests) until the target is overloaded and can no longer respond to legitimate requests, or crashes.
- Man in the middle: The attacker secretly eavesdrops on communication between two individuals, or between a user and a server, and alters the communication between the parties without their knowledge. This is often done through session hijacking, in which the criminal interrupts communication between the user and the server hosting an important database. A criminal may also create a fake email address to cause confusion, so that the victim believes an email is coming from an authentic source.
- SQL injection: The attacker uses Structured Query Language to send malicious commands to a website's or application's database, typically through input fields such as search bars and login forms. First the attacker finds a security flaw in the login form; then the attacker fills the username or password field with malicious SQL code and submits the form. The web application, unaware of the intent, builds the input into its SQL query, and the resulting query retrieves all records from the users table, including usernames and passwords, which the criminal then uses for further malicious activity.
- Cross-site scripting: The criminal inserts malicious code into a legitimate web page. When a user visits the site, the malicious script runs automatically in the user's web browser, after which the criminal can steal data, hijack the session or redirect the user to another malicious site.
- Zero-day exploits: Vulnerabilities or flaws in software that are unknown to the security community, or known but not yet fixed, are exploited by hackers for their own purposes.
- DNS spoofing: Hackers alter domain name system (DNS) records and replace a website's real IP address with a fake one, so that a user who tries to visit the real site is redirected to a malicious copy of the website that steals their data.
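To make the SQL injection mechanism described above concrete, here is an added example (not from the original article) in Python using the standard sqlite3 module: a constructed two-user table, a login check that pastes form input straight into the SQL text, and the parameterised version that closes the hole. The usernames and passwords are constructed sample values, and `make_db`, `login_vulnerable` and `login_safe` are names chosen for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users in an in-memory SQLite table.

    Passwords are stored in plaintext only to keep the example short;
    a real system would store password hashes instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Form input is interpolated into the SQL text, so quotes typed by the
    user become part of the query's structure rather than data."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, username, password):
    """Parameterised query: the driver binds input as data, so it can never
    alter the query's structure, whatever quotes it contains."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


if __name__ == "__main__":
    conn = make_db()
    # The classic textbook payload turns the WHERE clause into a tautology.
    payload = "' OR '1'='1"
    print(login_vulnerable(conn, payload, payload))  # every user is returned
    print(login_safe(conn, payload, payload))        # no user matches
    print(login_safe(conn, "alice", "alice-secret"))  # legitimate login works
```

The vulnerable query becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row; the parameterised query compares the whole payload string against the stored values and finds nothing.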
Global spending on Cybersecurity
The statistics are crystal clear: cyber-attacks worldwide are increasing at a rapid rate. A company is targeted by a ransomware attack every 14 seconds, and those that fail to protect their systems suffer broad damage to their business and put themselves at risk. Cybersecurity is a top priority for every major business in the world. The cybersecurity market was worth $120 billion in 2017 and, driven by the surge in cyberattacks, is expected to grow to $300 billion by 2024. Companies with small turnover spend less than $500 on cybersecurity, leaving them prone to attack, whereas wealthy entities spend far more: Microsoft invests $1 billion and JPMorgan $600 million per annum on cybersecurity.
Cybersecurity standards: These standards are guidelines that an organization should follow to enhance its cybersecurity; they focus predominantly on how to prevent cyber threats and attacks.
General: ISO/IEC 27001 is an international standard that sets out the requirements for an information security management system (ISMS). An ISMS is a framework for managing an organization's information security risks. ISO 27001 is the most widely recognized information security standard and is used by organizations of all sizes in all industries. Under Information Technology law in India, it is one of the recommended standards for deemed cybersecurity compliance.
NIST Cybersecurity Framework: a voluntary framework providing a high-level view of cybersecurity risk management. It has five core functions: Identify, Protect, Detect, Respond and Recover. Institutions use the framework to enhance their cybersecurity by identifying their risks, implementing appropriate security controls, and developing plans for responding to and recovering from cyberattacks.
These two standards can be applied across various industries.
Finance: PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards created to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It was created by the Payment Card Industry Security Standards Council (PCI SSC), founded by the major credit card companies Visa, MasterCard, American Express, Discover and JCB.
Health: HIPAA (Health Insurance Portability and Accountability Act) is a federal law enacted in 1996 to protect the privacy of individuals' health information. It applies to healthcare providers, health plans and healthcare clearinghouses that transfer health-related information electronically.
Government and Defence: FISMA (Federal Information Security Management Act) is a US law that sets out the framework for securing government information and computer systems. It requires all federal agencies to have strong cybersecurity practices in place, with the main objective of protecting government data, operations and assets from cyber threats. It entails developing, documenting and implementing an agency-wide information security program and conducting annual reviews to manage security risks effectively.
Internet: CIS (Center for Internet Security). The CIS publishes standards that are globally recognized best practices, providing a framework to secure IT systems and data against cyber threats. These standards are designed to help organizations improve their cybersecurity posture by offering practical, actionable guidelines they can implement. The CIS standards are also known as the CIS Controls or CIS Benchmarks.
Tools for cybersecurity
There is a wide range of tools available for enhancing cybersecurity. The most common include the firewall, a device that controls incoming and outgoing network traffic based on predetermined security rules, and the hardware security module (HSM), a device for protecting sensitive data that stores cryptographic keys and performs functions such as encryption, decryption and digital signing. Antivirus software such as Bitdefender detects and removes viruses. Other tools include VPNs, password managers and data loss prevention software, among others.
Conclusion