
Page 1: NNIT Cybersecurity Brief White Paper v0b.pdf · is without risk, cloud computing can be an attractive, agile, and cost-effective alterna-tive to traditional IT solutions – provided

WHITE PAPER

NNIT Cybersecurity Brief
Insights on current and future cybersecurity challenges

Content

A new threat landscape 1
Know the threats 2
Build a security culture 4
Stay secure in the Cloud 6
Continuous Compliance 8
Scale your Cybersecurity Strategy for an effective defense 9

NNIT Cybersecurity Brief 1

A new threat landscape

Every day, companies and organizations of all sizes find themselves under attack from an increasingly sophisticated array of cyberthreats. From hidden crypto-mining software secretly siphoning off your computing resources to cleverly crafted CEO fraud attempts and phishing emails, it’s no longer a question of whether you will be targeted, but rather when and how.

Thus, organizations are left with the difficult task of finding the right level of IT security while staying oriented in the rapidly changing risk scenarios arising from new technology like the Internet of Things (IoT), mobility and cloud. Add to that the pressure to stay compliant with rigorous new regulations like the EU General Data Protection Regulation (GDPR), where data breaches can trigger massive fines in addition to other negative consequences.

Cybersecurity – A more complex challenge than ever before

The increasing complexity in the field of cybersecurity is driven both by the diversity among the potential perpetrators and the wide assortment of easily accessible tools they have available to carry out their criminal activities.

On one end of the spectrum, you have the self-taught script kiddies enabled by how-to videos on hacking and Cybercrime-as-a-Service, where a DDoS-attack can be ordered with a few clicks. At the other end, career criminals and state-sponsored groups wield sophisticated threats that can cripple IT infrastructure on a national scale.

Some threats may even be lurking inside your own organization, both in the form of careless or misguided employees and bad actors, who purposely betray the trust of their employers driven by motives like personal gain or vengeance. Strategy, culture and awareness training may be your strongest weapons in this respect.

On the technical side, the growing number of companies migrating to the cloud adds yet another dimension to cybersecurity. While no IT investment or transformation is without risk, cloud computing can be an attractive, agile, and cost-effective alternative to traditional IT solutions – provided that you take appropriate steps to ensure cybersecurity.

For companies operating in heavily regulated industries, such as life sciences, continuous regulatory compliance should also be a top priority. Issues like inadequate Identity and Access Management and a growing amount of unstructured data represent a huge risk to these organizations, who would do well to evaluate their data management approaches.

In this White Paper we tackle some of these challenges head on. Our goal is to demonstrate that effective cybersecurity is not always about spending more money. Instead, it’s about aligning your security initiatives with the threats and priorities of your business in order to protect it from financial and reputational damage.

Enjoy the read and stay compliant, secure and future-ready!


Know the threats

As the methods used in cybercrime attacks continue to evolve, it’s crucial to understand your risk environment. This can be done through an initial security assessment, where NNIT can assist you in gaining an understanding of your current threat landscape, pain points, and your desired risk profile.

How scammers attack your company using CEO fraud

Research, social engineering and automatic scanning are just some of the weapons that scammers use to infiltrate businesses and impersonate the boss. Once the scammers have penetrated the company, they can hide for months, waiting for the perfect opportunity to launch an attack.

A great deal of careful planning and patience lies behind the thousands of CEO fraud attempts targeted at top executives each year. Typically, the fraudsters send a fake emergency mail to the finance department from an executive who is away from the office. This mail instructs the employees to transfer a large amount of money quickly, confidentially and without questioning the transaction.

Prior to the actual fake mail, a great deal of groundwork has typically already taken place. The fraudsters will have methodically investigated the company, identified key persons and gained access to internal systems such as e-mail servers and calendars. The incidence of CEO fraud is on the rise, and studies and experience from the NNIT Cyber Defense Center show that these cybercriminals are becoming more and more sophisticated.

The criminals behind CEO fraud have an advanced range of tools that can automatically scan for vulnerabilities and exploit passwords and login information. They are also clever at reading and imitating internal communication, so language use and formulation match the emails that the victims themselves send.

Phases of the attack

A CEO fraud attack can typically take several months and involves these five phases:

Phase 1: Identification of potential targets

Here, the fraudsters trawl through publicly available information to find suitable targets. Medium-sized businesses are typically the preferred victims, but all types of businesses and organizations can be at risk.


Phase 2: Gathering information

Once the fraudsters have chosen a company, they systematically work on collecting information such as name, title, email and other information on key persons. This process is often automated, but in some cases the fraudsters contact the company directly via email or phone under the guise of potential applicants, suppliers or customers. In this way, they get access to mail signatures and knowledge about how company employees express themselves in both writing and speech.

Phase 3: The initial attack

When the criminals have gathered the necessary information, they will typically try to compromise the company’s internal systems – either through technical vulnerabilities or via targeted phishing emails sent to selected employees. An example of this could be a job application sent to HR with a link or attachment that installs a snooper program on the victim’s computer. From here, automated scripts provide immediate access to intercepted information such as passwords for the internal mail server or intranet. The criminals also look out for copies of invoices or mail correspondence from the employees they wish to impersonate. Calendars are especially valuable as they show when the manager is traveling or otherwise unavailable.

Phase 4: Calm before the storm

If the fraudsters have succeeded in infiltrating the company, they will typically lurk in the background and intensify the search for information enabling them to build up a credible story that can lead to a major payoff. They painstakingly study all communication to and from their chosen victims in order to gain insight into language use, sender information and habits.

Phase 5: The final attack

The fraudsters are now well-prepared and ready to strike when the perfect conditions arise. This could, for example, be when the CEO or another senior executive is temporarily inaccessible. The fraudster may use the opportunity to send a credible request for the transfer of a large sum of money to an employee in the finance department or similar. In some cases, the cybercriminals have even cloned a senior executive’s SIM card, so mails can be followed up with a personal text message calling for swift action. The fraudsters will always try to create a sense of urgency and often strike during periods when temporary workers have replaced permanent employees. Many attacks take place on Friday afternoons, just as the employees are on their way home for the weekend.

The automated tools arms race

If you want to defend yourself against CEO fraud, you can use the same mix of automated tools and human skills as the fraudsters. When the NNIT Cyber Defense Center helps companies strengthen their security, we use technical security solutions such as Endpoint Detection and Response (EDR), which can intercept penetration attempts into the IT system. In addition, it is crucial to educate employees and encourage a culture of heightened awareness in areas such as phishing and social engineering.

A lack of awareness about IT threats is one of the major problems that we clearly see when carrying out threat intelligence and security health checks. Our customers are often surprised by the risks revealed in the simulated attacks performed by our ethical hackers. As a rule, it can be several months before anybody even discovers that the system has been compromised. This is why automated monitoring of systems can be an effective layer of protection that detects fraud attempts at an early stage.


Build a security culture

As many as 90% of all cybersecurity breaches are caused by human errors. Therefore, creating an embedded culture of awareness is the most important measure against cybersecurity threats. One way to do this is through NNIT Cybersecurity Training in Virtual Reality, which uses gamification to build awareness among employees.

The biggest information security threat comes from within

Employees’ unconscious actions are now considered to be the biggest information security threat. If a threat occurs within the company it can, however, be alleviated.

Companies and public institutions are increasingly exposed to cyberattacks. Cyberattacks are becoming more and more advanced and can potentially cause operational breakdowns with significant financial consequences to follow. An increasing share of companies’ IT budgets is used to improve IT security through technical solutions and process implementations. Employee behavior is, however, neglected despite the fact that it typically constitutes the biggest exposure.

Why are employees the biggest threat?

With multiple devices connected to various online services, we constantly give consent, download and click without hesitation. But one accidental click is enough to open the door to hackers. When employees are increasingly exposed to security threats without being able to identify them, the risk of unintentionally opening the door to hackers increases.

Employees are key to avoiding cyberattacks

The biggest threat can be turned into a strong defense against cyberattacks by building strong IT security behavior. Investing in employee behavior is, therefore, important in alleviating the threat of cyberattacks.

How is good information security behavior achieved?

A clear and professional information security policy is the foundation of good information security behavior, but the strength of the foundation depends on the employees’ awareness of it. Management must carefully articulate the values which employees collectively have to protect, and what is expected of them in doing so.


In order to succeed, management must provide appropriate training supported by ongoing dialog addressing the following questions:

• How can phishing and spam mails be identified?
• When is a link secure?
• What is a strong password?
• Why should passwords not be used in multiple logins?
• Why should passwords not be shared?
• Why should a PC be locked when leaving it?
• What are the risks of charging smartphones from a PC?
• Which types of USB flash drives are safe to use?
• Which apps can be safely downloaded on a work phone?
• When should data be encrypted?
• When is it safe to give consent in a pop-up?
• What should be done in case of a cyber-attack?

It is important that employees know the answers to these questions and many more and are able to incorporate them into their daily behavior. Behavioral change is, however, time-consuming and requires ongoing efforts.

We humans like to do the right thing and would like to protect the companies for which we work. Nevertheless, we often do what is easiest, which may entail increased exposure to information security risks. Our experience as consultants shows that an information security strategy has to focus on behavioral design in order to be successful. Organizations have to ask: How do we make it natural and easy to act securely? This can be achieved by using simple nudging solutions such as having a plug in the USB port, which has to be removed before plugging in.

With a clear direction and appropriate training, employees can become key to avoiding cyberattacks.


Stay secure in the Cloud

Security concerns are among the top reasons why companies refrain from moving systems and services to cloud-based solutions. But with the proper measures, risks can be identified and mitigated. NNIT offers a range of cloud security advisory services to help organizations ensure a smooth transition to the Cloud.

Control Your Security & Privacy in the Cloud

Many companies worry about security and privacy when migrating to cloud services. The cloud providers often demonstrate compliance with a comprehensive list of standards and certification programs, but does that mean that you can relax and feel safe when migrating to cloud services?

For a number of decision makers, migrating company data to cloud services is a cause for concern. Fortunately, most of the decision makers have a risk-based approach. They understand the business criticality, data classifications, threats and risks – and they apply additional controls to mitigate the unacceptable risks.

Unfortunately, some of the decision makers wrongly believe that the cloud providers are obligated to protect customer data hosted in their cloud services by default. This misconception can be cleared up by referring to the International Organization for Standardization (ISO) standards for cloud computing, specifically the ISO 27017 and ISO 27018 standards. They explain very clearly that the cloud customers are accountable for protecting their data.

Steps to Regain Control of Your Data Privacy in the Cloud

In order to regain control of your data privacy in the cloud, consider including the following steps. The steps are partly covered by the ISO 27017/27018 standards.

1. Data ownership

It is important to agree on data ownership to prevent the cloud providers from using your data for other purposes than agreed in the contract, e.g. data mining for marketing. Data ownership is also important if you someday want to terminate the cloud service and migrate to another cloud provider or in-house hosting. Specify that data must be delivered in a commonly used format within an acceptable timeframe after termination. Furthermore, ensure that your cloud providers are obligated to notify you in case of data breaches and disclosures, and that the cloud providers must reject any requests for data disclosure that are not legally binding.


2. Legislation

Identify any Personally Identifiable Information (PII) or other sensitive data you may store, where these are physically located, who has access, and how the data is used. Logging of access to data might be recommended or required. Data protection and privacy legislation varies from country to country, and there might be restrictions on where data can be stored and accessed from. The focus on data privacy is increasing further with the new EU General Data Protection Regulation (GDPR), and there is still uncertainty about the long-term validity of the EU Privacy Shield and EU contract clauses.

3. Insiders

Find out how your cloud providers restrict access to your data. Some cloud providers are mature and have implemented controls preventing the cloud operations staff (or subcontractors) from accessing your data without your knowledge and acceptance. You might be able to mitigate this risk by encrypting sensitive data in transit, in use and at rest. Unfortunately, it is not always possible to apply encryption sufficiently. Then you must log when data is being accessed by the cloud providers and ultimately trust the cloud providers.

4. Access control

Ensure that you have implemented sufficient access controls for the cloud service. The cloud service is often highly exposed on the network, which might require a strong authentication process to mitigate the risk of unauthorized access. Consider implementing multi-factor authentication (one-time passwords, text messages etc.) and location-aware authentication to strengthen the authentication process.

5. Data Deletion and Technical bugs

Ensure that your cloud providers have mature procedures for how to securely delete data media before they are reused by the next customer. There have been examples of cloud providers just removing pointers to data and not securely shredding the data itself. Cloud services are often designed as multi-tenant environments where multiple cloud customers share the same infrastructure and computing units. Technical bugs and faulty operation procedures constitute a risk to your data privacy.

6. Audit

Ensure rights to audit the cloud providers. Alternatively, be satisfied with the cloud providers’ compliance with one or more of the common audit and compliance frameworks. The Cloud Security Alliance (CSA) STAR program is one of the most recognized programs providing security assurance.


Continuous Compliance

New regulations such as the EU General Data Protection Regulation (GDPR) require all private businesses and public authorities to implement a level of IT security sufficient to protect personal data processed in the organization.

GDPR – Continuous Compliance is still a Challenge

Needless to say, the EU General Data Protection Regulation (GDPR) had a dramatic effect on the way that organizations were going to deal with the data of customers, employees, and others. The enforcement of GDPR forces organizations to (re-)evaluate their data management approaches to stay compliant and thereby avoid new fines and bad publicity.

Organizations of all sizes spent a massive amount of effort to document processes and data, build governance programs, and ensure their compliance with GDPR by May 25, 2018. However, it is also worth mentioning that working with personal data as a discipline was an immature process for many organizations, which is why most of them did just enough to become compliant by carrying out process mapping, creating procedures, and implementing awareness programs.

Continuous Compliance is still a Challenge

In March 2019, a Danish taxi company was reported to the Danish Data Protection Agency (DPA) for not deleting information when it was no longer necessary for the purpose it was collected for and was fined DKK 1.2 million. Since May 2018, more than 4,000 data breaches have been reported to the DPA, along with more than 5,500 incidents regarding Data Subject Rights (www.datatilsynet.dk).

Interestingly, most of the data breach incidents have been due to ‘human error’, such as wrong entries, lack of anonymization, copy/paste errors, etc. That raises the question of whether the organizations have done enough to educate employees in personal data handling.

The common training approach before the enforcement of the GDPR in May 2018 was to carry out different types of basic awareness training, internal procedure updates, and communication plans, often delivered with some gimmick (e.g. privacy screens, webcam filters etc.). However, organizations need to ensure that employees are reminded and tested regularly in the data privacy discipline and, furthermore, to share the benefits of staying in compliance and instill it into the culture.


The GDPR Journey goes on

The maturity of the GDPR journey can be divided into four steps: Diagnosis, Business Processes & IT Controls, Communication & Training, and Organizational Anchoring.

The first three steps can be argued to have been accomplished by organizations, but the fourth step, Organizational Anchoring, needs time to be implemented and must be anchored in the organization’s culture, which leads to the Personal Awareness Journey.

The Personal Awareness Journey goes from general Awareness to Ownership, where it can be fair to say that most employees are still around step 3 and have not fully changed behavior (Accepted) or taken Ownership of the changes. This probably requires some reintroduction of the GDPR and informing of what benefits the organization has gained and plans for further advancement. One success criterion for true ownership could be to measure the number of improvement ideas, both internal and customer facing.

(Re)-think Digital GDPR Compliance in your Business Processes

Due to multiple regulatory requirements, the compliance work is still handled manually or includes heavy paperwork. However, grounded on prior challenges, it can be ‘fruitful’ to think of technology to avoid and minimize human errors. One use case could be the use of chatbots, which are normally utilized for simple queries. Chatbots are becoming very common in different settings and they have also been used as GDPR lexicons for employees by answering questions with pre-defined answers. The next step would be to integrate the chatbots into the IT infrastructure; enhanced with Natural Language Processing (NLP) and coupled with Robotic Process Automation (RPA), they can handle more complex and time-consuming tasks, e.g. requests from Data Subjects.

Another use case in digital GDPR compliance could be the use of Optical Character Recognition (OCR) coupled with RPA for transforming paper-based documentation into digital automatic document processing and archiving. The above could help the organization remove both trivial and complex time-consuming tasks from employees and thereby reduce the human error factor, freeing up time for more value-adding assignments and continuous improvement activities. When considering Digital GDPR compliance:

• Explorative development: Start simple but with a bigger vision – a well-defined Proof-of-Concept (PoC) or Minimal Viable Product (MVP) would be ideal to test complexity and organizational adaptability, especially when introducing new technologies.

• Onboard employees: Remove uncertainty by welcoming and involving employees. New technology advancement could create anxiety and insecurity; therefore, involvement and empowerment would generate better meaning and anchoring.

• Continuous training: Make sure to train and retrain employees and communicate the benefits and common achievements to them. Ensure that the retraining is part of the annual compliance wheel and document it for inspection purposes.

Remember that no technology is bulletproof, and it needs to be adjusted to the individual organization. Nonetheless, it also needs to be handled in the right manner through proper governance.


Scale your Cybersecurity Strategy for an effective defense

The developments in cyberthreats require new ways of thinking in order to achieve effective security protection to avoid financial and reputational damage. NNIT offers a range of tailored security services to help businesses on their journey to achieving effective security protection.

NNIT is a full-range cybersecurity provider with a long and proven record of accomplishment. With deep roots in the pharmaceutical industry, we are highly experienced in delivering compliance management, servicing heavily regulated industries, and providing comprehensive business continuity management.

One of our key focus areas is to identify and secure critical customer data and infrastructure. As both supply chains and intellectual property become digital, the need to protect critical systems and data is imperative to ensure the reputation and continuity of the business.

NNIT can help you stay secure

At NNIT, we are dedicated to keeping our clients secure. Our security services range from Cybersecurity Consulting to fully managed security. We cover specialized topics such as Application Security, Regulatory Compliance, Identity & Access Management and Cloud Security.

Our specialized teams leverage their extensive experience and expertise to help your business address its unique cybersecurity risks. And NNIT’s Cyber Defense Center is ready 24/7 to assist you.


Do you have a question or need for personal guidance?

You are always very welcome to contact us for more information:

Esben Kaufmann, Head of Cybersecurity Consulting, [email protected]


About NNIT

NNIT A/S is one of Denmark’s leading IT service providers and consultancies. NNIT A/S offers a wide range of IT services and solutions to its customers, primarily in the life sciences sector in Denmark and internationally and to customers in the public, healthcare, enterprise and finance sectors in Denmark.

www.nnit.com

NNIT A/S Østmarken 3A DK-2860 Søborg Tel: +45 7024 4242

NNIT Switzerland Bändliweg 20 CH-8048 Zurich Tel: +41 44 405 9090

NNIT Germany c/o Regus Herriotstrasse 1 DE-60528 Frankfurt am Main Tel: +49 69 66 36 98 73

NNIT Czech Republic Explora Jupiter Bucharova 2641/14 2.NP CZ-158 00 Prague 5 Tel: +420277020401

NNIT USA 4 Research Way Third Floor Princeton New Jersey 08540 Tel: +1 (609) 945 5650

NNIT China 20th floor, Building A, Jin Wan Mansion, 358 Nanjing Rd. CN-Tianjin 300100 Tel: +86 (22) 5885 6666

NNIT Philippines Inc. 10/F, 2251 IT Hub 2251 Chino Roces Avenue Makati City 1233 Tel: +63 2 889 0999

NNIT United Kingdom c/o MoFo Notices Limited CityPoint One Ropemaker Street London