Believing our company is immune from potential IT attacks is both naive and very dangerous for the security of partners, suppliers, employees and customers. Let’s take a look at what happens when our company falls victim to an attack of this kind.
The three conditions of IT data
Let’s start with an understanding of the properties of IT data, which in order to be secure, must meet three conditions:
- Integrity: is the data inviolate? In other words, we must consider whether the data in our possession have maintained their initial form and characteristics. The only way we can do this is by verifying any permission given to make changes to them.
- Accessibility: for each item of information, there are individuals authorised to use it. When this possibility is removed, forcefully and unlawfully, we have a problem.
- Confidentiality: whether the data are actually kept confidential must also be verified. It is sufficient to consider whether our information is reserved, as it should be, for those who have permission to use it.
When one of these points is compromised by an external activity, we have undergone an IT attack.
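As an added illustration of the three conditions (this is example code written for this page, not Alpenite's own tooling), the following Python snippet seals each record with an HMAC so that any unauthorised change is detected (integrity), and checks an explicit list of authorised users before releasing the payload (confidentiality and accessibility). The key, the record layout and the `authorised` field are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed example key; in practice this comes from a secrets store, never source code.
KEY = b"example-integrity-key-not-a-real-secret"


def canonical(record: dict) -> bytes:
    """Stable serialisation: the same content always yields the same bytes to tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over every field except the tag itself.
    Any later modification of the record invalidates the tag (integrity)."""
    body = {k: v for k, v in record.items() if k != "tag"}
    sealed = dict(body)
    sealed["tag"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return sealed


def verify(sealed: dict, key: bytes = KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the data were altered."""
    body = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(sealed.get("tag", "")))


def can_read(user: str, sealed: dict) -> bool:
    """Confidentiality/accessibility: only the listed users may use this record."""
    return user in sealed.get("authorised", [])


def read_record(user: str, sealed: dict, key: bytes = KEY):
    """Release the payload only if it is intact and the caller is authorised."""
    if not verify(sealed, key):
        raise ValueError("integrity check failed: record was modified")
    if not can_read(user, sealed):
        raise PermissionError(f"{user} is not authorised to read this record")
    return sealed["payload"]


if __name__ == "__main__":
    # Constructed sample record: a supplier bank detail with two authorised users.
    original = seal({"id": 42, "payload": "IBAN XX00 0000 0000", "authorised": ["alice", "bob"]})
    print(read_record("alice", original))          # intact and authorised -> payload returned
    tampered = dict(original, payload="IBAN XX99 9999 9999")
    print(verify(tampered))                        # False: integrity condition violated
    print(can_read("mallory", original))           # False: confidentiality condition holds
```

Note that the tag only proves the record has not changed since it was sealed; protecting the key itself (who may create new tags) is the "permission to make changes" the integrity condition refers to.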
Some types of IT attack
Although it is of course impossible to imagine the full range of the endless scam operations that might be invented, we can maintain close control over the possible “access routes” criminals might use, based above all on the standard attack methods generally used.
Phishing, DDoS attacks and data breaches
Phishing is perhaps the most widely used technique, and is based on the misappropriation of the digital identity of someone in the company. Criminals obtain a person's credentials by using deceptive e-mail messages that induce users to hand them over, for example by having them log onto a website that simulates a company system, or by pretending to be a colleague who has to deal with an emergency. This sets off a process of escalation that then allows the criminals to obtain credit card numbers and access to bank accounts.
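One concrete defensive check for the "website that simulates a company system" case, added here as example code (not part of the original article or of Alpenite's services): extract every link from an e-mail body and classify its host as the company's own domain, a lookalike of it, or an ordinary external site. The company domain `example-corp.com`, the sample e-mail and the edit-distance threshold of 2 are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed: the domains the company legitimately uses for its systems.
COMPANY_DOMAINS = {"example-corp.com"}
LOOKALIKE_MAX_EDITS = 2  # assumption: up to two character edits counts as a lookalike

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: last two labels of the host name."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as 'examp1e-corp.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'company', 'lookalike' or 'external' for the host of the given URL."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    if reg in COMPANY_DOMAINS:
        return "company"
    for legit in COMPANY_DOMAINS:
        # Company name used as a subdomain of someone else's domain.
        if legit in host:
            return "lookalike"
        # Typosquat of the registrable domain.
        if edit_distance(reg, legit) <= LOOKALIKE_MAX_EDITS:
            return "lookalike"
    return "external"


def triage_email(body: str) -> dict:
    """Map every URL in the message to its classification."""
    return {url: classify_url(url) for url in URL_RE.findall(body)}


if __name__ == "__main__":
    # Constructed sample message in the style described in the text.
    sample = (
        "Your mailbox is full. Log in at https://example-corp.com.secure-login.net/ "
        "or via https://portal.example-corp.com/login to keep access. "
        "Help: https://www.wikipedia.org"
    )
    for url, verdict in triage_email(sample).items():
        print(f"{verdict:10} {url}")
```

A message containing any `lookalike` link is the one to quarantine and report; the `company` links are what a legitimate notification would carry. The two-label heuristic in `registrable` is deliberately simple and would need a public-suffix list for domains such as `.co.uk`.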
Attackers can also take advantage of the weak points of a particular software to make their way into the repositories where information is stored, to hold the data hostage and prevent the company from accessing them unless a large amount of money is paid, for which there is no guarantee the data will be returned intact; the data could be tampered with, or worse, copied.
DDoS (Distributed Denial of Service) attacks consist of rendering one or more IT servers unavailable, thus effectively preventing processes from being carried out. Any attacker with sufficient expertise could enter our system by using spyware and malware in order to violate the integrity of data. This is what is known technically as a data breach.
To evaluate the current situation and the risk of a data breach, Alpenite offers companies a range of possible solutions to raise the necessary firewalls.
Cyber risk assessment
At this stage, our security experts carry out a check to assess which data are at the greatest risk, and the impact a data breach could have. In short, they consider the possibility of some data – the most vulnerable, of course – being attacked, and draw up a list of the possible consequences. Based on this, consideration can be given to possible countermeasures.
This stage literally involves doing what hackers do, attempting to tamper with the system in every way that can possibly be imagined, in order to highlight any failings or weaknesses. This stage consists of seven steps:
- Scanning the network
- Listing vulnerable points
- Analysis of vulnerable points
- Access to the system
- Maintaining access to the system
Analysing user awareness
Analysing user awareness is important to understand how attentive and sensitive users are to the issue, and their knowledge of possible prevention techniques. This stage can be carried out using questionnaires, or fake spam campaigns to assess reactions, and also through gamification (a light, entertaining, interactive approach).
This is the most powerful weapon of all for companies to prevent data breaches: information. Staff are engaged in a series of workshops in which they learn more about the dangers connected with data breaches, and are taught the skills needed to contain any risky behaviour.