CogniDox and Information Security Management - a white paper


Last week we published a white paper entitled "CogniDox and Information Security Management" to our customer support site. It was written in response to questions received from our customers. To answer their questions, it had to be specific about what CogniDox does for information security. But we also found it had to be educational in a broader sense. So, we decided to publish it on our website to make it available to a wider audience.

You can find it in the Library section (under Documents) on our website or you can open/save the PDF file directly from this link.

Most companies are still unsure about the risk to their business associated with cyber attacks. They may read that cyber-crime costs the UK economy an estimated £19bn to £27bn every year. They see stories on one hand about lost or stolen USB drives or company laptops containing confidential data; and about sophisticated attacks by highly organised hacker gangs on the other. It can be hard to relate this wide spectrum of cyber-risk to the everyday operations of a high-tech business.

Some (wrongly) believe cyber-attacks are only a problem for large financial institutions, military, government, or mega-corporations. Verizon publishes an annual report called the Data Breach Investigations Report (DBIR). In the 2013 edition, it found 62% of data breaches happened to companies with fewer than 100 employees. It found that 20% of network intrusions involved manufacturing, transportation, and utility companies - the common motivation for these attacks is stealing intellectual property (IP).

One security firm that examines the so-called 'Dark Web' for evidence found over 100 million stolen user IDs and passwords in one month of analysis. A quick scan of our company website server logs reveals 6 suspect IP addresses probing and 32 rogue attempts to use SSH in just a one-week period. It takes just seconds for automated tools to scan your website looking for known vulnerabilities and weakly protected data. 86% of all websites investigated during 2012 had at least one serious vulnerability. Using these, an attacker could take control of a website and gain access to user accounts and sensitive data.
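The "quick scan of our server logs" above is the kind of check any administrator can automate. The following is an added example (not part of the white paper or of CogniDox itself) that counts failed SSH password attempts per source address from OpenSSH authentication log lines and flags addresses that exceed a threshold. The log lines are constructed for the example and use documentation-reserved IP ranges; the `FAILED_RE` pattern assumes the standard "Failed password for ... from <ip> port <n>" message format that OpenSSH writes to syslog.

```python
"""Count failed SSH login attempts per source IP from OpenSSH auth log lines."""
import re
from collections import Counter

# Constructed sample lines in the OpenSSH/syslog style (not real log data).
SAMPLE_AUTH_LOG = """\
Mar  3 04:12:01 web sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 04:12:03 web sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 04:12:05 web sshd[2214]: Failed password for root from 198.51.100.7 port 51250 ssh2
Mar  3 04:13:10 web sshd[2230]: Failed password for invalid user oracle from 203.0.113.9 port 40001 ssh2
Mar  3 04:15:44 web sshd[2250]: Accepted publickey for deploy from 192.0.2.25 port 60112 ssh2: ED25519 SHA256:abc
Mar  3 04:16:02 web sshd[2260]: Invalid user test from 203.0.113.9 port 40010
Mar  3 04:16:03 web sshd[2260]: Failed password for invalid user test from 203.0.113.9 port 40010 ssh2
"""

# Matches the standard OpenSSH failure message; "invalid user" is present when
# the account does not exist, absent when a real account was targeted.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def failed_logins_by_ip(log_text):
    """Return (Counter of failures per IP, dict of IP -> set of usernames tried)."""
    counts = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and other sshd messages are ignored
        ip, user = m.group("ip"), m.group("user")
        counts[ip] += 1
        users.setdefault(ip, set()).add(user)
    return counts, users


def suspect_ips(log_text, threshold=3):
    """IPs with at least `threshold` failed attempts, sorted for stable output."""
    counts, _ = failed_logins_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts, users = failed_logins_by_ip(SAMPLE_AUTH_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failed attempts, usernames tried: {sorted(users[ip])}")
    print("suspect (>=3 failures):", suspect_ips(SAMPLE_AUTH_LOG))
```

On a real host the input would be `/var/log/auth.log` (or `journalctl -u ssh` output) rather than the embedded sample. The threshold is deliberately a parameter: what counts as "rogue" depends on how many legitimate users mistype passwords, and the usernames tried (root, admin, oracle, test) are often a clearer signal of automated guessing than the raw count.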

What can we do about it?

You could try to lock down data storage even further, but that can deprive authorised users of legitimate data availability. With the trend among employees to 'bring your own device' (BYOD) still on the rise, it also looks like a forlorn hope. If you make it hard to access information in the official repository, it increases the odds that the information is 'temporarily' stored in Dropbox, or takes to the 'SneakerNet' via a USB flash drive.

You could try to improve your security training and awareness. The Guardian newspaper recently reported a survey of media professionals in which 70% said that they had received no training against cyber attacks. But some experts believe that training is a waste of time.

You can try to spot intrusion attempts at the earliest opportunity through network intrusion detection software, so that 'mean time to detection' is minimised. The problem is that it only protects against attacks on your network. Other types of vulnerabilities are still a threat.

The answer is that it requires a number of concerted actions to improve security. It is a spectrum of risk, and different security controls apply to different parts.

The white paper argues that the ISO/IEC 27001 information security standard currently offers the best framework for cyber security. It reviews ways for hardening IT security on Linux-based systems, and shows how applications such as CogniDox can use (and depend on) this functionality. That still leaves a major gap in solving the problems of Information Security. The white paper therefore concludes by demonstrating how security-related features in CogniDox can address these problems.


Tags: Compliance, Document Management and Control

Written by Paul Walsh

Paul Walsh was one of the founders of Cognidox. After a period as an academic working in user experience (UX) research, Paul started a 25-year career in software development. He's worked for multinational telecom companies (Nortel), two $1B Cambridge companies (Ionica, Virata), and co-founded a couple of startup companies. His experience includes network management software, embedded software on silicon, enterprise software, and cloud computing.
