Interview: Every information system is vulnerable, without exception

Security assessments of IT systems in an age of e-commerce are becoming a necessity. In an interview for the financial newspaper Finance, our experts on information security Jan Bervar and Matevž Mesojednik explain which security threats companies are facing today and how to manage information security risks.

New cases of cyber attacks on companies and various systems are becoming almost daily news. Are cyber criminals particularly skilled, or do companies have truly poor security mechanisms?

Bervar: The problem is mainly weak security. Often, companies are not even aware of potential consequences of cyber crime; their security measures only go as far as having a firewall and an antivirus. Numerous companies specializing in digital security, on the other hand, do not have enough time or resources to deal with such issues, which leaves ample opportunity for potential cyber criminals.

Which companies are facing the greatest risk? Are cyber criminals directing their efforts towards any particular industries?
Bervar: Today’s cyber criminals target almost every organization, irrespective of industry or branch. They don’t mind who their target is. However, some industries, e.g. commerce, the energy and financial sectors, are generally less protected against intrusions. Even companies that consider themselves too small or unappealing to hackers are at risk. Modern attacks are targeted at everyone – by casting a wide net, attackers are grabbing every opportunity to pocket at least a few tens of thousands from data theft and/or blackmail. In Slovenia, the state response team SI-CERT handled approximately two thousand security incidents last year. At least, that was the number of reported incidents. In practice, that number is considerably higher, since in many companies such attacks go undetected, or companies fail to report them.

Can security assessments prevent cyber attacks?
Mesojednik: Yes. Security assessments enable us to detect and eliminate critical security vulnerabilities before attackers even have a chance at them. Organizations that perform a security assessment and eliminate any potential vulnerabilities will handle attacks significantly better, sustaining less or even no damage, whereas uninspected systems face the full-scale consequences. Security assessments are an important part of every IT system’s operation, since such systems are constantly changing, adapting to business processes and user needs. And since we’re the ones who designed the IT system, and are unaware of our own human errors, it is recommended to let someone else perform the security assessment – someone who will approach this task with a different perspective. So it makes sense that security assessments are performed by external security experts.

Does this mean that a security assessment attempts to intrude into the system the same way a real attacker would?
Mesojednik: Exactly. However, this is done in a careful and controlled way. The primary purpose of a security assessment is to measure the resilience of the system to potential business damages resulting from attacks. Based on the results, we assess business risks and prepare detailed guidelines for preventing any future damages. A successful security assessment needs an expert who knows both sides of the field: both leading-edge intrusion techniques and ways of defending yourself from such attacks. NIL performs security assessments around the globe, which enables us to closely monitor what the world of cyber crime is up to. Often, we’re able to detect new threats before they even reach Slovenia.

Are all security assessments the same? How to choose a suitable provider?
Mesojednik: The expertise of the engineers performing the assessments and their ability to successfully take on the role of attackers are crucial. But mostly, they need to get to know their client and their business processes. Handing them a list of technical vulnerabilities is of little use to companies if this list does not reflect potential business damages and client-specific risks.

How would you assess information security in Slovenian companies?
Bervar: I see two major problems making security levels in Slovenian companies unsatisfactory. Smaller organizations lack knowledge of data security, while larger organizations are managing extremely complex systems, which makes it difficult for them to detect potential intrusion points. At NIL, we have always taken the following approach, for small and large organizations alike: we quickly eliminate critical vulnerabilities and keep performing this procedure until we’re all satisfied with the company’s level of resilience to cyber crime.