
INFORMATION SECURITY: THREATS AND COUNTERMEASURES

Information, according to the Merriam-Webster dictionary, is “the communication or reception of knowledge or intelligence”. It is also defined as “knowledge obtained from investigation, study or instruction” and likened to facts, data and intelligence. Information Security (sometimes shortened to IS or InfoSec) is the practice of preventing unauthorized access, use, disclosure, modification, inspection or destruction of digital and non-digital information.

There are several techniques or methods of social engineering used to attack sensitive, private and confidential information. Some of these are:

Phishing and Spear Phishing: phishing focuses on sending out large numbers of generalized e-mails in the expectation that only a few recipients will reveal private information or data. Spear phishing e-mails require the attacker to research their targets in advance in order to trick them into performing the requested actions.

Voice phishing, also called vishing, uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank’s or other institution’s IVR system. The victims are told to call the bank on a number provided in order to verify information. The victims receive the message via e-mail, and more advanced systems transfer the victim to the attacker/phisher, who poses as a customer service agent or security expert to question the victim further.

Watering Hole: a computer attack strategy in which the attacker guesses or observes which websites a particular group, organization, industry or region often uses and infects one or more of them with malware so that members of the group become infected. Relying on websites that the group trusts makes this strategy effective, even against groups that are resistant to spear phishing and other forms of phishing.

Online Baiting exploits human curiosity. Attackers create malware-infected floppy disks, CD-ROMs or USB flash drives, give them legitimate-looking labels that make people curious enough to plug them into a system, and leave them in locations where the targets will find them. Inserting the media into a computer installs malware, giving the attacker access to the victim’s PC and possibly the target company’s internal network.

Quid Pro Quo Social Engineering Attack, aka “something for something”: a strategy in which the attacker creates or causes a problem for the victim, then contacts the victim pretending to be a technical support officer, agent or someone else who can help. The attacker eventually helps the victim get rid of the problem, but in the process asks the target to enter commands that launch malware or give the attacker access.

Fortunately, there are several ways to prevent or mitigate these attacks, including:

  • Implement data classification in the organization and grant privileges only on a “need to know” basis.
  • Identify which information is sensitive and evaluate its exposure to exploiters and to breakdowns in security systems.
  • Establish security protocols, policies and procedures for handling sensitive information.
  • Train employees in the security protocols relevant to their position. If a person’s identity cannot be verified, employees must be trained to politely refuse.
  • Specify, and train personnel on, when, where, why and how sensitive information should be handled.
  • Perform unannounced, periodic tests of the security framework.
  • Prevent social engineering and other fraudulent tricks or traps by instilling a resistance to persuasion attempts through exposure to similar or related attempts.
  • Enforce approved, regular software updates and patches.
  • Install shredding machines in sensitive areas.
  • Don’t throw away or discard old disks carelessly. Ensure proper procedures are maintained for the disposal of old computer systems.
  • Conduct security awareness seminars for all staff and vendors who must work within your network.
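The first item in the list, data classification combined with “need to know” access, is the one most directly enforceable in code. The following is an added example, not code from the original article: a minimal access-decision model in which every record carries a sensitivity level and a set of compartments (projects or business areas), and every user holds a clearance level and the compartments they are authorized for. Access is granted only when the clearance dominates the record’s level and the user holds every compartment on the record, so a high clearance alone is not enough. The level names, users and records are constructed sample data.

```python
"""Data classification with a need-to-know rule (added example, not from the article).

A user may read a record only if
  1. the user's clearance level is at least the record's sensitivity level, and
  2. the user holds every compartment the record is tagged with (need to know).
Every decision also yields a reason string suitable for an audit log.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Ordered sensitivity levels; a higher index means more sensitive. Constructed names.
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass(frozen=True)
class Record:
    name: str
    level: str
    compartments: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    compartments: frozenset = field(default_factory=frozenset)


def _rank(level: str) -> int:
    """Map a level name to its position in LEVELS; reject unknown labels loudly."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    return LEVELS.index(level)


def access_decision(user: User, record: Record) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason is what you would write to the audit log."""
    if _rank(user.clearance) < _rank(record.level):
        return False, f"clearance {user.clearance!r} is below record level {record.level!r}"
    missing = record.compartments - user.compartments
    if missing:
        # Clearance is sufficient but need-to-know is not: deny and name the gap.
        return False, f"no need-to-know for compartment(s) {sorted(missing)}"
    return True, "clearance and need-to-know satisfied"


def can_read(user: User, record: Record) -> bool:
    """Boolean form of access_decision for callers that only need the verdict."""
    return access_decision(user, record)[0]


def visible_records(user: User, records: Iterable[Record]) -> List[str]:
    """Names of the records this user is allowed to read, in input order."""
    return [r.name for r in records if can_read(user, r)]


# Constructed sample users and records (hypothetical names).
ALICE = User("alice", "confidential", frozenset({"payroll"}))
BOB = User("bob", "restricted", frozenset({"payroll", "merger"}))
RECORDS = [
    Record("staff-handbook", "public"),
    Record("payroll-summary", "confidential", frozenset({"payroll"})),
    Record("merger-memo", "confidential", frozenset({"merger"})),
    Record("board-minutes", "restricted", frozenset({"merger"})),
]

if __name__ == "__main__":
    for user in (ALICE, BOB):
        for rec in RECORDS:
            allowed, reason = access_decision(user, rec)
            print(f"{user.name:>5} -> {rec.name:<16} {'ALLOW' if allowed else 'DENY ':5} ({reason})")
```

Run as a script it prints a decision and reason for every user/record pair; alice sees only the handbook and the payroll summary, because the merger memo is at her clearance level but outside her need-to-know, while bob sees all four. The reason strings are deliberately specific so that reviewing denied-access logs shows whether an access attempt failed on level or on compartment.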

Companies should thoroughly monitor their websites and networks and block any traffic in which malicious content is detected. Often, employees become the moles who create the loopholes that leak information. It is advised that a non-disclosure agreement be signed annually to keep sensitive information undisclosed and make employees more responsible for its safety. Be wise in handling information and smarter in disclosing it.
