As a company whose teams work remotely and, increasingly, from other countries, information security at AMC Bridge is critically important for steady business. In this article, Oleh Mazulevskyi, Information Security Specialist, explains what information security is in 2022, what requirements it puts upon business, and why information security rules shouldn’t be ignored.
The cost of information, as well as the cost of its loss, keep increasing
Society is constantly changing and transforming from an industrial one into an information one. As a result, the cost of information increases significantly. The phrase “Who owns the information, he owns the world” is no longer an exaggeration. Therefore, information security is a pressing question in relations between people, companies, and even countries.
The information resource of either AMC Bridge or any other company is one of its most valuable assets. Information—that’s what our teammates produce, for example, the knowledge of how certain things, conversions, and transformations are done. Through the company’s procedures, this information further transforms into engineering software—the results of the company’s efforts. Along with that, the importance of sensitive information (information about a person) and the significance of financial information (what was bought/sold, how much it costs, how much we earned, what accounts were used, and with what authentication information they were accessed) should be mentioned.
To put it simply, the full set of means and measures for preventing the disclosure of sensitive data is information security.
Passwords and a VPN are only individual, visible elements of the measures that protect information and ensure its security.
When we speak of the whole set of measures for maintaining information security, we mean protecting the properties of information: confidentiality, integrity, and availability. Those properties should be protected in three main states: transmission, storage, and processing. Protection is carried out along the following lines: personnel training, implementation of security hardware, and regulation of actions with information (at the company and government levels).
These three areas—properties, states, and measures—establish a modern approach to ensuring information security, which is called the Cybersecurity Cube. And there are multiple ways of implementing its intersections.
Cases
Now I’ll tell you about the most high-profile cases caused by violating information security rules.
2017 is known for two massive hacker attacks: WannaCry and NotPetya. In the NotPetya case, the malware was delivered using a method known as a supply chain attack. Insufficient attention to information security at one of the product companies resulted in malicious code being added to one of its software releases. Thus, when clients received system updates, they installed updated software containing the malware. And since the company developed software for the financial reporting sector, the malware spread widely.
As a result, the attackers got access to the data of all companies that installed the “updates”. Moreover, to cover their tracks, they conducted a file-encrypting ransomware attack with a fake ransom demand. It’s a clear example illustrating the value of information security at all stages of the information life cycle.
Further examples illustrate the consequences of using malicious software. For instance, a well-known torrent program may cause not only a data breach on the user’s side but also leakage of information about the network and the information security system. If one takes into account that uTorrent, the most popular client, was created by russians, it should be considered a direct threat to information security. Why? Let’s think.
The client is closed-source and free to use. It gives a user wide opportunities for file sharing. But how do the developers benefit from it? At a minimum, they receive advertising revenue. Given that the network contains numerous connections that are difficult to track and provides access to data storage, it’s also a good cover for accessing and stealing data, even in large amounts.
Another example of malicious software is Punto Switcher, a program that automatically switches the keyboard layout. In private communities, it is usually described as malicious software used as a keylogger (in its settings, a checkbox enables intercepting entries containing more than one word and uploading them to the cloud). A deeper study of Punto Switcher revealed that the program transmits data to clouds. One more reason to get you thinking is that it was also developed by russians.
I gave only two examples, but there is much more malicious software out there. That’s why, at AMC Bridge, we established a policy requiring prior approval from the IT department for all software installed on work laptops.
Expansion of AMC Bridge geography, the war in Ukraine, and new clients’ requirements are the challenges we have to tackle
Currently, AMC Bridge is moving toward implementing the requirements of, and certification under, the ISO 27001 standard. Apart from the extensive work that has already been done, a large scope of tasks remains. For example, expanding the AMC Bridge team into European countries entails the need to follow the information security standards established in the European Union, particularly GDPR. As a result, security measures should be strengthened, and we’ll do our best so that they have a minimal impact on the usual operations performed by team members.
One such change is increasing the minimum password length for accounts to enhance their protection. Processors are getting faster, and password-cracking tools are getting better. Nowadays, a password that consists of 8 characters and contains lowercase letters, at least one uppercase letter, and one number can be broken in one hour. And that’s not even the whole story. If hackers use not one computer but a distributed system, it will happen much faster. The table shows the time required to try all possible combinations; in other words, it is the maximum time within which the necessary password will be found. At the same time, a 12-character password containing lowercase letters, at least one capital letter, one digit, and one symbol would take a computer 34,000 years to break (at the current stage of computer technology development). And even when cracking passwords in parallel, a hacker will fail to achieve the intended goal while the password is still valid. However, we shouldn’t exclude the probability of guessing a password by chance before all attempts are exhausted. Therefore, password strength should be ensured by a margin many times greater than its cracking time.
Source: statista.com
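The reasoning behind the table, as an added illustration that is not AMC Bridge’s code: the worst-case time to try every candidate is the keyspace divided by the guess rate, and the same formula, run backwards, gives the minimum length a policy needs. The guess rate (1e11 guesses per second) and the 32-symbol set are assumptions, so the figures differ from the table’s, but the order of magnitude and the 1000-fold effect of a distributed attacker are what the paragraph describes.

```python
"""Worst-case brute-force search time for a password policy.

Added example; the guess rate and symbol-set size are assumptions,
not values taken from the statista.com table referred to in the text.
"""

# Assumed sizes of the character classes used in the article's table.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}  # 32 symbols is an assumption
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(length, classes):
    """Number of candidate passwords for the given length and character classes."""
    alphabet = sum(CLASSES[c] for c in classes)
    return alphabet ** length


def max_crack_seconds(length, classes, guesses_per_second):
    """Upper bound: time to try every candidate at a fixed guess rate."""
    return keyspace(length, classes) / guesses_per_second


def min_length_for_margin(classes, guesses_per_second, validity_seconds, margin):
    """Smallest length whose exhaustive search takes at least `margin` times
    the password's validity period; this is how a minimum-length rule is derived."""
    length = 1
    while max_crack_seconds(length, classes, guesses_per_second) < margin * validity_seconds:
        length += 1
    return length


def describe(seconds):
    """Human-readable duration for a report."""
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    RATE = 1e11  # assumed guesses per second for a single cracking rig
    short = ("lower", "upper", "digit")
    full = ("lower", "upper", "digit", "symbol")
    print("8 chars, letters+digit:", describe(max_crack_seconds(8, short, RATE)))
    print("12 chars, all classes: ", describe(max_crack_seconds(12, full, RATE)))
    # A distributed attacker with 1000 rigs shrinks every figure 1000-fold.
    print("12 chars vs 1000 rigs: ", describe(max_crack_seconds(12, full, RATE * 1000)))
    # Policy: password valid for 90 days, with a 1000x margin over that period.
    print("minimum length for policy:", min_length_for_margin(full, RATE, 90 * 86400, 1000))
```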
Without a doubt, the war in Ukraine has increased clients’ attention to information security. Even our long-standing clients have surveyed us on information security. In turn, AMC Bridge holds detailed consultations with each client, during which the parties agree upon mutual implementation of information security requirements.
“The strength of the weakest component defines the strength of the whole security system”
Compliance with security measures requires efforts from all team members. And it is not only about information protection. The following principle can be applied here: the strength of the weakest component defines the strength of the whole security system. Sometimes it is enough to disregard security rules even once to destroy the whole security system of the company.
To help our colleagues and raise awareness about information security among them, we’ve launched a cybersecurity course. It contains the basic knowledge required for safe and efficient operation under current conditions (remote mode of work, martial law in Ukraine, malicious activity around the entire world and, particularly, in Ukraine). What’s for sure is that we are heading in the right direction, and AMC Bridge’s information security is getting stronger.
Sometimes it might seem that nothing bad happens if the rules of information security are disregarded. But this is not so. I think nobody will share their ATM card PIN with the “bank security service” that calls from an unknown phone number. Also, nobody will leave the apartment keys under the doormat near the front door. Otherwise, the consequences will not be long in coming.
That’s why I recommend following certain rules in cyberspace: create strong passwords and keep them secret, ensure information security while storing, processing, and transmitting data, avoid visiting potentially malicious websites, and so on.