Set up a Process
We’ll be happy to help you set up your own vulnerability management process. It will be tailored to your systems, structures and requirements.
IT Security, Cyber Security or Internet Security: all these terms seem similar; however, there are subtle differences. Generally, IT Security is defined as the protection of IT systems against damage and risks.
This applies to everything from single files to computers, networks and cloud services, up to whole data centers. Cyber Security extends IT Security to the overall cyber space.
As most systems are connected to the Internet nowadays, IT Security and Cyber Security are often used interchangeably. IT Security and Cyber Security cover all technical and organizational measures to defend systems from cyber attacks and other threats.
This includes access controls, cryptography, rights management, firewalls, proxies, virus scanners, vulnerability management and much more. The term Internet Security is specifically related to the protection against dangers from the Internet.
Table of Contents
1. Information Security
2. Questions on IT Security
3. Paradigm Shift – From IT Security to Cyber Resilience
Often, IT Security and Information Security are used interchangeably. However, strictly speaking, IT Security is only a partial aspect of Information Security. While IT Security is focused on the protection of technical systems, Information Security comprises the preservation of information in general. This information can also exist on non-technical systems such as paper. The protection goals of Information Security are to ensure the confidentiality, integrity and availability of information. Suitable measures can be found, for example, in the internationally valid ISO/IEC 27000 series of standards. In Germany, the IT-Grundschutz of the Federal Office for Information Security (BSI) serves as a guideline for Information Security. An important component is the establishment of an Information Security Management System (ISMS). For this reason, Greenbone is certified both for its ISMS (ISO 27001) and for its Quality Management (ISO 9000).
More about: https://www.greenbone.net/en/iso-certification/
Information Security for protecting sensitive patient data – @ nimon_t – #87948311 – stock.adobe.com
Data Security has the aim to secure the confidentiality, integrity and availability of data. In contrast to data protection, it is not restricted to personal data but includes all data. Confidentiality means only authorized individuals are able to access the data. Integrity means the data was not manipulated or damaged. The availability refers to the fact that the data can be used when it is needed. To establish Data Security, different technical and organizational measures are required, e.g., access controls, cryptography or redundant storage systems.
An Information Security Management System (ISMS) is not a technical system but defines rules and methods for ensuring, checking and continuously improving Information Security. Amongst other things, this includes the determination and evaluation of risks, the specification of security goals as well as a clear definition and documentation of responsibilities, communication channels and processes. The requirements for an ISMS are regulated in the ISO 27001 standard. An ISMS is an important component of a comprehensive IT security concept.
Systems for Information Security can serve the central control of rail transport – @ chungking – #70423572 – stock.adobe.com
Cyber Resilience is understood as the ability of a company or an organization to maintain its business processes despite adverse cyber circumstances. These can be cyber attacks but also unintentional obstacles such as a failed software update or human error. Cyber Resilience is a comprehensive concept exceeding IT Security. It combines the areas Information Security, business continuity and organizational resilience. To achieve a state of Cyber Resilience, it is important to identify vulnerabilities at an early stage, to prioritize them economically and to remove them.
IT is a central element of every company and forms the basis for almost all business processes. Without it, nearly nothing works anymore. In the worst case, IT disruptions can stop the whole business, leading to huge economic and reputational damage. Hence, it is essential for companies to secure their IT systems and protect them against cyber risks and cyber attacks. Greater interconnection also leads to a larger attack surface: each connected device is a potential gateway for cyber criminals, increasing the risk of being attacked.
IT Security for ensuring digital linkage – @ Sashkin – #195865436 – stock.adobe.com
Information is one of the most valuable company assets. Nowadays, it is mostly present as digital data within IT systems, where it is stored, transported and processed. However, it can also be put down on paper or passed on verbally. If information is lost, stolen, manipulated or no longer usable, the consequences for companies can threaten their existence. For this reason, it is important to ensure adequate Information Security that preserves the confidentiality, integrity and availability of information.
If the availability, confidentiality and integrity of information are affected, serious consequences may result. For example, due to an attack, sensitive data can fall into the wrong hands, whether personal data or business secrets. Hackers are able to carry out industrial espionage, steal the identities of individuals, abuse credit card information and much more. The manipulation of data can lead to incorrect transactions, production errors or wrong analysis results. If data is not available, business processes that rely on data processing are affected as well. In such cases, orders cannot be placed or production machines stop.
Cyber criminals are a constant threat to IT Security – @ Gorodenkoff – #164586542 – stock.adobe.com
Cyber criminals constantly develop new attack methods and become smarter. Nowadays, they are usually organized professionally and work with the latest technology. Thus, IT Security is a permanent race against growing threats. Common attack methods are:
Advanced Persistent Threats (APT) are targeted cyber attacks that are tailored to chosen victims or victim groups and work with advanced methods. Attackers gain permanent access to a network and then expand this access to other systems. To do so, cyber criminals often implant malware.
The term “malware” includes all types of computer programs that run undesirable or harmful operations on a system, e.g., viruses, worms and Trojans.
Ransomware is malware that encrypts a system and only enables access to the data again if the victim pays a ransom. This type of malware has become particularly popular in recent years. Known examples are the crypto Trojans WannaCry and Petya. Common distribution channels for ransomware are spam mails, phishing and drive-by exploits. The latter take advantage of vulnerabilities in browsers, browser plug-ins or operating systems.
Spam describes undesirable e-mails and is a popular method to distribute malware. Phishing e-mails are a special type of spam. They are meant to convince a user to carry out a certain action, for example revealing login data or installing malware.
Cyber criminals integrate other people's computer systems into botnets: an amalgamation of compromised PCs they can control remotely like robots and misuse for their purposes. For that, the computers are infected with malware. A common use of botnets is Distributed Denial of Service attacks (DDoS).
Distributed Denial of Service attacks intend to paralyze a service or server. Mostly this happens by hackers sending vast amounts of requests to the server via a botnet, overloading the server and making it inoperative.
Cyber criminals often exploit vulnerabilities in software or hardware for their attacks. Thus, it is essential for IT Security to recognize and eliminate such vulnerabilities. An important measure, for example, is installing current updates and patches promptly to close security holes.
To minimize IT risks and to provide IT Security, companies have to introduce both technical and organizational measures. First of all, a process and vulnerability analysis is important. It serves to identify which processes are particularly essential for the company, which vulnerabilities exist, how likely it is that the vulnerabilities will be exploited and which damage this may cause. It will never be possible to eradicate all IT risks. Instead, good risk management is required: companies have to evaluate risks and reduce them according to their priority.
IT Security at the German Bundeswehr – @ Gorodenkoff – #161860908 – stock.adobe.com
IT Security and Information Security are not only a matter of technology. In fact, humans are the biggest vulnerability. Cyber criminals take advantage of this, for example by gaining network or system access using social engineering or phishing. For this reason, it is important to train employees and to raise their awareness of IT risks and IT Security. Online training courses with interactive exercises are advisable. Employees are able to complete them independently at any desired time and receive direct feedback from the interactive components. In this way, a fast learning effect is achieved.
Data plays a key role for a successful digital transformation. Based on data, companies are able to gain knowledge, derive action recommendations and develop new business models. The ability to collect and evaluate data and to use it correctly is significant for success. Because of this, it is essential for companies to protect the confidentiality, integrity and availability of their data.
IT Security in control centers – @ Gorodenkoff – #184811629 – stock.adobe.com
Why does my company need IT security?
Today, IT is a central component of every company and forms the basis for almost all business processes. In the worst case scenario, IT disruptions can bring the entire business to a standstill, which can lead to major economic damage. Therefore, secure your IT systems and protect them against cyber risks and cyber attacks. In addition, increasing digitalization and networking are also increasing the attack surface, which increases the risk of attacks.
What is the difference between IT security, information security and data security?
IT security is the protection of IT systems – from individual files to computers, networks and cloud services through to data centers – against damage and threats. Cyber security extends IT security to the entire cyberspace. IT security is a sub-aspect of information security. While IT security refers to the protection of technical systems, information security is generally concerned with the protection of information. The aim of data security is to ensure the confidentiality, integrity and availability of data. In contrast to data protection, it is not limited to personal data, but extends to all data.
How can I implement IT security in my company?
Both technical and organizational measures are necessary to minimize IT risks and ensure IT security. First of all, a process and vulnerability analysis must be carried out to determine which processes are particularly important for the company, which vulnerabilities they have, how great the risk is that these vulnerabilities will be exploited and what damage can be caused as a result. You can never eliminate all vulnerabilities. Companies must therefore assess and prioritize risks.
IT security and information security are not just a question of technology. People are the biggest weak point. It is therefore important to train employees and raise their awareness of IT risks and IT security.
What impact does an attack have on my company’s IT security?
In the event of an attack, the availability, confidentiality and integrity of information can be severely compromised – with significant economic consequences. If personal data or company secrets fall into the wrong hands, the consequences can be industrial espionage, identity theft or credit card misuse. Losses can also occur if data is not available. If data can no longer be processed, this can mean, for example, that production can no longer take place.
What methods and means of attack threaten IT security?
Cyber criminals today are usually professionally organized and are constantly developing new methods of attack. Malware, for example, can carry out unwanted or harmful actions on the target system, as is the case with viruses, worms or Trojans. Ransomware, on the other hand, uses malware to encrypt a system and blackmail a victim into releasing the system only against payment of a ransom. Social engineering, in which attackers pretend to be trustworthy or known to the victim, is also widespread. One form is phishing, where the victim is tricked into performing certain actions, such as unknowingly installing malware. These are just some of the many methods cyber criminals use to threaten IT security.
Considering the growing threat situation, companies have to strive for sustainable Cyber Resilience. This means preventing attacks where possible, reacting fast in case of a security incident and maintaining business operations without major damage. To gain Cyber Resilience, companies have to take suitable technical and organizational actions, e.g., hardening the company IT and reducing the attack surface.
Cyber Resilience includes Cyber Security, but goes even further. While Cyber Security mostly concentrates on technical measures, Cyber Resilience is a comprehensive, more strategically oriented concept. In the past, Cyber Security was usually reactive. Nowadays, this is no longer sufficient. Companies have to face IT risks preventively. A paradigm shift is necessary: from Cyber Security to Cyber Resilience.
The steps leading to Cyber Resilience start with risk management. Companies have to evaluate and prioritize IT risks, deciding which they must protect themselves against at all costs and which they may accept. IT risks can never be eliminated completely, because protection measures have to be weighed against economic efficiency and must not disrupt running business operations. Building a large barrier around IT would not be useful and would reduce flexibility. IT risks have to be managed instead.
The basis of IT risk management is an analysis of the business processes and their vulnerabilities. Which are the most important assets of a company, what damage could an attack cause to these assets and how likely is such an attack? A risk evaluation with the levels low, medium and high results from the relation between possible damage and probability of occurrence. Companies should then prioritize and reduce the risks according to this rating.
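The evaluation just described, as an added worked example (not Greenbone code): each identified vulnerability is rated for possible damage and probability of occurrence on a three-step scale, the relation between the two yields a low/medium/high level, and the register is ordered so that the risks to reduce first come first. The assets, vulnerabilities and ratings below are constructed for illustration, and the rule that only low risks may be accepted is an assumption.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    asset: str          # business asset or process at stake
    vulnerability: str  # weakness that could be exploited
    damage: int         # possible damage: 1 = low, 2 = medium, 3 = high
    probability: int    # probability of occurrence: 1 = low, 2 = medium, 3 = high

    def __post_init__(self) -> None:
        # Reject ratings outside the three-step scale early.
        for name in ("damage", "probability"):
            if getattr(self, name) not in (1, 2, 3):
                raise ValueError(f"{name} must be 1, 2 or 3")

    def score(self) -> int:
        """Relation between possible damage and probability (1..9)."""
        return self.damage * self.probability

    def level(self) -> str:
        """Collapse the score onto the three levels low, medium and high."""
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"

    def treatment(self) -> str:
        """Assumed policy: low risks may be accepted, all others must be reduced."""
        return "accept" if self.level() == "low" else "reduce"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Order the register highest score first; ties are broken by damage,
    because a high-damage event deserves attention even when it is less likely."""
    return sorted(register, key=lambda r: (r.score(), r.damage), reverse=True)


# Constructed register for illustration only
REGISTER = [
    Risk("Order processing", "unpatched web application", 3, 3),
    Risk("Payroll file share", "missing access controls", 3, 1),
    Risk("Test lab VM", "default password", 1, 2),
    Risk("Mail gateway", "no spam filtering", 2, 2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.level():6} {r.treatment():6} {r.asset}: {r.vulnerability}")
```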
Good risk management goes hand in hand with compliance management. Compliance is understood as the observance of rules. These can be legal requirements, ethical principles or corporate regulations. A compliance violation is a risk companies have to take into account when carrying out risk management. The introduction of a Compliance Management System (CMS) is recommended. It defines processes, measures and structures to ensure compliance.