Effectiveness of Security Policy
The increase in the number and type of cyber-threats that can put companies at risk pushes them to lock down and enhance the security of their networks. One aspect of a network's overall security is a good software/equipment installation and update policy. When it comes to installing or updating software, setting up an appropriate security policy can help to minimize the risk of loss of program functionality, the exposure of sensitive information contained within the computing network, the risk of spreading malware across the company network, and the legal exposure of running nonapproved and unlicensed software. In particular, an effective security policy can help to mitigate and limit the impact of the following cyber-threats:
Malware, Malicious Software, Email Malware
An effective security policy can help to mitigate and limit the impact of malware by preventing employees from accidentally causing malware to spread throughout the organization. More specifically, a security policy will prove effective if it restricts end-users of devices from installing nonapproved applications from the Internet. Since employee devices are connected directly to the World Wide Web, organizations should dedicate time and effort to training employees and contractors in activity that does not put IT systems at risk [19]. Accordingly, users should be made aware of potential threats and learn about the responsibilities or restrictions associated with installing unauthorized software. Nonapproved software should be identified by authorized tools and prevented from execution. In general, software should be tested against updated lists of recognized programs and services that are malware-clean, backdoor-clean and that adhere to security standards [90, 91].
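The "updated list of recognized programs" above is, in practice, an allowlist keyed on cryptographic hashes of approved builds. The following is an added illustration (not code from the chapter or from any product it cites) of such a check: the manifest and the sample builds are constructed, and the three verdicts distinguish nonapproved software from an approved program whose bytes no longer match the approved build.

```python
"""Hash-based software allowlist check (constructed example)."""
import hashlib
import hmac

# Constructed approved-software manifest: the policy's list of recognized programs.
# In practice this list would be signed and distributed by the security team; here
# the hashes are computed from constructed sample builds so the example runs offline.
SAMPLE_BUILDS = {
    "inventory-client": b"approved build 2.1 of inventory client\n",
    "pos-updater": b"approved build 1.4 of POS updater\n",
}
APPROVED_MANIFEST = {name: hashlib.sha256(data).hexdigest()
                     for name, data in SAMPLE_BUILDS.items()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_install(name: str, data: bytes, manifest: dict) -> str:
    """Policy decision for one installation request.
    ALLOW          - program is on the list and its bytes match the approved build
    DENY_UNKNOWN   - program is not on the approved list (nonapproved software)
    DENY_MODIFIED  - name is approved but the bytes differ (tampered or outdated build)
    """
    expected = manifest.get(name)
    if expected is None:
        return "DENY_UNKNOWN"
    # constant-time comparison of the hex digests
    if hmac.compare_digest(sha256_hex(data), expected):
        return "ALLOW"
    return "DENY_MODIFIED"


def audit_requests(requests, manifest):
    """Evaluate a batch of (name, bytes) requests; return all verdicts plus a
    denial log the security team can review."""
    verdicts, denials = [], []
    for name, data in requests:
        verdict = check_install(name, data, manifest)
        verdicts.append(verdict)
        if verdict != "ALLOW":
            denials.append(f"{verdict}: {name} sha256={sha256_hex(data)[:16]}...")
    return verdicts, denials


if __name__ == "__main__":
    constructed_requests = [
        ("inventory-client", SAMPLE_BUILDS["inventory-client"]),
        ("pos-updater", SAMPLE_BUILDS["pos-updater"] + b"extra bytes"),
        ("free-screensaver", b"downloaded from the internet\n"),
    ]
    for line in audit_requests(constructed_requests, APPROVED_MANIFEST)[1]:
        print(line)
```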
Another issue that needs to be addressed in security policies is the filtering of Internet access and email; that is, blocking access to known malicious sites so that employees cannot download malware that can then spread throughout the organization's network [91]. According to [92], as of 2020, 94% of malware is delivered via email. Malware emails can cause security breaches through macro viruses or malicious links. Good practices such as email filters can block email containing malicious attachments and prevent malware activity. It was also found that hackers prefer targeting high-ranking employees to steal data, because of their privileged access rights to systems [91].
Use of Nonapproved Hardware
An effective security policy can help to mitigate and limit the impact of threats related to nonapproved hardware. In fact, hardware-related threats have been present for a long time in the security landscape, with attackers exploiting existing technology to perform new types of attacks. New advancements, such as IoT, smart devices and smartphones, require a thorough analysis of potential risks and call for integrated security policies within organizations. Setting up procedures and checks for acquiring, installing or upgrading hardware can considerably reduce the probability that nonapproved hardware is used. For example, attackers will often try to insert modified hardware into organizations to achieve their goals, and it is an organization's obligation to block off any device/hardware that does not comply with the characteristics described in its security policy.
Modification or extension of existing hardware is a common type of attack, in which the attacker extends or modifies the external and internal interfaces of hardware. The distinction between external and internal interfaces refers to the device casing. For example, interfaces that are accessible without opening or tampering with the casing are called external interfaces, such as USB ports. In contrast, if the casing needs to be removed, leaving the hardware inside intact, then it is referred to as an internal interface, such as pins that expose a JTAG interface [93]. A good example of modification/extension of hardware is the Cottonmouth-1, which “extends an existing USB cable in a noninvasive way and supports over-the-air attacks.” This hardware implant “will provide a wireless bridge into a target network as well as the ability to load exploit software onto target PCs.” Other examples include the FireWire plug or a PCIe device. Finally, in order to construct an effective policy against nonapproved equipment, it is important to remember that hardware can be “impacted by threats in a twofold way: a) the hardware itself is a physical asset to users (based on value and function) which can be impacted, and at the same time, b) can be modified to impact other asset types, such as user health and property [93].”
In this context, an effective policy against nonapproved software/equipment can prevent and reduce the impact of risks related to “back off attacks,” which are mainly caused by hardware trojans or infected operating systems/drivers. Also, guaranteeing that network software/infrastructure is malware-clean and adheres to security standards can reduce the probability that insecure network services are active, thus reducing the attack surface, including MAC congestion, MAC spoofing, malicious mobile nodes, sinkhole attacks, network intrusions, physical- and application-layer DDoS attacks and many others.
Limitations
Although security policies and procedures regarding new/updated equipment and software exhibit many benefits against certain types of threats, they are unable to defend against other threats such as memory scraping, traffic sniffing, buffer overflows, drive-by download attacks, physical damage, theft, or loss.
7.10.4.1 Memory Scraping
This type of attack uses a malicious script that parses data stored briefly in the memory of specific Point-of-Sale (POS) devices. More specifically, this technique “captures the data stored on the card's magnetic stripe in the instant after it has been swiped at the terminal and is still in the system's memory” [94]. The collected data can either be sold on underground black markets, or it can be used directly to create cloned copies of the cards. Holders of cloned cards can then use them to shop directly in stores [95]. In the infamous Target data breach in 2013, attackers stole financial information and personal data of more than 110 million customers. The attackers were able to steal card data by installing memory-scraping malware on the checkout POS devices of the Target stores [95].
In general, memory scraping is the most critical threat to POS systems. A recent study reviewed and extracted features from 22 malware families. Its analysis showed that memory-scraping behavior consists of three distinct stages: a) infection and persistence, b) process and card data search, and c) data exfiltration. The results showed that this type of attack is still quite immature, as the code rarely includes sophisticated techniques to evade static or dynamic malware analysis [95].
7.10.4.2 Physical Damage/Theft/Loss
Security policies regarding software and hardware updates can provide only limited protection from physical damage, theft, and loss. Unexpected damage, such as extreme weather conditions (e.g., storms, floods, earthquakes, etc.) can have devastating results on the hardware, equipment, and physical assets of an organization. In addition, physical damage can be caused by criminal activity or acts of mischief, such as terrorism, explosion, riots, smoke, and civil commotion [19, 96]. There are certain cases where security policies can do little to prevent damage. For instance, in cases of theft, if offices, data centers, or sites where computer hardware is kept are not sufficiently secured or are left unattended, it will be quite easy for criminals to gain access and break in. Sometimes, criminals can also gain access by masquerading as suppliers, for example, a technician, a cleaner, or a utility company representative [96]. This type of “attack” is related to social engineering, and it is fairly easy for employees to be tricked, especially when criminals disguise themselves as maintenance professionals, which gives them access to both the site and the physical equipment area (e.g., the electrical/network wiring rack).
Unfortunately, physical security tends to be overlooked by most organizations; taking countermeasures against hacking and sensitive data breaches is considered a higher priority, which leaves an opportunity for attackers to improve their methods of physical and remote access to systems.
7.10.4.3 Drive-by Download Attacks
Drive-by download attacks are another threat that cannot be dealt with by security procedures describing new updates and software installations. A drive-by download attack is a common attack among cybercriminals in which software is automatically downloaded and installed on a device without the user's consent. Downloading malware can happen in one of two ways:
- The user has authorized the download but is not aware that the download includes a malicious program, for instance, an unknown or counterfeit executable program, ActiveX component, or Java applet.
- The user has not authorized the download and is not aware that the download has been installed on the device, for instance, a virus, spyware, malware, or crimeware.
Essentially, the download can be initiated in various ways, such as through an email attachment, a malicious link online, an advertisement pop-up window [97], etc.