Cybersecurity risks have emerged as a crucial concern for IT companies. They can be associated with the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and have the potential to adversely impact an organization's operations (i.e., its mission, functions, image, or reputation).

So, understanding and managing cybersecurity risk has become a fundamental aspect of Test IO's robust cybersecurity risk management strategy.

Managing cybersecurity risks involves identifying and mitigating potential threats and vulnerabilities in the company's digital systems and networks.

Vulnerabilities are weaknesses in a computer or network that leave it susceptible to potential exploitation, such as unauthorized use or access.
Vulnerabilities include but are not limited to weaknesses in security procedures, administrative or internal controls, or physical configuration, as well as features or bugs that enable an attacker to bypass security measures.

A threat is anything capable of harming an asset and/or organization.
Threats can be adversarial (from an individual, group, or organization), accidental (from a user or administrator), structural (from IT equipment, software, or control devices), or environmental (a natural or man-made disaster or an infrastructure failure/outage).

Social engineering is a non-technical kind of intrusion that relies heavily on human interaction. It often involves tricking other people into not following normal security procedures. The attacker uses social skills and human interaction to obtain information about an organization or their information systems.

Most experts agree that social engineering generally involves taking advantage of the natural human tendency to trust someone and take them at their word. This is exactly what makes people vulnerable!

To bypass the security controls, attackers can use different channels of communication (instant messengers, emails, phone calls, etc.) and techniques (methods). Here are some of the techniques:

In some cases, an attacker will make a direct request for information or data—simply by asking for it. This is the first and most obvious method. It is not the most successful, but it is used.

This involves going through the trash (or a dumpster) to obtain information that can be used to steal one's identity. It is truly amazing how what people discard can potentially help malicious agents find additional information about them. Dumpster diving is not technically "social engineering," but it can sometimes be used as a step toward obtaining helpful information.

Once a person has selected a victim, raiding that person's mailbox can often provide additional information to use against them. Raiding mailboxes refers to the act of illegally opening and stealing contents from someone else's postal mailbox. The more you know about a person, the more effective alternate means of gaining data become.

Phishing is a type of online scam where criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information like your password, credit card number, or Social Security number. You will explore this social engineering technique in the What is Phishing article.

This is a method in which an attacker pretends to be someone in a position of authority. Some methods used during impersonation attacks include acting as an IT support or other support service employee, a repairman, a supervisor or manager, or a trusted third-party vendor.

A lot of corporate information can be obtained before even talking to anyone by simply surfing company websites—for instance, employee email addresses and phone numbers, organizational charts, executive titles, financial information, and more.
​

Have you ever wondered how easy it is to hack?
According to the National Institute of Standards and Technology (NIST), hackers post many new tools to internet hacking sites every month.

An attacker can exploit your system fairly easily with these tools if you are directly connected to a network (i.e., not using a router) and the attacker knows your IP address.
Social engineering uses manipulation to assist hackers in their exploits. For instance, a well-prepared phishing email can trick a user into opening a malicious attachment that activates a worm.
​
Awareness of a hacker's tool kit allows you to better implement preventive measures, recognize hacking attempts, and contribute to a more robust cybersecurity posture.

Internet hackers constantly scan networks to identify where systems are vulnerable. This type of scanning is also called a "pre-attack probe."

Intruders use a program that automatically keeps trying to log in to a system using a series of passwords that can be easily guessed or using a dictionary as a source of words.

Intruders set up a program that impersonates the sign-on routine for another system. When you attempt to log in to the system, the intruder's program collects your password and then returns a message that the system is unavailable. These programs can collect hundreds of valid passwords.

A virus is a program that "infects" stored files, usually executable programs, by inserting a copy of itself into the file. Copies are usually executed when the "infected" file is loaded into memory, allowing the virus to infect other files.

A worm is an independent program that reproduces by copying itself from one system to another across a network. Often triggered when someone opens an infected email attachment, a worm program can send replicas to everyone listed in the person's mail directory.

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer can hide a piece of code that starts deleting files (such as a salary database) should they ever leave the company.

Ransomware is a type of malicious software that encrypts a victim's files. The attacker then demands a ransom from the victim to restore access to the data upon payment. Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.

A Denial of Service (DoS) attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. This is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

Did you know that historically, the weakest link in the security chain is the human factor? No matter how robust a security system is, it can be compromised if users do not follow security protocols and practices. This can include falling for phishing scams, using weak passwords, ignoring software updates, or unknowingly downloading malicious software.

You are the first line of defense and the first security control. You must know how not to become a victim of social engineering, thereby safeguarding the Test IO and customer's information security.

While testing, you must ensure you do not put the company's networks and systems at risk when using the internet. As a Test IO tester, you are responsible for internet safety.

When connected to the internet, all devices and networks are susceptible to attacks, unauthorized use, or access. One compromised device can affect every other device sharing the connection.
​

To protect its assets from threats from the internet, Test IO asks you to be constantly vigilant by doing the following:

Internet safety involves understanding cybersecurity risks and how to manage them. The system is strong as its weakest link. Don't be the weakest link! Instead, we recommend you include the actions we shared in the articles How to Keep Your Device Safe for Testing and DOs and DON'Ts in Protecting Your Testing Devices.