
Cyber Threats and Solutions

While the developments in information and communication technologies have made our lives easier, they have introduced us to a problem that was not in our lives before: Cyber threat! The systems we designed and used to make our lives easier suddenly turned into a threat and we started to come up with ideas and solutions on how to protect ourselves. These attacks, which initially manifested themselves as simple problems, turned into very complex and expensive attacks over time and we started to realize what kind of monster we had given birth to. Unfortunately, we still haven’t been able to grasp exactly what the threat is.

New headings are being added to the concept of cyber threat day by day. It takes no prophecy to say that many more new concepts will be added to this list. As long as development in communication technologies and information systems does not stop, and it does not seem likely to stop, the threat will continue to increase.

In the information age, talking about staying out of these developments, creating a closed model, not using products developed by others, abandoning integrated systems and returning to autonomous structures would mean pushing the country behind the times and expecting it to give up its claim to be a leading country. The best approach is to treat cyber threats with the seriousness the subject requires, without using paranoia and conspiracy theories as justification, to analyze possible risks soundly and prepare action plans, and to take part in global competition without taking the easy way out. The IT world, a huge sector into which the young minds of the country can easily be directed, will also be one of the engines of development.

Although the threat is cyber, one of its most important categories is physical access and natural threats. First of all, the physical security of the places where information systems are kept must be ensured. Measures against both malicious access (direct access, sabotage, and man-made threats such as cutting energy systems and fiber infrastructure, and even bombing) and natural disasters such as earthquakes, fires and floods are the first steps to be taken to prevent cyber threats. For this purpose, special buildings should be constructed, energy and fiber infrastructures should be installed with route redundancy, and systems located in different geographies that can back each other up live should be created. Of course, a balance should be sought between the measures to be taken and the existing risk. However, it should never be forgotten that the most important threat before us is the “nothing will happen to me” approach.

The goal of a cyber attack can be categorized under many different headings, such as stopping a system, using it for malicious purposes, stealing data, monitoring what is happening, or copying systems. The easiest way to achieve these goals is to become a system administrator. The second most important measure against cyber threats is therefore to eliminate internal attack threats through reliable people, auditable systems, effective monitoring and reporting, and distributed use of authority. Today, the most important cyber threat is still internal attacks. This is true both in terms of the number of incidents and the damage caused. It should never be forgotten that those who hold authority today will be the unauthorized of the future.

As in Ziya Gökalp’s story Yüksek Ökçeler, the approach of “let them do whatever they want, as long as they do not give me a headache” should be abandoned. Especially in critical systems, the IT manager and the cyber security manager should be completely independent, co-authorized administrators. While the IT manager controls and manages all information systems, they should not be authorized to intervene in security systems. Likewise, the security administrator should not have the authority to interfere with IT systems. In addition, it should not be forgotten that an uncontrolled system is open to all kinds of abuse. One of the most effective measures against possible internal threats is independent external audits. Here, it is important that the auditor is not selected by the IT and/or cyber security managers, and is competent and authorized in the field. Planning these audits as unannounced audits will also yield more effective results.

Threats from access sources are another consideration. There are many kinds of malicious code prepared for this purpose, such as viruses, spyware, trojans and ransomware. Protective software against all of these is available ready to use and is continuously updated. The most important point here is to keep this software constantly updated. Malware does its greatest damage not when it is released but after a certain period of time has passed. The main reason for this is the neglect of updates. In addition to such software, system designs should also take into account attacks classified as piracy. Malicious software uses vulnerabilities in systems to gain access and achieve its goals. These vulnerabilities are sometimes caused by system settings and sometimes by the operating system, database or application software used. In addition to updates, the most important measure against such vulnerabilities is to test the systems with non-malicious attacks and close the vulnerabilities found.

The measures to be taken for infrastructures classified as critical systems should be even more radical. Information and systems that the state must keep secret, military systems, nuclear power plants and similar critical facilities, infrastructures such as energy, water and natural gas networks, and sensitive infrastructures such as banking should be evaluated in a different category. All software, access and security infrastructures and SCADA systems should be designed with the possibility of back doors in mind. Efforts to use national software and systems in such infrastructures should be planned and steps should be taken quickly. It should even be ensured that the fiber network over which these systems operate is independent. As in the case of Germany and Russia, the use of common software in such systems should be prevented and controllable solutions should be popularized. Open source code offers a wide range of opportunities for this work. Using products prepared in this field will not be sufficient on its own. Teams that are familiar with all of the code of this software should be formed, and a living, developing structure should be created with sustainability as its model. Against possible sabotage, tests should be conducted by an organization completely independent of the developer, and the relevant software should be put into use only after this stage. Another task for cyber sabotage is the preparation of disaster scenarios, emergency action plans and drills to ensure the autonomous operation of systems.

Cloud applications, which have been on our agenda in recent years, should also be evaluated. Some data should be prevented from being stored in the cloud, while a national cloud infrastructure should be created for some cases. Studies should be carried out on the encryption to be used in cloud configuration and national algorithms should be developed if possible. There is no point in knowing who the culprit is after an incident has occurred. The damage is the same no matter who the culprit is.

The steps to be taken while planning the country’s cyber defense should also be evaluated. The country’s internet and communication entry points should be kept under control, and the necessary preventive investments should be made against all attacks, from traffic blocking attacks such as DDoS to piracy and sabotage attacks. In addition, the approach that the most important defense is attack should be taken into account and the country’s ability to conduct cyber attacks should be improved. Controlled cyber-attack elements will serve as a deterrent to possible systematic attacks from other countries.

Finally, if we are to talk about cyber security in the real sense, raising the awareness of users is a basic necessity. Choosing simple passwords, visiting insecure sites, random memory usage, carelessness, etc. make all the measures taken meaningless. User diligence is a prerequisite for any security system, and we need to raise awareness starting from primary school age.

Dozens of small omissions have caused and will continue to cause major problems: people keeping critical information in a generic mail system, keeping e-mails in these systems for easy access even though most are never looked at a second time, going online in insecure environments, not having a screen protection password on computers, opening folders for sharing, and not backing up information periodically. We need to stop being a society that gets wise only when the problem happens to itself, instead of learning from it.

Both the scandals around the world and the realities we had to face, especially after the July 15 invasion attempt, raised awareness about cyber threats. The fact that one of the first arrestees was in the IT department of the Prime Ministry showed how serious an issue we are talking about. This awareness must be kept alive. As we see that IT managers still decide on security investments, we think that lessons have not been learned from what happened. The steps to be taken regarding security investments are strategic and concern senior management. Thanks to this approach, which will free IT managers from blame, we will have more secure systems. Our cyber defense infrastructure should be strengthened and continuously fortified, starting from the national level, with planning that should be done gradually, starting with institutions, the private sector and even individuals.
