By Jon Moynihan and Ed Savage of PA Consulting Group
Published: July 5 2010 16:25 | Last updated: July 5 2010 16:25
All organisations connected to the internet must consider themselves vulnerable to outside attack, and all organisations with computer systems are vulnerable to insider attacks, possibly involving sabotage or theft.
Using the internet, or working from the inside, individuals, organisations or nations can steal intellectual property and personal data or cause untold damage with relatively little investment in time or money, and with little chance of their identity being detected.
While the cloud (delivery of IT services via the internet) promises significant cost and operational savings for companies, it also offers malicious individuals and organisations access to cheap and unprecedented processing power that can be used in probes and attacks.
And cyberwarfare, by one state upon another, has been documented in at least half a dozen cases over the past few years.
Until recently, many organisations seemed to assume their firewalls and anti-virus software would protect them. But those that have suffered attacks are aware that this is not the case, and are part of a growing consensus that a new technical approach, and a much stronger focus on the people and organisational aspects of cyber defences, are badly needed.
Cyber defence traditionally focuses on keeping threats out, mostly talking about repelling attacks on the company’s IT infrastructure.
However, even the best anti-virus products are no obstacle to a “zero day” attack (one involving a previously unknown virus, hack or worm) since it will not have been known about prior to that attack.
Best practice therefore requires a resilient architecture plus mechanisms to permit rapid identification of such attacks; their immediate isolation from the live network; and tracking to enable potential identification of the attacker and their intentions.
There is, however, a consensus among specialists that most corporate networks already carry hidden malicious code, waiting to be triggered by a further entry through a prepared ”trapdoor”. Such targeted attacks will succeed, unless the very difficult task of searching for and removing such malware is successfully undertaken.
Best practice has not yet identified a way to spot all such pre-embedded malware “bombs”, although it has been suggested they might be identified by checking every line of the software against a duplicate copy of the original code, examining deviations.
This has not yet been shown to be practicable in most cases, but easier-to-implement immediate steps that could be taken include the following:
● Getting better information on all intrusive probes and attacks on software infrastructure. Most organisations are under daily attack from amateurs; those calling themselves “semi-professionals”, or “hacktivists”; and professional intelligence agencies of other countries.
Organisations need to get better at monitoring all attempts to penetrate their systems.
● Reviewing all software to discover what trap doors have been installed or may have been or exploited, and what malware may have been added to their software. This could be costly and difficult in practice. Some newer detection products are achieving good hit rates, although it is almost impossible to be certain all malware has been removed.
● Installing new software, protected from intrusion, from a reliable source, to replace old and potentially compromised software. This is expensive but could be confined to the most sensitive areas. Where IT services have been sourced to a third party, “protect and replace” agreements must be written into contracts at the outset.
● Locking down key parts of the software, and removing access from the public internet. For many organisations this will limit normal business, but some have found that doing this is possible for key control systems and more sensitive data networks.
● Preparing contingency plans against cyberattack. This would include, for example, resilient back-up systems that could be switched to, completely isolated from the net, in the event of cyberattack.
● Maintaining a highly skilled counter-cyberterrorism capability is essential. National authorities such as CESG and CPNI in the UK provide much needed assistance but are still under-resourced.
While much investment goes on fighting external attacks, malign insiders still pose a great risk because they know the organisation, its high value assets, its vulnerabilities and, often, its defences.
Malign insiders can pose multiple threats – sabotage; facilitating third party access; corruption data; theft and espionage.
To reduce their exposure to such loss, organisations need to ensure their protective monitoring capabilities against insider threats are sound.
This need not entail significant additional investment in technology. The biggest gains in effectiveness often come from ensuring the organisational and process elements in an organisation’s monitoring are soundly based.
Strategic protective monitoring can also save an organisation from human error – since even the best technical defences can be thwarted by an individual unwittingly introducing a Trojan from a corrupted memory stick or by visiting an infected web site.
It makes good sense for every organisation to review, in its own way, its defences and actions to protect itself against the growing threat of cybercrime and terrorism.
Jon Moynihan is executive chairman, and Ed Savage, is senior defence and security specialist, both at PA Consulting Group
Copyright The Financial Times Limited 2010. Print a single copy of this article for personal use. Contact us if you wish to print more to distribute to others.
