Introduction
The cyber-attack on Sony Pictures' infrastructure last November brought into sharp relief the fact that everyone can fall victim to such attacks and that they are not going to go away.
Such was the scale of the attack that Sony is still picking up the pieces, and many of its systems remain offline as security professionals seek to repair the damage caused by the affair. The hack led to embarrassing emails being released as well as a number of movies being leaked to file-sharing sites. The finger of blame initially pointed to North Korea, said to be furious over the portrayal of its leader Kim Jong Un in the movie The Interview. Hard drives had also been wiped and its network was out of commission for more than a week.
In the light of this and other breaches over the past twelve months, how can we protect our infrastructure from such transgressions?
Entry point
Although no one seems to have publicly stated how the Sony attack happened, according to Barry Scott, Chief Technology Officer EMEA at Centrify, attackers initially look for a way into networks.
"Often through a phishing attack installing malware on an unsuspecting user's machine, and after gaining access they expect to have to jump from one system to another, increasing knowledge of the network as they go, until they hit gold," he says. "The goal is to find administrative credentials – without admin rights they are limited as to what they can do."
Visibility into an enterprise's internal network communications, and an understanding of how systems on it behave, is an often overlooked element of information security, especially when organisations have invested significantly in modern border defences.
But in an era when even printers can be compromised and used as a pivot point to attack other systems, internal insight into what is genuinely happening is vital, according to David Palmer, Director of Technology at Darktrace.
"The complexity of large organisations can be managed by using machine learning and abnormality detection to direct the attention of defenders onto the incidents that most need investigating," he says.
GFI Software's General Manager, Sergio Galindo, says that organisations need to be aware of what is going on inside their own office and network. "By looking at network traffic – not only during office hours, but outside of office hours too – businesses can identify unusual traffic patterns that potentially give up a hacker," he says.
"What we saw with the likes of Sony and JP Morgan was that hackers were able to sit on the network for months, steadily gathering and transferring large quantities of information out of the organisation without anyone noticing," he adds.
Third-parties, training and outsourcing
Third-party perils
The breach at US retail giant Target was an example of when third-party access becomes a problem. Around 70 million customers had credit card data stolen as cybercriminals installed malware in the firm's payments systems. According to research by analyst firm Ovum, some 88% of companies have at least one third-party with access to their IT networks.
"The breach at US retailer Target in late 2013 was revealed to have occurred via one of its contractors that had access to its billing system," says François Amigorena, CEO of IS Decisions. "When we talk about insider threats and internal security, we don't just mean the immediate set of current employees, but anyone that might have some kind of legitimate access to systems and data."
He notes, though, that there are ways to mitigate these risks. Amigorena adds that user training is an excellent place to start, as educating your employees on what constitutes good and bad security behaviour decreases the chances of an accidental breach. "Technology can help too, with a sophisticated toolset that strengthens all employees' login security to prevent unauthorised access to enterprise networks. It can also underpin training and security policy to further disseminate good behaviour," he says.
Stuart Facey, International Vice President at Bomgar, says that when implemented and managed properly, remote access is secure. "The recent changes in PCI DSS 3.0 compliance reinforce some key guidelines to ensure that third-party access is as secure as internal network security. This change also makes it clear that responsibility for security remains with the retailer, rather than only being on the outsourcer," he says.
Training
As mentioned by Amigorena earlier, training staff, especially new employees, on the risks to infrastructure is important, according to Oscar Arean, Technical Operations Manager at Databarracks.
"Existing employees should also get yearly 'refreshers' to ensure their knowledge is up to date. We need to work to create a cyber-security culture within our organisations where education is encouraged," he says.
"In the same way that we have processes in place to protect our physical assets, like conditioning our employees to follow the correct lock-up procedure in the office each night, we need to extend it digitally, too."
Know your limitations
It is not only about training but also about knowing what your limits are. According to Eddie Schwartz, Chairman of ISACA's Cybersecurity Task Force, organisations must develop a stark sense of reality about what they can and can't do well in terms of cybersecurity.
"Security leaders must revisit the organisational structure and the skillsets of their security and IT teams that have any responsibility for securing information assets. They must evaluate their core competencies and where they may need to outsource skills," he says.
He adds that it's common knowledge that the bad guys share information freely and across borders, so it's critical for the good guys to have more opportunities to share information and intelligence about current attack techniques and emerging threats.
"Creating effective collaboration forums can help alert companies to the latest threats and help them identify the right solutions and service providers."
He adds that it is critical that security practitioners understand the relationship between their organisation, its people, its IT assets and the kinds of adversaries and threat actors they are facing. "It's no secret that organisations of every size are at risk of malicious attacks like the one Sony recently fell victim to, but by taking action now, businesses can greatly reduce the risk of becoming the next victim," Schwartz observes.
from www.techradar.com