Earlier this month Google discussed the nature of the cyber attacks they have been facing from China. The targets included not only politically motivated email accounts, but also attacks on the corporate infrastructure that resulted in theft of intellectual property. During their investigations, Google also found evidence of ongoing attacks on major U.S. corporations including Dow Chemical, Goldman Sachs, and Juniper Networks with intellectual property as the target.
One outcome of this chain of events for any enterprise organization should be a thorough review of the processes by which data is secured. Quite often the motivator and business catalyst for investing in data security has been compliance with government regulations. But I now think it is prudent for organizations to consider that they will be under frequent, directed attacks targeting the intellectual property, source code and design documents that drive their businesses forward.
How should corporations facing these circumstances react? A good starting point is to understand what data needs to be protected and under what circumstances. Nearly all organizations are likely facing situations where critical information is dynamic and growing rapidly. As such, it is important to have criteria for deciding which data requires primary attention.
Are current protection mechanisms sufficient? It is likely that past security issues have biased the investments one way or another. But it is important to evaluate areas of exposure whether the data is in use by an application, stored in a database or traveling over a network. This casts a broad area of concern and certainly impacts all areas of an organization.
Given the severity of these events, the attack approach bears closer examination. In some cases the attackers took advantage of a zero-day vulnerability in Internet Explorer to access employee PCs. In other cases employees were sent contaminated PDF files, leveraging vulnerabilities in Adobe Acrobat. Once the PC was compromised, a Trojan was downloaded to the machine, and following that the corporate network was accessed from the hijacked end-point.
Note also that the attacks were not directed at the network but at employees, using the end-point compromise to go after intellectual property. The attackers capitalized on the alignment of two significant trends – high-grade Trojans and broad-based infection capabilities. These developments should cause both business unit managers and security staff to pause and consider their approaches to data protection.
One valuable approach is to look at the system as a whole. The primary components of this security system are policy, strategy and control. The policy component defines the risks facing the business and the security program requirements, and articulates the goals and measures for the program. The strategy is developed through a model of the risk situation, the data to be protected and the controls that carry out the protection objective. Lastly, the control component implements, audits and manages the plan. The net result is business enablement.
It is also useful to look to others in industries that have faced similar problems. The financial sector has been tackling nearly identical issues for many years. Consider electronic fraud: rather than robbing the bank, attackers have targeted user accounts, which is quite similar to the challenges that enterprise customers now face. What has worked well in the financial sector? Systematic hardening of the infrastructure, multiple layers of defense, active logging of user activity, data encryption and centralized key management have proven effective.
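Of the measures listed above, active logging of user activity is the one that most directly catches the end-point scenario described earlier: an employee's account reaching intellectual property from a machine that is not the one they normally use. The following is an added example, not code from the original post, showing what a minimal review of such logs can look like. The log format, the host and user names, and the set of protected paths are all constructed assumptions for the illustration.

```python
"""Added example: flag protected-data access from an unfamiliar end-point.

Builds a per-user baseline of the hosts each user normally works from during
a learning window, then reports later reads of protected resources from a
host outside that baseline. Log format and all sample values are constructed
for this illustration and are not from any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp, user, source host, resource, bytes read.
SAMPLE_LOG = """\
2010-01-12T09:03:11 alice ws-alice-01 /docs/design/chip-v2.pdf 240000
2010-01-12T09:15:42 alice ws-alice-01 /src/core/router.c 18000
2010-01-12T10:02:07 bob ws-bob-07 /docs/design/chip-v2.pdf 240000
2010-01-13T09:10:55 alice ws-alice-01 /src/core/main.c 9000
2010-01-13T11:20:01 bob ws-bob-07 /src/core/main.c 9000
2010-01-14T02:41:33 alice ws-bob-07 /docs/design/chip-v2.pdf 240000
2010-01-14T02:42:10 alice ws-bob-07 /docs/design/chip-v3.pdf 310000
2010-01-14T02:43:51 alice ws-bob-07 /src/core/router.c 18000
"""

# Assumed: paths under these prefixes hold the data the policy marks as critical.
PROTECTED_PREFIXES = ("/docs/design/", "/src/core/")


def parse_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, resource, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "resource": resource,
            "bytes": int(nbytes),
        })
    return records


def build_baseline(records, learn_until):
    """Map each user to the set of hosts seen before the learning cutoff."""
    baseline = defaultdict(set)
    for r in records:
        if r["ts"] < learn_until:
            baseline[r["user"]].add(r["host"])
    return baseline


def detect_new_host_access(records, baseline):
    """Return (timestamp, user, host, resource) for protected reads from
    a host the user was never seen on during the baseline window."""
    alerts = []
    for r in records:
        if not r["resource"].startswith(PROTECTED_PREFIXES):
            continue
        if r["host"] not in baseline.get(r["user"], set()):
            alerts.append((r["ts"].isoformat(), r["user"], r["host"], r["resource"]))
    return alerts


def run(text=SAMPLE_LOG, learn_until=datetime(2010, 1, 14)):
    """Convenience entry point: baseline on everything before learn_until,
    then check the whole log against it."""
    records = parse_log(text)
    return detect_new_host_access(records, build_baseline(records, learn_until))


if __name__ == "__main__":
    for alert in run():
        print("ALERT new-host access:", *alert)
```

On the constructed sample, the three reads on 2010-01-14 by alice from ws-bob-07 are reported, because alice's baseline contains only ws-alice-01. A real deployment would pair this with the other layers the post lists (the logs must be collected centrally and the baseline window must be clean), but the shape of the check is the same.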
Regardless of whether you look at information security from a top-down perspective or through the lens of others facing similar challenges, the era of cybercrime targeting enterprises is upon us. It is worth taking a thorough review of the situation.
– John Reno