This morning the Washington Post once again reported a widespread and ongoing set of attacks sponsored by a cybercriminal organization based in Eastern Europe. Amit Yoran of Netwitness was quoted as saying, “The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats. The things that we — industry — have been doing for the past 20 years are ineffective with attacks like this. That’s the story.” I have worked with Amit both at Riptech (now Symantec) and when he was National Cyber Security Division director within the United States Department of Homeland Security. We should take note. More sophisticated attacks are coming, and perimeter-oriented, signature-based defenses are inadequate.
What should be done? I would invest rapidly in two particular areas:
• Social engineering and security awareness
• Risk management
Social engineering and security awareness can be thought of as your new front line of defense: your users. They need to be cognizant of the attacks being directed at them and of the role they play in defending the organization and its corporate assets.
Risk management can be implemented by following the process depicted above. From the standpoint of defending against cyber crime, the process helps identify the areas of highest impact to your business and organizes controls to defend against the threats to those areas. Another important benefit is that business unit leaders and executive management are drawn into the process, and thus gain an understanding of the security issues and risks. Furthermore, implemented properly, risk management simply becomes part of running the business, similar in nature to the way the finance organization closes the books every month.
Here at Redspin we can help you understand your risks, educate your workforce and modernize your defenses.