SC Magazine has published an interesting e-book on the topic of Cyber-Espionage: Companies Need to Shift Their Thinking About Cyberattacks. Although the e-book is sponsored by information security vendors, its author suggests that companies may be focusing on the wrong things when it comes to protecting valuable information assets.
The first point made is a reminder that the attackers continue to have significant, public successes. Whether it's the Linux Foundation (in the papers today), security vendor RSA, or others, security measures don't seem sufficient to keep up with the tricks and techniques of the hackers.
With this in mind, it is understandable that the author suggests we are spending too much time on prevention and not enough on detection. While we should not stop doing our best to keep hackers out, we should be doing more to detect successful exploits more quickly so we can take action.
A director at PwC is quoted as saying that:
"Most companies today focus on prevention of attacks — building bigger firewalls and installing anti-malware software — when instead they should be focusing on the actual detection of attacks. Although prevention is important, she says no company can be 100 percent secure, so it is crucial to ensure that they can detect anomalous system and network activity as quickly as possible to shut down the attacks before crucial data leaves the building." She continues: "companies should assume their systems are already breached and should therefore analyze their network for inappropriate activity. State-sponsored and organized crime attackers could be in corporate systems for days, months or even years, she says, adding if a company only looks for new breaches, it might overlook an existing attack that is sucking its database dry. Further, companies need to shift their thinking about cyberattacks from a strictly IT perspective to an investigative one, she says. Instead of looking at firewalls, for example, and testing all of the known ways of defeating such technology, security professionals should instead analyze log files and build baselines for critical systems so that they can determine when unusual and unauthorized activity takes place."
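The last sentence of that quote, building baselines from log files and alerting on departures from them, is easy to state and worth seeing in working form. The following is an added example written for this post; it is not code from the e-book, from SC Magazine or from the PwC director quoted above. The log format, the user and host names, the five-day window and the three-sigma threshold are all constructed for illustration. It learns, from the first four days, which hosts and hours each user normally logs in from and how many rows a service account normally exports per day, then scores the fifth day against that baseline.

```python
"""Baseline-and-deviation detection over constructed authentication logs.

Added example, not from the e-book or the PwC director quoted in the post.
Log format, names, hosts and thresholds are constructed for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: five days of a syslog-style auth/db log. Days 1-4 form
# the baseline; day 5 holds an off-hours login from a never-seen host and a
# large burst of database exports by one service account (the "sucking the
# database dry" case from the quote). 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
2011-09-05T08:02:11 auth user=alice src=10.1.1.20 action=login
2011-09-05T08:07:45 auth user=bob src=10.1.1.31 action=login
2011-09-05T09:15:02 db user=svc_report src=10.1.2.5 action=export rows=1200
2011-09-06T09:11:30 auth user=alice src=10.1.1.20 action=login
2011-09-06T08:03:12 auth user=bob src=10.1.1.31 action=login
2011-09-06T09:16:41 db user=svc_report src=10.1.2.5 action=export rows=1350
2011-09-07T08:44:03 auth user=alice src=10.1.1.20 action=login
2011-09-07T09:20:55 auth user=bob src=10.1.1.31 action=login
2011-09-07T09:14:09 db user=svc_report src=10.1.2.5 action=export rows=1100
2011-09-08T08:20:17 auth user=alice src=10.1.1.20 action=login
2011-09-08T08:09:48 auth user=bob src=10.1.1.31 action=login
2011-09-08T09:15:33 db user=svc_report src=10.1.2.5 action=export rows=1300
2011-09-09T03:14:27 auth user=alice src=203.0.113.7 action=login
2011-09-09T08:05:10 auth user=bob src=10.1.1.31 action=login
2011-09-09T08:30:00 auth user=alice src=10.1.1.20 action=login
2011-09-09T09:12:40 db user=svc_report src=10.1.2.5 action=export rows=48000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\w+) user=(?P<user>\S+) src=(?P<host>\S+) "
    r"action=(?P<action>\w+)(?: rows=(?P<rows>\d+))?$"
)


def parse(log_text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.fromisoformat(d["ts"])
        events.append({"day": ts.date(), "hour": ts.hour, "user": d["user"],
                       "host": d["host"], "action": d["action"],
                       "rows": int(d["rows"] or 0)})
    return events


def build_baseline(events):
    """Per user: hosts and hours seen at login, and export rows summed per day."""
    base = {"hosts": defaultdict(set), "hours": defaultdict(set),
            "rows_per_day": defaultdict(Counter)}
    for e in events:
        if e["action"] == "login":
            base["hosts"][e["user"]].add(e["host"])
            base["hours"][e["user"]].add(e["hour"])
        elif e["action"] == "export":
            base["rows_per_day"][e["user"]][e["day"]] += e["rows"]
    return base


def detect(events, baseline, sigma=3.0):
    """Flag logins from unseen hosts or hours, and export volume beyond
    mean + sigma * stdev of the user's baseline daily totals."""
    alerts = []
    day_rows = defaultdict(Counter)
    for e in events:
        if e["action"] == "login":
            if e["host"] not in baseline["hosts"][e["user"]]:
                alerts.append(("new_host", e["user"], e["host"]))
            if e["hour"] not in baseline["hours"][e["user"]]:
                alerts.append(("off_hours", e["user"], e["hour"]))
        elif e["action"] == "export":
            day_rows[e["user"]][e["day"]] += e["rows"]
    for user, per_day in day_rows.items():
        history = list(baseline["rows_per_day"][user].values())
        if len(history) < 2:  # too little history to estimate a spread
            continue
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        for day, rows in sorted(per_day.items()):
            if rows > mean + sigma * sd:
                alerts.append(("export_volume", user, rows))
    return alerts


def run(log_text=SAMPLE_LOG, baseline_days=4):
    """Baseline on the first N calendar days, score everything after them."""
    events = parse(log_text)
    days = sorted({e["day"] for e in events})
    learn = set(days[:baseline_days])
    baseline = build_baseline([e for e in events if e["day"] in learn])
    return detect([e for e in events if e["day"] not in learn], baseline)


if __name__ == "__main__":
    for kind, user, detail in run():
        print(f"ALERT {kind:14} user={user} detail={detail}")
```

On the constructed data the script raises three alerts for day 5: alice's login from a new host, that same login at 03:00, and svc_report's 48,000-row export against a baseline averaging about 1,240 rows a day. Bob's ordinary login raises nothing. The point of the structure is the one the quote makes: nothing here inspects a firewall rule or a signature; it only asks whether today looks like the recorded normal for each account, and an attacker who has been inside for weeks would already be part of a baseline learned too late, which is why the learning window should be chosen and reviewed deliberately.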
Another point made is that you need to recognize the vulnerability of your culture. Is there a recognition that employees should not share passwords (even with their assistants), or talk about company business in public places? Would it be easy for hackers to gain access through social engineering, because people asking for access or other information are not challenged?
These, for me, were the more interesting points in the e-book. I especially liked the point that you have to assume that the hackers will occasionally succeed — and be prepared to detect the penetration, assess the extent and nature of the damage, and act quickly to prevent further loss. In addition, your response processes need to include prompt communications within and outside the organization (e.g., to customers who might potentially have been affected).
I still prefer a risk-based approach to information security. This involves understanding, first, what needs to be protected: what and where are my most valuable information assets? Then, you identify and assess the risks (and this has to be a continuing process, not something that is performed only on a monthly or quarterly basis). Both preventive and detective mechanisms are then put in place to manage the risks.
What do you think of the e-book? Did anything surprise you? Did they miss something important?