I provided a response to the Computer Weekly Think Tank question ‘What should corporate IT managers do to ensure data protection?’:
Hacks of Google and at least 20 other companies in December prove that sophisticated cyber espionage attacks are a real and present danger. But in the light of the fact that most commercial security tools are ineffective against these attacks, according to the SANS Institute, what can and should corporate IT managers do to ensure data protection?
“Few organisations have the resources available to Google, who were still unable to prevent or readily detect the recent wide-scale electronic espionage, and most are unlikely to work with the National Security Agency after a compromise. Yet, organisations that form part of the UK critical national infrastructure (CNI) have for years received government advice and guidance on threats, including those emanating from China, from the Centre for the Protection of National Infrastructure (CPNI). Although its private advice is not readily available, the CPNI website provides non-classified information that non-CNI businesses should be aware of.
Many organisations tend to focus on preventative measures – policy, procedure, and technology – and fail to fully address the detective and responsive controls required for good information security management. Log analysis, required for firewalls, intrusion detection and data loss prevention, is resource intensive, requires expert interpretation of results and is not particularly appealing, but is necessary to detect anomalous behaviours. A robust incident reporting and management procedure is also required, along with an associated forensic readiness plan.
Every organisation should understand the need for regular upgrades and patches, after adequate testing and planning, for all vulnerable systems. Sometimes this is set aside for operational expediency, for critical systems where downtime or the risk of failure is unacceptable, or due to backward compatibility requirements, for legacy applications or platforms – but the risk posed by the failure to upgrade or patch must be mitigated by additional controls that compensate for the vulnerabilities. Defence in depth, or layered security, would mean that a single weakness or vulnerability does not expose everything.
Common factors in this and similar attacks are the level of research and targeting that goes into them, not just utilising multiple zero-day vulnerabilities in IE6 and Adobe Acrobat, but directing the attack at specific people with sufficiently contextually correct information to trick them into effecting the compromise. The attackers appear patient, with long-term goals rather than seeking money or glory, which makes them all the more insidious. A long-term strategy of user awareness training and education is required to combat this threat, in conjunction with technical and procedural security measures.”
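The point about log analysis above (that it is tedious but is the only way to detect anomalous behaviour that preventative tooling lets through) is easier to see with a concrete pass over firewall logs. The following is an added example, not part of the Computer Weekly response or any vendor's tool: it parses a small set of constructed outbound firewall log lines (the format, hosts and addresses are invented for the example) and flags two behaviours typical of a compromised workstation: regular "beaconing" from one internal host to one external host at near-constant intervals, and a single large one-off transfer to a destination the host has not talked to otherwise.

```python
"""Toy detection pass over outbound firewall logs (added example).

Flags two behaviours a compromised workstation typically shows and that
preventative controls do not stop: regular beaconing to a command-and-
control host, and an unusually large one-off outbound transfer. The log
format, hosts and addresses below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample. Each line: "timestamp src dst dport bytes_out"
# (outbound-allow lines only). Lines are deliberately not in time order.
SAMPLE_LOG = """\
2010-01-12T09:00:00 10.0.0.15 203.0.113.9 443 1024
2010-01-12T09:01:00 10.0.0.15 203.0.113.9 443 1100
2010-01-12T09:02:00 10.0.0.15 203.0.113.9 443 980
2010-01-12T09:03:00 10.0.0.15 203.0.113.9 443 1050
2010-01-12T09:04:00 10.0.0.15 203.0.113.9 443 1010
2010-01-12T09:05:00 10.0.0.15 203.0.113.9 443 1030
2010-01-12T09:00:12 10.0.0.22 198.51.100.40 80 5000
2010-01-12T09:00:40 10.0.0.22 198.51.100.40 80 7200
2010-01-12T09:03:51 10.0.0.22 198.51.100.40 80 6100
2010-01-12T09:14:09 10.0.0.22 198.51.100.40 80 4800
2010-01-12T09:30:00 10.0.0.15 192.0.2.77 443 52428800
"""


def parse_log(text):
    """Parse the constructed log lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return events


def find_beacons(events, min_events=5, max_cv=0.1):
    """Return (src, dst) pairs whose connections arrive at near-constant intervals.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    inter-arrival times; human browsing is bursty, a C2 beacon timer is not.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for pair, stamps in sorted(by_pair.items()):
        if len(stamps) < min_events:
            continue
        stamps.sort()  # log lines may be interleaved; intervals need time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append(pair)
    return beacons


def find_large_first_contact(events, threshold_bytes=10 * 1024 * 1024):
    """Return (src, dst, bytes) for single large transfers to a destination
    the source host contacts only once in the window (bulk exfiltration pattern)."""
    pair_count = defaultdict(int)
    for e in events:
        pair_count[(e["src"], e["dst"])] += 1
    hits = []
    for e in events:
        if e["bytes"] >= threshold_bytes and pair_count[(e["src"], e["dst"])] == 1:
            hits.append((e["src"], e["dst"], e["bytes"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, dst in find_beacons(evs):
        print(f"possible beacon: {src} -> {dst}")
    for src, dst, n in find_large_first_contact(evs):
        print(f"large one-off transfer: {src} -> {dst} ({n} bytes)")
```

On the constructed data, host 10.0.0.15 is reported for both behaviours (a 60-second beacon to 203.0.113.9 and a 50 MiB one-off upload to 192.0.2.77), while 10.0.0.22's irregular web traffic is not. The thresholds are assumptions to be tuned against a baseline of the organisation's own traffic; the point is that neither behaviour trips a firewall rule, since every connection was allowed, so only retrospective analysis of the allow logs surfaces it.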
The full article is available online at: