The perennial IT security mistake: This is not a war you’ll win

A recent Ciena webinar includes an expert who suggests it’s time to rethink the way we approach data protection


The recent attacks on Sony’s data systems—first at its Pictures division, then the PlayStation network—may well cost the company millions of dollars. But Sony certainly isn’t alone. Home Depot, Target and Neiman Marcus have also experienced embarrassing and expensive breaches. Add to that conspicuous list Adobe, Yahoo and numerous financial institutions.

Yet there are good reasons for this ridiculously poor showing, posits Dr. Mark Ciampa, associate professor in Information Systems at the Gordon Ford College of Business at Western Kentucky University. In a webinar with IDG senior editor Bill Laberis and Mark DeBandi, vice-president of systems engineering at network technology provider Ciena, he discussed some of the biggest problems with network security today.

Among them is the notion that organizations are at war with cybercriminals—a battle that, eventually, businesses will win. Sounds dramatic, but patently false. In fact, “this is not a war to be won or lost,” Ciampa said. Instead, the goal should be to achieve equilibrium: As new threats emerge, organizations must meet them, recognizing that the next attack is on the way. “Information security becomes an endless cycle between attacker and defender.”

Ciampa outlines three important tactics organizations can use to raise the stakes for attackers—and maybe convince them to give up and go home (even if only temporarily). First, businesses should aim to break the cybercriminal workflow. Second, they should improve employee protocols for handling sensitive information. Third, they should use deep encryption to protect data at its core.

Break the chain

Hacking involves a number of steps: researching the target to find out what sorts of systems it has; delivering the malware into the organization’s network; and controlling the malware once it’s in. According to Ciampa, companies should focus on each area of that hacker workflow—“break the chain,” as he puts it. For instance, prevent infiltrators from discovering the details of the organization’s server and network architecture. Without that knowledge, attacks will be less effective. As well, break the chain of command and control to keep the malware from communicating with its handlers. By targeting the hackers’ workflow, organizations stand a far better chance of thwarting attempts to exploit business data.
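The command-and-control link Ciampa wants broken is also the easiest link for a defender to see: a compromised host checks in with its handlers on a timer, so the same outbound destination recurs at near-constant intervals. The following Python is an added example, not code from the webinar or from Ciena; it runs a simple periodicity check over constructed proxy-style log lines and flags (source, destination) pairs whose connection intervals show little jitter, which is the kind of finding that justifies blocking the destination at the egress.

```python
"""Flag outbound connections that recur at a near-constant period.

A host that contacts the same external address every N seconds with
little jitter looks like malware phoning home rather than a person
browsing.  Surfacing such pairs lets a defender cut the
command-and-control link at the network edge.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-style log lines: "<ISO time> <src> <dst> <bytes>".
# 198.51.100.7 is contacted roughly once a minute; 203.0.113.9 is
# contacted at irregular intervals, as normal browsing would be.
SAMPLE_LOG = """\
2015-01-05T10:00:00 10.0.0.5 198.51.100.7 312
2015-01-05T10:00:12 10.0.0.5 203.0.113.9 4120
2015-01-05T10:01:00 10.0.0.5 198.51.100.7 310
2015-01-05T10:01:47 10.0.0.5 203.0.113.9 88
2015-01-05T10:02:01 10.0.0.5 198.51.100.7 315
2015-01-05T10:02:09 10.0.0.5 203.0.113.9 5200
2015-01-05T10:03:00 10.0.0.5 198.51.100.7 311
2015-01-05T10:04:00 10.0.0.5 198.51.100.7 313
2015-01-05T10:06:30 10.0.0.5 203.0.113.9 713
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    return by_pair


def find_beacons(by_pair, min_hits=4, max_jitter=0.15):
    """Return (src, dst, period_seconds) for pairs whose inter-connection
    gaps are nearly constant.  Jitter is the coefficient of variation of
    the gaps (standard deviation / mean); thresholds are illustrative."""
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few observations to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((src, dst, round(period, 1)))
    return hits
```

Tune `min_hits` and `max_jitter` against your own traffic; real implants add random delay, so a wider jitter window and a longer observation period catch more at the cost of more false positives.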

People power

Hackers know something many people don’t: breaches succeed when employees act dumb—e.g., using weak, easily guessed passwords, failing to patch their computers, sharing too much information on social media. “This is an area which, for far too long, has been neglected,” Ciampa said. He thinks society should get ahead of the problem by introducing basic computer security concepts in school. Too often, young company recruits arrive lacking the knowledge to work securely in a digital environment. Ciampa blames social media. Many youngsters use it multiple times an hour with little thought to security and privacy—and then bring those habits into the workplace.

Deep encryption

Data encryption plays a crucial role in keeping information safe, Ciampa said. His webinar co-presenter DeBandi from Ciena couldn’t agree more. DeBandi described his company’s solution: bulk encryption applied so deep in data that no matter what protocol is used to transport it and no matter what application is used to access it, the information is protected. Said DeBandi, “Anything leaving a data centre or any other carrier POP is encrypted on the way out.”

Defence mechanisms like these will help companies meet hackers head on—an important capability that not only protects data, but also increasingly protects people’s lives. Ciampa pointed out that medical equipment such as heart monitors and defibrillators is vulnerable to outside attacks that disable the lifesaving gear. Problems at such an intimate level could be what really compels organizations to reassess their security systems and their attitudes about information protection.
