Executive Briefings

How You Can - and Must - Enhance Your Cybersecurity Program

Somebody wants your company's secrets. And there's an excellent chance that they'll succeed in getting them.


Cyberspace is rife with attacks on proprietary business networks. For all of its obvious benefits, the internet has made possible an exponential increase in industrial espionage and outright thievery of sensitive data.

Some of the world's biggest companies - even those thought to be among the most secure - have been targets. In March of 2011, RSA, the security division of IT provider EMC, was subjected to the theft of security tokens designed to protect millions of computers from unauthorized users. The stolen tokens were then used in a cyberattack against aerospace giant and RSA customer Lockheed Martin.

Last August, Saudi Arabian Oil Co. (Aramco) was the victim of a spear-phishing attack, which resulted in the permanent erasure of data from some 30,000 company computers.

And in March of this year, in what was called "the biggest cyberattack in history," the European anti-spam organization known as The Spamhaus Project withstood a massive distributed denial of service (DDoS) attack, allegedly by a Dutch web-hosting firm.

Those are just three of the countless incidents to have occurred in recent years. They involved varying degrees of sophistication on the part of miscreants; the attack on Spamhaus apparently could have been carried out with no more than a laptop and an internet connection. According to the Center for Strategic & International Studies, between 80 and 90 percent of successful corporate network breaches require "only the most basic techniques."

From all of this, we can derive a disturbing, three-part lesson: Hacking is easy. Hacking is prevalent. Hacking is very likely happening to you.

Now, as if cybercrime by private citizens weren't enough, we must also contend with aggressive action by foreign governments. According to numerous press reports, China is among the most outrageous violators today. The People's Liberation Army is said to be engaged in a concerted, multi-year campaign of cyberattacks against both businesses and U.S. government agencies. Ground zero for the relentless campaign appears to be a nondescript building outside Shanghai, staffed by a secret military group known as PLA Unit 61398.

The group's activities were exposed this year by a report from the information-security firm Mandiant. It claims that Unit 61398 has "systematically stolen confidential data from at least 141 organizations across multiple industries."

Flushing such activity into the open can be a potent weapon of sorts. Mandiant supplemented its report on computer hacking by the Chinese military with the release of several thousand identifiers that can help companies to detect and guard against future attacks from that source. In fact, the firm's efforts appear to have resulted in a temporary lull in activity by the Shanghai unit. But they're expected to have little impact on the Chinese hacking campaign over the long run.

So where does this leave businesses, particularly those with global supply chains involving multiple partners? Not in a very good place, unfortunately. In a recent paper for CSIS, cybersecurity expert James A. Lewis noted that hacking is pervasive and easy to carry out. Yet the business world remains blissfully unaware of the threat.

Approximately one-quarter of all malware isn't blocked by current techniques, including off-the-shelf antivirus software, Lewis says. And 85 percent of security breaches go undetected for months - plenty of time for companies to suffer severe damage through loss of vital data.

The failure can't be chalked up to a lack of investment. Lewis says government and private companies are spending up to 7 percent of their IT budgets on cybersecurity. The total bill for security software was said to have hit $17.7bn in 2011. It's likely to be even higher today.

Clearly the old techniques of defending against cyberattacks haven't worked. Traditional network security methods are reactive in nature, and of limited effectiveness even then. Newer and more effective methods focus on a program of continuous diagnostics and mitigation measures, according to Lewis. "The strategies used in this approach reduce the opportunities for attack and force attackers to develop more sophisticated (and expensive) techniques or to give up on the target," he writes.

Lewis says companies need to adopt "a minimum standard of due care" in their cybersecurity programs. As a guide for action, he cites work by the Australian government's Defence Signals Directorate (DSD) and the U.S. National Security Agency (NSA). DSD has come up with a list of 35 recommended mitigation strategies, while NSA lists 20 "critical controls."

For companies looking to tighten up their cybersecurity measures, the first four of DSD's recommendations provide an excellent start. They are:

- Use application whitelisting to restrict your computers and networks only to those programs that are specifically approved by you.

- Patch applications, installing the updates that correct the vulnerabilities in such programs as Microsoft Office, Adobe Flash, Java and various Web browsers.

- Similarly, accept patches to plug vulnerabilities in operating systems such as Windows (which has long been notorious for its exposure to hackers).

- Place tight controls on administrative privileges. Keep to an absolute minimum the number of individuals who are authorized to make changes on your network.

DSD says those four strategies will help to protect organizations from "low to moderately sophisticated" intrusion attempts. In fact, the agency says, they can ward off more than 85 percent of cyber intrusions. What's more, Lewis says, the measures tend to remain effective despite the ever-evolving nature of cyber threats.

They are not, of course, the complete answer. For most companies, there simply isn't one. No system can protect against all types of attacks, but diligent companies can get to the point where cyberspace "is no less secure than any other environment we operate in," says Lewis. And that's a far better state of affairs than most businesses are in today.

Next: A supply-chain perspective on cybersecurity.



Keywords: supply chain, supply chain management, supply chain security, cybersecurity, supply chain risk management, supply chain visibility, supply chain planning, international trade, supply chain management: supply chain security & risk management
