Risk
2/28/2010
01:08 PM
50%
50%

Tech Insight: Preparing Your Enterprise For Cyberwar

Recent attacks prove you don't have to be in government or maintain a critical infrastructure to be a target. Are you ready?

Is your organization ready for a cyberwar?

If your answer is no, then you're not alone. CNN's broadcast of the Cyber Shockwave simulation helped to demonstrate that major government agencies in the U.S. aren't ready to even find the source of such an attack, much less defend against it. And many organizations that play a role in critical infrastructure are even less prepared than those agencies.

You're also not alone if you think a cyberwar probably won't affect your organization. Many enterprises believe that if they aren't directly involved in banking, utilities, or critical infrastructure, then they won't be involved in a cyberattack. But even in the politically motivated attacks we've seen so far, there has been collateral damage. Most recently, theAurora attacks against Google and U.S. companies demonstrated that no company is safe from becoming a target.

McAfee's fifth annual "Virtual Criminology Report" asks the question, "Is the 'Age of Cyber War' at hand?" There's no doubt we're at the brink of that age -- if it hasn't already begun. The simple act of doing business with a targeted company or nation could mean attackers take aim at you tomorrow.

So what should your organization do to prepare? The first step is to have a strong disaster recovery and business continuity plan in place. Being ready to withstand a disaster is good business, noted Scott Borg, director of the U.S. Cyber Consequences Unit, in the McAfee report. Well-prepared businesses stand to gain considerable market share, and "their reputations will emerge from the crisis in better shape than businesses that were less prepared," he said.

Surviving an attack that's part of a widespread cyberwar -- or even a smaller, focused hacktivist campaign -- requires more than just being sure your data is safe and your systems can be resurrected at another site. It's critical to develop a strategy for preventing attacks that are designed to penetrate your perimeter and gain access to sensitive information -- a lesson often learned too late.

Many of the recent politically motivated attacks could have been prevented with existing security tools and controls -- if they were properly implemented. For example, the Aurora attacks targeting Internet Explorer were designed to exploit IE version 6. Unless these were test machines that should have been on a highly restricted network, a good patch management program might have mitigated the effects of the attack.

But patch management is only part of the answer. Aurora also involved zero-day exploits. Shortly after the suspected original exploit code surfaced, new code was developed and released by security researchers that could be used against newer versions of Internet Explorer, bypassing some of the recommended protections. Still, solutions like host-based intrusion prevention systems (HIPS) and application whitelisting could have helped prevent the exploit, or at least a systemwide compromise.

Antivirus vendors have been incorporating HIPS-type of protections into their enterprise antivirus products for several years. Some of those features include preventing new executables from being written to common system directories, buffer overflow protection, and blocking network communications from certain executables.

Working together with patch management, AV, and HIPS, application whitelisting can prevent unauthorized executables -- such as those associated with cyberattacks -- from running. The rules can be based on path, file hashes, certificate, a repository of known goods, or other variables, depending on the solution. Combine application whitelisting with advanced AV, patch management, and HIPS, and you have an extremely powerful defense.

Of course, there are standard "best practices" we should be performing to protect our networks, and any of these could also help against advanced attacks. But the issue always comes down to security versus productivity and functionality. The sad truth is that users almost always end up having more privileges and access than they need, making them an easier target. Far fewer threats would affect your users' systems if they had to prove a business need before they were allowed to access the Web.

Ultimately, it comes down to limiting your attack surface and protecting what's left. When you can do that effectively -- and still being productive -- then you're in a good position to weather possible cyberwar.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.