
Risk

2/28/2010
01:08 PM

Tech Insight: Preparing Your Enterprise For Cyberwar

Recent attacks prove you don't have to be in government or maintain a critical infrastructure to be a target. Are you ready?

Is your organization ready for a cyberwar?

If your answer is no, then you're not alone. CNN's broadcast of the Cyber Shockwave simulation helped to demonstrate that major government agencies in the U.S. aren't ready to even find the source of such an attack, much less defend against it. And many organizations that play a role in critical infrastructure are even less prepared than those agencies.

You're also not alone if you think a cyberwar probably won't affect your organization. Many enterprises believe that if they aren't directly involved in banking, utilities, or critical infrastructure, then they won't be involved in a cyberattack. But even in the politically motivated attacks we've seen so far, there has been collateral damage. Most recently, the Aurora attacks against Google and U.S. companies demonstrated that no company is safe from becoming a target.

McAfee's fifth annual "Virtual Criminology Report" asks the question, "Is the 'Age of Cyber War' at hand?" There's no doubt we're at the brink of that age -- if it hasn't already begun. The simple act of doing business with a targeted company or nation could mean attackers take aim at you tomorrow.

So what should your organization do to prepare? The first step is to have a strong disaster recovery and business continuity plan in place. Being ready to withstand a disaster is good business, noted Scott Borg, director of the U.S. Cyber Consequences Unit, in the McAfee report. Well-prepared businesses stand to gain considerable market share, and "their reputations will emerge from the crisis in better shape than businesses that were less prepared," he said.

Surviving an attack that's part of a widespread cyberwar -- or even a smaller, focused hacktivist campaign -- requires more than just being sure your data is safe and your systems can be resurrected at another site. It's critical to develop a strategy for preventing attacks that are designed to penetrate your perimeter and gain access to sensitive information -- a lesson often learned too late.

Many of the recent politically motivated attacks could have been prevented with existing security tools and controls -- if they were properly implemented. For example, the Aurora attacks targeting Internet Explorer were designed to exploit IE version 6. Unless these were test machines that should have been on a highly restricted network, a good patch management program might have mitigated the effects of the attack.

But patch management is only part of the answer. Aurora also involved zero-day exploits. Shortly after the suspected original exploit code surfaced, new code was developed and released by security researchers that could be used against newer versions of Internet Explorer, bypassing some of the recommended protections. Still, solutions like host-based intrusion prevention systems (HIPS) and application whitelisting could have helped prevent the exploit, or at least a systemwide compromise.

Antivirus vendors have been incorporating HIPS-type of protections into their enterprise antivirus products for several years. Some of those features include preventing new executables from being written to common system directories, buffer overflow protection, and blocking network communications from certain executables.

Working together with patch management, AV, and HIPS, application whitelisting can prevent unauthorized executables -- such as those associated with cyberattacks -- from running. The rules can be based on path, file hashes, certificate, a repository of known goods, or other variables, depending on the solution. Combine application whitelisting with advanced AV, patch management, and HIPS, and you have an extremely powerful defense.
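As an added illustration (not code from the article or from any product it names), here is a small application-whitelisting evaluator in Python that combines two of the rule types listed above, file hashes from a repository of known goods and trusted paths, and refuses a path rule that points at a world-writable directory; the function names, the policy shape and the sample directory tree are all constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def evaluate(known_good_hashes, trusted_dirs, exe_path):
    """Decide ('allow' | 'deny', reason) for one executable.
    known_good_hashes: set of SHA-256 hex digests (the 'repository of known goods');
    trusted_dirs: directories approved by path rule. Hypothetical policy shape."""
    real = os.path.realpath(exe_path)  # resolve symlinks and '..' before any path rule
    if not os.path.isfile(real):
        return "deny", "not a regular file"
    if sha256_of(real) in known_good_hashes:  # hash rules bind to content: check first
        return "allow", "hash matches known-good repository"
    for d in trusted_dirs:
        d_real = os.path.realpath(d)
        if os.path.commonpath([real, d_real]) != d_real:
            continue
        # A path rule over a world-writable directory approves whatever anyone
        # drops there, so such a rule is refused rather than honoured.
        if os.stat(d_real).st_mode & 0o002:
            return "deny", f"path rule for {d} refused: directory is world-writable"
        return "allow", f"path rule: under {d}"
    return "deny", "no matching rule"

def demo():
    """Constructed sample tree: a trusted dir, a hash-listed binary outside it,
    an unlisted binary, and a world-writable dir that is listed but refused."""
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, n) for n in ("trusted", "loose", "shared")}
    for d in dirs.values():
        os.mkdir(d)
    os.chmod(dirs["trusted"], 0o755)
    os.chmod(dirs["shared"], 0o777)
    files = {"svc.exe": ("trusted", b"svc"), "tool.exe": ("loose", b"tool"),
             "drop.exe": ("loose", b"drop"), "x.exe": ("shared", b"x")}
    paths = {}
    for name, (d, data) in files.items():
        paths[name] = os.path.join(dirs[d], name)
        with open(paths[name], "wb") as f:
            f.write(data)
    known = {sha256_of(paths["tool.exe"])}
    return {n: evaluate(known, (dirs["trusted"], dirs["shared"]), p)[0] for n, p in paths.items()}
```

Running demo() allows svc.exe (path rule) and tool.exe (hash rule) and denies drop.exe (no rule) and x.exe (its directory is world-writable).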

Of course, there are standard "best practices" we should be performing to protect our networks, and any of these could also help against advanced attacks. But the issue always comes down to security versus productivity and functionality. The sad truth is that users almost always end up having more privileges and access than they need, making them an easier target. Far fewer threats would affect your users' systems if they had to prove a business need before they were allowed to access the Web.

Ultimately, it comes down to limiting your attack surface and protecting what's left. When you can do that effectively -- and still be productive -- then you're in a good position to weather a possible cyberwar.
