I often encourage my clients to be paranoid about security, but never to the point of throwing the baby out with the bathwater, which is exactly what the Economic Development Agency did two years ago when responding to a report that some of its computers were infected with malware. Due to a mixture of clerical error, poor communication and straight-up inexperience (in a government agency? Imagine that!), the top brass at the EDA received a report that stated over a hundred devices on its network were infected. Believing the technology to be unrecoverable, they proceeded to physically destroy all of it, including mice, keyboards, monitors, printers and other devices that couldn’t be infected with malware, rather than risk the spread of infection, to the tune of nearly $3 million.
What this means for you:
If you’ve ever had a really bad malware infection, you sometimes might hear the technician say, “It’s probably best if we nuke this thing from orbit,” referring to a favorite scene from the movie Aliens. Obviously, your computer is going to be just fine, as he’s actually just talking about wiping out the contents of your hard drive and starting with a fresh install of your operating system. Unless he’s a contractor who lists the EDA as a former client, in which case you might want to show him the door and call someone else.
In all seriousness, a situation like this can easily happen if your organization’s leadership has an incomplete understanding of technology and security. In the above case, a little knowledge and a pinch of common sense could have saved the EDA a lot of money and embarrassment. Continue to be paranoid about security, but only “nuke from orbit” when your company is completely overrun by man-eating aliens. A malware infection, or even a serious security breach, can be handled without slaughtering all those helpless keyboards and mice.
With results that will probably surprise no one (and warming the hearts of black-hat hackers everywhere), the US Government Accountability Office has published its findings on a recent security audit of the Internal Revenue Service. The summary reads like the report card every good parent dreads: “Needs improvement.” Despite having a comprehensive security plan (the development of which was funded by your dollars!), the GAO has found that the IRS has failed to follow through in many areas of implementing and enforcing that plan in various parts of its operation, and these failures have severely compromised the overall security of the very important data the IRS collects on all American citizens.
What this means for you:
As you might expect, the 31-page GAO report is not the most exciting of page-turners. I’ll save you the dry read with the “moral” of the story: having a security policy is only as good as how well it is enforced and maintained. It does your company no good to say that “All employees must use strong passwords that are changed every 60 days” if no one is checking to see if they are actually adhering to the policy. It’s actually much worse for your company if you do have a security policy, experience a breach, and then discover that the breach was due to lack of enforcement.
Don’t get me wrong – I’m not recommending against having a security policy. You should have a security policy, especially if you handle sensitive data of any sort, and you should be making every effort to enforce, update and maintain that policy on a regular basis. A simple security breach could cause untold damage to your company’s reputation, and even more so if you have to admit that it happened because you failed to follow through on your own company’s policies.
Though it’s no secret to the security world, the US government has specifically avoided naming Chinese state agencies as the source of a tremendous surge in cyberattacks on corporate and government institutions over the course of the past 2 years. On Monday, the gloves finally came off as Obama’s security advisor, Tom Donilon, pointed the finger of blame right at China’s military in a speech given to the Asia Society in New York, NY, as evidence gathered by multiple security firms continues to build toward an unavoidable confrontation on this issue. The Chinese government has of course denied these allegations, but has also said that it is willing to meet with the US and other nations to discuss cybersecurity.
What this means for you:
It’s still very early in the ballgame to decide if this is going to make things better or worse for the average business. At the moment, unless you are on the short list of companies that have information worthy of corporate or state-sponsor cyber-espionage, nothing will change for you, as your threats are likely still coming from the “traditional” vectors: either organized criminal elements seeking to steal from you, or random mischief and mayhem generated by malware controlled by those with less focus and malice. Today, as before, constant vigilance remains the most effective tool in your defense.
Targets of state-sponsored cyberattacks will continue to have a great deal to worry about. Where a “garden variety” attacker encountering strong defenses would normally move on to easier marks, cyber espionage targets will typically suffer through a dedicated, prolonged campaign of multiple types of attacks (brute force, trojan horse, spear phishing, social engineering, etc.) because of the valuable data or services protected within and the deep pockets of the government powering their efforts.
It’s not immediately clear what either government hopes to accomplish by meeting on cyber warfare, other than to set up guidelines that will only be used for political leverage when violated by the other party, and probably ignored when it suits either country. As you can imagine, rules like the Geneva War Conventions only work when both sides are willing to abide by them.
Following recent attacks by hacktivist group Anonymous on various government websites, the Department of Energy has reported that it too has been hacked, and personal information on hundreds of its employees has been compromised. The DOE has been relatively tight-lipped about the breach, and it’s not immediately clear whether this may be related to Anonymous’s current campaign “Operation Last Resort” which aims to reform computer criminal laws in the wake of internet celebrity Aaron Swartz’s suicide. In the case of the Anonymous-led attacks, various government websites have been completely taken over by hackers and used to post derogatory videogame parodies and login credentials for hundreds of banking executives.
What this means for you:
The gloomiest of the doomsayers are saying that in the near future, there will be only 2 types of businesses: “Businesses that have been hacked, and ones that don’t know that they’ve been hacked.” We’re not there yet, but some analysts believe we’ve hit an inflection point in cyber security where the criminals are now ahead of the business world in terms of sophistication and advantage. If the above is any indication, many government institutions are probably even further behind businesses in terms of security. Does that mean it’s time to pack up all that technology and return to paper ledgers, brick and mortar storefronts and hand-written checks? Not yet, but the businesses that take an aggressive stance towards tightening up their ships will stay well ahead of the competition, especially when those looser ships start to spring cyber-leaks.
What’s the first step? Find out if you have an information security policy. If so, make sure it’s being enforced. If not, call me right away to start talking about how to get your company’s technology battened down for the coming storm.