The Cordon Sanitaire on Cyber Security

In response to: Break a wall of silence on cyber attacks

Gillian, you must read this: http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109

It is fiercely difficult for world-class companies to protect against cyber attacks; a cadre of highly specialized professionals is absolutely required. These professionals are very difficult to recruit, difficult to maintain and even more difficult to manage.

An important point to make is that China is behind many of the more notorious attacks. The Vanity Fair piece above details how and why. In short: it is easier to steal intellectual property than it is to buy or invent it.

Organized crime is targeting banks, and already many banks are no longer compensating customers for money stolen out of their accounts by cyber criminals. There’s a growing risk that a bank could be compromised to the extent that it will fail or, perhaps worse, be subverted or held hostage by criminals threatening to reveal the extent to which it and its customer data have been compromised. Worth mentioning is that databases of foreign account holders with Swiss banks were stolen by bank employees and sold to governments seeking tax dodgers: corruptible clerks are another security risk.

Small and medium-sized companies can do a lot to improve security. One is to forward internet access through firewalls, ideally self-made firewalls based on OpenBSD (http://openbsd.org) installed on stock Intel computers. Second is to decrease the exposure of critical or sensitive data on networks: is it really necessary for an entire company to be connected to the internet, or can people rely on specific devices (tablets, phones) for internet access? Disconnecting desktop computers from the internet may seem draconian, but it can be cushioned, and it will decrease exposure significantly. Third is to use Windows only on machines that absolutely require it and move everything else to more secure operating systems, especially OpenBSD, although a Linux like Ubuntu or Mac OS X is to be preferred as well.

Sadly enough, IT staff is often being cut to save costs. Many banks prefer to outsource their IT operations to low wage countries, a process that makes the whole of IT even less transparent. Top management echelons in banks would rather not know too much about the nitty gritty of their IT, while that is increasingly the very core of their business.

The lesson for companies is: own your whole company, especially your IT processes. It no longer is sufficient to plead ignorance or blame the CTO.

I think you’re right, Gillian, that the wall of silence must be broken, but companies are silent because they also are aware there’s so very little they can do about it. They don’t have sufficient talent to guard against attacks; they don’t know what, if anything, has been stolen or compromised. A freak hack could set in motion a cascading failure, and most pray it won’t happen on their watch or in their company.