Sophistication has added a new twist to online security. The clunky grammar and bizarre URLs of past years have been replaced by targeted messages sent to specific people. Preparing for a cyber attack now requires far more than casual awareness and technical safeguards.
In the following Q&A, "Inside Cyber Warfare" author Jeffrey Carr outlines a host of security techniques companies can implement. He'll expand on many of these ideas during next week's free webcast Preparing for a Cyber Attack.
Carr stressed, both in this interview and in a past discussion, that cyber security preparedness works best when it's based in reality. That means each company needs to assess its own risk. If your business deals with general information that's publicly available, or its value is negligible, you don't have to overdo it on the security front. The recommendations included in this interview are for companies that possess valuable information and believe they could be targeted.
Phishing grows up
Jeffrey Carr: Old phishing attacks were easy to spot. They had almost no relevance to the recipient. The response rates were extremely low. But it's improved greatly, to the point it's now called "spear phishing." Spear phishing is a focused attack on specific targets.
I can use myself as an example because this was done to me. I had a spear phishing attack that went out to .mil and .gov email addresses under my name. And it was ironic because it warned of a spear phishing attack. From what I can tell, that was very successful. People clicked on it.
That's an example of how targeted these spear phishing attacks can be. Even a sophisticated user can click on a link. And once you click, whether it sends you to an infected website or it downloads a document with embedded malware, that will generally install keylogger software on your system. The software captures your username and password at any given site, including your bank. And if you're an employee at a bank, it'll also capture your internal passwords and any type of authentication keys you use.
Spear phishing is so pernicious because you can't rely on a firewall; you can't rely on antivirus. You have to rely on the suspicious nature of your employees, and that may vary from employee to employee. Part of the preparation for this is training. I think once employees hear about it, awareness has an impact. And if they do receive a suspicious email, or it's an internal email that has a link or a document attached, they can pick up the phone and verify it. Just take that one extra step.
How do you discover an attack?
Jeffrey Carr: In the financial community, they don't know about an attack until the money is missing. Generally speaking, attackers are not going to make a mistake and be noticed prior to completing the transactions because they're logging in as a trusted person on the network. Again, that's why protection falls back on an employee's awareness to look at an email or look at a link and be more cautious about what he or she clicks on or downloads.
For other types of companies, probably the only way you're going to know you've been attacked is if you've got somebody monitoring your network and the attackers make mistakes. If you see large amounts of data leaving your network during the day, and it's not encrypted or it's not going through the port that generally carries most of your traffic, then you can catch it. But if the attackers are careful, you probably aren't going to catch it for quite a while.
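The check Carr describes above, large amounts of data leaving the network on a port that does not normally carry most of the outbound traffic, can be scripted against flow records. The following is an added example, not part of the interview and not Carr's code: it compares one day's NetFlow-style egress against a baseline port mix and flags aggregates that are unusually large, use a port the baseline rarely saw, or run over a protocol that is normally cleartext. The internal address ranges, the record shape `(src_ip, dst_ip, dst_port, bytes)`, the thresholds and both flow lists are constructed assumptions.

```python
# Added example (not from the interview): minimal egress-anomaly check over
# NetFlow-style records. Assumed record shape: (src_ip, dst_ip, dst_port, bytes).
from collections import Counter, defaultdict
import ipaddress

# Assumed internal address space; adjust to the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Ports whose protocols usually carry cleartext (a heuristic, not proof of no TLS).
PLAINTEXT_PORTS = {21, 23, 25, 80, 110}

# Constructed "normal day" egress used as the baseline port mix.
BASELINE_FLOWS = [
    ("10.0.1.15", "93.184.216.34", 443, 120_000),
    ("10.0.1.22", "93.184.216.34", 443, 98_000),
    ("10.0.1.22", "203.0.113.7", 80, 45_000),
    ("10.0.1.30", "203.0.113.7", 443, 60_000),
    ("10.0.1.31", "198.51.100.4", 53, 2_000),
    ("10.0.1.31", "203.0.113.7", 443, 70_000),
]

# Constructed "today" records to be judged against the baseline.
TODAY_FLOWS = [
    ("10.0.1.15", "93.184.216.34", 443, 130_000),
    ("10.0.1.22", "203.0.113.7", 443, 55_000),
    ("10.0.1.30", "198.51.100.9", 6667, 4_200_000),  # big transfer on a port the baseline never used
    ("10.0.1.30", "198.51.100.9", 443, 3_500_000),   # big transfer hiding on the usual port
    ("10.0.1.15", "10.0.2.5", 445, 9_000_000),       # internal file copy; not egress, ignored
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_flows(flows):
    """Keep only flows that leave the organization (internal source, external destination)."""
    return [f for f in flows if is_internal(f[0]) and not is_internal(f[1])]


def port_profile(flows):
    """Fraction of egress flows per destination port: the 'normal' outbound mix."""
    ports = Counter(f[2] for f in egress_flows(flows))
    total = sum(ports.values())
    return {p: n / total for p, n in ports.items()} if total else {}


def flag_suspicious(today, baseline, volume_threshold=1_000_000, min_port_share=0.05):
    """Aggregate today's egress per (src, dst, port) and return the aggregates
    that exceed the byte threshold, use a port the baseline rarely carried,
    or run over a normally-cleartext port. Largest transfers first."""
    profile = port_profile(baseline)
    totals = defaultdict(int)
    for src, dst, port, nbytes in egress_flows(today):
        totals[(src, dst, port)] += nbytes

    findings = []
    for (src, dst, port), nbytes in totals.items():
        reasons = []
        if nbytes > volume_threshold:
            reasons.append("high volume")
        if profile.get(port, 0.0) < min_port_share:
            reasons.append("uncommon port")
        if port in PLAINTEXT_PORTS:
            reasons.append("plaintext protocol")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port,
                             "bytes": nbytes, "reasons": reasons})
    findings.sort(key=lambda f: f["bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(TODAY_FLOWS, BASELINE_FLOWS):
        print(f"{finding['src']} -> {finding['dst']}:{finding['port']} "
              f"{finding['bytes']:,} bytes  ({', '.join(finding['reasons'])})")
```

The port share is computed from flow counts rather than bytes so that a single huge transfer cannot make the baseline's own ports look rare. A volume threshold on its own still catches the second large transfer in the sample, which uses the normal port; as Carr notes, a careful attacker who keeps transfers small and on the usual port will not trip either rule.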
You've been attacked. Now what?
Jeffrey Carr: After an attack, you're going to want to do the things that you should have done before. You'll have to force password changes across your organization. Then you'll need to conduct an assessment, looking at things like: what was done, how was it done, what was the point of entry, what malware was used, and what IPs were used to collect the data. That will help you devise a new strategy. It's also important to remember there's no such thing as 100-percent protection.
I am a firm believer in transparency. Right now, there's not enough public attention around these attacks. After becoming aware of an attack, I would immediately contact law enforcement, my software security vendor, and my network monitoring company. If you don't already have people watching your network, you need to arrange for someone to do that.
Then, I would wait until I have all the information and then go public. By "public," I mean contacting your congressman or contacting other people that should know: local politicians, state politicians, and federal politicians.
Should companies disconnect all critical information?
Jeffrey Carr: You'd think there would be a way to protect anything in the age of electronics, but some companies go back to a pre-technology solution: lock information in a safe with no access. In a way, that's what's done with classified networks. If you have to regularly visit a site that's classified, you'll have two computers. One will be only for the classified network, and the other will be for the unclassified network or the regular Internet. And never do those two networks cross. That's typically very effective and it would be something a company would want to do if it has really critical information that it simply cannot afford to lose.
Learn more about this topic from Inside Cyber Warfare.
You may have heard about "cyber warfare" in the news, but do you really know what it is? This book provides fascinating and disturbing details on how nations, groups, and individuals throughout the world are using the Internet as an attack platform to gain military, political, and economic advantages over their adversaries. You'll learn how sophisticated hackers working on behalf of states or organized crime patiently play a high-stakes game that could target anyone, regardless of affiliation or nationality.