ASK ANY IT DEPARTMENT about the state of its defences and you will hear reassuring words that all is well. But that is unlikely to be true. Firewalls and malware protection packages are, at best, leaky and, at worst, transparent to the latest generation of attackers.
Even the biggest organisations are not safe – just look at Twitter. A quarter of a million users had their accounts compromised when emails, passwords, usernames and other data were stolen.
Those persisting in a DIY approach are most at risk; unaware while the unseen hand of spyware trawls through their files. It doesn’t do damage; it comes to gather information. It encourages the host to consume and use more, lulling it into a false sense of security.
Let’s put this into perspective: The lone hacker might be expending a few thousand pounds, while a gang of organised hackers would use tens of thousands, and criminal gangs spend a few million. However, rogue states come in at a much bigger spend, between £100m and £1bn. So, as a crude measure of your defences, just add up your entire company spend on cyber-crime protection. Then reflect on the huge imbalance and consider – is all well, and are you really safe?
A recent case involved The New York Times which was invaded by over 40 species of malware with a suspected origin in China. A specialised company let the malware work for a month so it could identify all points of access. It then blocked all ports and repaired all infected machines. The NYT is now thought to be clean. But is it? I’d put money on the table that says it is not.
These attacks are difficult to detect, and they infuse networks with malware of different grades – some you can find and some can only be detected with massive resources. The bar has been raised even higher and the threat never sleeps.
So, where are we? First: no company can go it alone. They don’t have the people, technology or money to defend themselves against state-sponsored threats. And viruses are available on the internet for anyone wanting to do damage.
Second: the methods of the past cannot possibly work in the face of a growing bring-your-own-device culture and faster people, technology, product and market changes.
Third: IT departments are already overloaded. People are the biggest risk. The personal mobile phone, tablet and laptop present backdoors that are wide open. Leave a memory stick on a coffee shop table and it will be in someone’s pocket within 20 minutes and on the network within two hours. Far easier than breaching a firewall.
What to do? Get into the cloud fast. But be smart and go with multiple suppliers, internet service providers, devices, operating systems and apps. Compound this with multiple fixed, mobile and transient clouds. And create dirty clouds (public) and clean clouds (corporate). Encrypt all important files, parse and store on several unrelated servers in different physical locations. Employ a priori knowledge and use cryptic conversation styles. And beef up all access points beyond a password and a PIN.
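One way to make the "store on several unrelated servers" advice concrete, as an added example that is not from the column or its author: the file is split into n shares by XOR (one-time-pad) secret sharing, one share per server, so that a server compromised on its own yields nothing and every server is needed to reassemble the data. The server names, the one-byte share index and the SHA-256 integrity tag are assumptions of this example; in practice the file would first be encrypted with a proper authenticated cipher and the ciphertext split.

```python
import secrets
import hashlib

# Assumed convention for this example: each share is prefixed with a 1-byte
# index so the storage layer can label it, and the owner keeps a SHA-256 tag
# of the original data to verify the reassembled copy.

def split_shares(data, n):
    """Split data into n shares; all n are required to reconstruct.
    Shares 0..n-2 are uniformly random pads; the last is data XOR all pads,
    so any n-1 shares are statistically independent of the data."""
    if n < 2:
        raise ValueError("need at least two shares to gain anything")
    pads = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = bytearray(data)
    for pad in pads:
        for i, b in enumerate(pad):
            last[i] ^= b
    shares = pads + [bytes(last)]
    return [bytes([i]) + s for i, s in enumerate(shares)]

def reconstruct(shares):
    """XOR every share body back together; order of shares does not matter."""
    bodies = [s[1:] for s in shares]
    out = bytearray(bodies[0])
    for body in bodies[1:]:
        if len(body) != len(out):
            raise ValueError("share length mismatch")
        for i, b in enumerate(body):
            out[i] ^= b
    return bytes(out)

def integrity_tag(data):
    return hashlib.sha256(data).hexdigest()

def store_across_servers(data, servers):
    """Assign one share to each server; a dict stands in for remote storage."""
    shares = split_shares(data, len(servers))
    return dict(zip(servers, shares)), integrity_tag(data)

def recover(stored, tag):
    """Reassemble from whatever shares came back and verify against the tag."""
    data = reconstruct(list(stored.values()))
    if integrity_tag(data) != tag:
        raise ValueError("reassembled data fails integrity check")
    return data

if __name__ == "__main__":
    servers = ["server-a", "server-b", "server-c"]  # constructed names
    stored, tag = store_across_servers(b"constructed sample: design docs", servers)
    print(recover(stored, tag))
```

Losing or withholding any single server's share leaves the remaining XOR as random bytes, which the integrity tag rejects.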
Additionally, ask your IT department about URL hopping and anonymity software. Consider simple but cost-effective biometrics involving hand, eye, face, voice, typing, locations and habits. This isn’t rocket science, and it is far better than assuming the hackers have been held at bay.
The only recourse is to create large groups capable of developing sophisticated defences to counter the new enemies. Make it difficult for them through mobility and obscurity. Engage with the cloud and embrace multiple layers of protection. And don’t think for a moment you are safe. Assume that is not the case, and act accordingly. Remember – the primary aim of the new threat is not to do damage. It wants you to succeed so it can profit from your knowledge – it really is parasitic in every sense of the word.
Peter Cochrane is an IT consultant and former chief technologist at BT