There has been a lot of talk this year about the increasing sophistication of cybercrime threat – even going so far as to claim that virus creation has moved into the “Web 2.0” era. However, as is often the case in the security industry, hyperbole and drama garner all the attention, while gentle reminders of continued good practice can easily be forgotten.
Many in the security industry continually stress the importance of implementing the “latest prevention trend’ – a recent example being behavioral analysis – or debate the danger of the latest Conficker-esque “zero-day exploits”. However, approaching security policy in this manner encourages a reactive standpoint and leaves organizations constantly attempting to play catch-up with the cyber criminals.
A lot of the talk is designed to make the security industry seem ever more enthralling, but it seems fair to say that the software being used now to create viruses isn’t much more sophisticated than it was ten years ago. Certainly, there are more threats now than there ever have been, and it’s likely that the rate at which viruses are created is accelerating every year. But the make-up and threat level of the individual viruses themselves hasn’t changed enough to mean entirely new prevention processes are required. It’s effectively the same virus creation software that’s being used – just re-invented and re-monetized for phishing and key-logging purposes.
It may not sound as exciting as much of the talk, but enterprise strategy should be the same as it has always been; ensuring strict methodologies and processes are in place to restrict the threat of malicious attacks. The crucial part of this strategy is to always be proactive rather than reactive in the way you approach security – staying one step ahead of the criminal. Aside from the obvious port blocking and virus and malware scanning that we can assume the majority of enterprises have in place, there are other cost-effective and valuable proactive processes that can be undertaken by CSOs, which can vastly improve a company’s level of security.
Both vulnerability scans and penetration testing of the network, for example, should be carried out regularly, but they just do not seem to happen frequently enough. The company network is a living breathing entity – machines are constantly being removed and added, the network grows and contracts. Regular testing should be carried out; on a day-to-day basis there could be new vulnerabilities and more holes for cyber criminals to exploit.
Vulnerability scans and penetration testing are not synonymous and should both be carried out on a regular basis as they expose different weaknesses in a network. Penetration testing needs to be carried out by a specialist external company, which sees how far it can infiltrate the network from three angles; as if a stranger, from inside a user account and as an administrator. This needs to happen at least a couple of times a year. End-user companies themselves can carry-out vulnerability scans, although these scans are only as good as the scanning software itself, if it is not constantly updated it will be useless against new, emerging threats.
Another, often overlooked, way for security professionals to be proactive is to get out amongst their peers and network, which can help the sharing and discussion of the latest industry thinking. You can network socially both in the old-fashioned sense, for example being a member of an organization such as the Computer Emergency Support Team (CERT), which provides advice on the latest threats and gives patching advice; as well through new e-mediums such as online forums and increasingly Twitter, from which CSOs can gain real-time updates on the latest trends.
Attempting to stay one step ahead with cyber criminals is a difficult game. There will always be new malicious code, and there will always be attackers attempting to break the latest encryption processes. In many ways, approaching security in a reactive sense will always be a thankless task. But, by employing strong, consistent, proactive measures, enterprises can ensure they are in the best possible position to protect themselves against cyber criminals looking for an easy payload.