We increasingly see cyberattacks around us, even against companies we know. Cyberattacks are no longer only a “global issue” but also a local one, impacting the companies we support and, vice versa, the companies that support Hong Kong. Cyberattacks will be a problem as long as we use computers, smart devices, or any device connected to the internet.
The board members and/or top management I meet often ask: doesn’t a wide range of security products such as firewalls, anti-virus/anti-malware software, and intrusion detection (or prevention) systems protect us from cyberattacks?
Yes and no.
No “magic bullet”
While some companies invest more in cyberdefenses than others, no company can achieve 100% protection. Security products are tools that enable companies to apply cyber defense tactics consistently and more efficiently. A company with strong and comprehensive cyber defense tactics may achieve a higher level of protection than a company that acquired a lot of security products but doesn't use mature cyber defense tactics. The real question is: why don’t companies have a well-planned cyberattack response mechanism?
An established and mature cyberattack response mechanism helps a company swiftly detect an active cyberattack, fully understand the affected data and network, and immediately deploy fixes to contain the impact and address the root causes of attacks before the next wave comes. From my previous experience helping different companies respond to active hacks, it's a tough task. But there are ways to build a reasonably effective response mechanism to defend us in the ongoing cyberwar. Here are three inspired by “The Art of War” by Sun Tzu:
1. Know the enemy and know yourself
When hackers successfully infiltrate our networks and systems—slurping up credit card data, business data, and personal information—we can't pretend we “didn't know” we collected and stored that data in our systems. Building and maintaining an inventory of systems and data (including backups) is the way to visualize our “attack surface”: how exposed we are, and which part of our network needs protection the most. This is the base upon which to build subsequent cyber defenses.
2. Forage on the enemy
IT networks are complex, and different forms of internal and external data-sharing add another layer of complexity. To create an effective defense, we must harvest the wisdom of hackers. Focus on protecting areas that are “low hanging fruit” for hackers (e.g., files on network drives or shared folders that contain usernames and passwords). Go online and you will find articles from ethical hackers who share their hacking journeys and the consequences. Do you see your company (or a similar one) in those case studies? Learn from the hackers so you can prioritize your energy and resources when protecting your company. Hire a team of ethical hackers for a cyberattack simulation service. Where to meet them? There are a few hacking competitions in HK coming soon that are open to the public—let me know if you have difficulties finding them.
3. Hide in the most secret recesses of the earth
In the context of cybersecurity, this means hiding your crown jewels behind multiple layers of protection. Traditional network architecture has different zones for internet-facing servers, internal resources (e.g., file servers, core systems) and office computers including laptops and workstations. Like our home, we have a living room to welcome our guests (the zone for visitors from the internet to our websites), but also a bedroom where we put our more important (or private) assets (the zone for internal resources).
Unfortunately, this analogy falls apart when malware enters the equation.
Malware comprises malicious programs with “phone home” functions. Malware is sent by hackers to victims via emails, instant messengers and other online communication channels. Once the victim opens the malware-infected attachment using his or her office laptop, the malware attempts to communicate with the hacker (i.e., phones home), download new instructions, execute those instructions, and report to the hacker accordingly. At this point, the hacker is no longer attacking a company directly from the Internet, but attacking the company’s internal resources and employee laptops through the victim’s compromised laptop.
This means servers connected directly to the office network are at risk if one of the employee workstations has been infected by malware. We must classify our servers based on their criticality—servers that are more important should either reside in a separate network segment, or have a “jump-box” between them and the office network.
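As an added illustration of point 3 (example code, not from the article): a small audit that models the network as zones with allow rules between them and asks the question the malware scenario above raises, namely what a compromised office laptop can reach. The zone names and both rule sets are constructed for the example; the flat design exposes critical servers to the office network, the segmented one only via the jump-box.

```python
from collections import defaultdict

# Constructed sample policies (not from the article): each rule is an
# allowed connection direction between two zones, as a firewall/ACL summary.
ZONES = {"internet", "dmz", "office", "jumpbox", "critical"}

# Flat design: core systems sit directly on the office network.
FLAT_RULES = [("internet", "dmz"), ("office", "dmz"), ("office", "critical")]

# Segmented design: critical servers are reachable only through the jump-box.
SEGMENTED_RULES = [("internet", "dmz"), ("office", "dmz"),
                   ("office", "jumpbox"), ("jumpbox", "critical")]


def reachable_from(start, rules):
    """Zones a host in `start` can connect to, directly or via other zones."""
    graph = defaultdict(set)
    for src, dst in rules:
        graph[src].add(dst)
    seen, stack = set(), [start]
    while stack:
        zone = stack.pop()
        for nxt in graph[zone]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def bypasses_jumpbox(rules, from_zone="office"):
    """True if from_zone reaches 'critical' without passing the jump-box."""
    without_jump = [(s, d) for s, d in rules if "jumpbox" not in (s, d)]
    return "critical" in reachable_from(from_zone, without_jump)


def audit(rules):
    """Findings a compromised office laptop or an internet attacker could exploit."""
    findings = []
    if bypasses_jumpbox(rules):
        findings.append("office zone reaches critical servers without the jump-box")
    if "critical" in reachable_from("internet", rules):
        findings.append("internet zone can reach critical servers")
    return findings


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, "->", audit(rules) or "no findings")
```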
It is not easy to build an effective response mechanism to handle cyberattacks. It takes time and lots of investment. But before deciding how to invest, I hope the three ways suggested above will help you prioritize what you need now, and what you need later on.
Felix Kan is an EXCO Member, Cyber Security Specialist Group at Hong Kong Computer Society.