Hewlett-Packard’s Cyber Security Report 2013, released this week, includes an analysis of the huge attacks on computers in South Korea, which crippled banks and television networks through a remote access Trojan. Some sources said the hard disks of around 48,000 computers were wiped. Here’s six lessons it says can be learned. All images from Shutterstock.com.


Don’t rely solely on traditional perimeter security

It’s not enough. One of the key characters of targeted threats is their ability to compromise networks and keep a low profile. They may be missed. In South Korea authentication and session details from SSH clients were used to gain remote server access, so consider PKI rather than passwords for authentication to critical servers.

SMALL Firewall graphic SHUTTERSTOCK



Not all information and network assets are equal

By getting hold of the credentials for an enterprise patch management server, the attackers were able to use it to serve the malware to multiple computers. Systems that facilitate centralized management functions and play a central role in establishing trust in networks are highly prized targets of compromise and could be used to make other security controls useless. Prioritize resources to identifying and protecting critical assets first.

INSIDE Priority, list SHUTTERSTOCK



People are part of your organization’s perimeter
So educate them to identify spear phishing attacks, drive by downloads, watering hole attacks. Make sure they view with suspicion requests for certain information (like passwords), types of behavior that might indicate a compromise and how to report suspicious messages or behavior.

INSIDE Employees, staff SHUTTERSTOCK



Make security and response a continuous process
Continuous monitoring and gathering of event data enables you to know what’s normal and what’s not. That way you can increase the likelihood of detecting advanced threats that have breached the perimeter before they take hold and create more damage. Tools include data visualization and SIEM.

INSIDE Measure, continuous improvement



Expect to be compromised
So not only perform daily backups of critical data, but practice recovery. Have an emergency communications plan in case the network fails. Isolate critical systems to ensure they can be brought up independently of other systems. And ensure that  sensitive data is encrypted.

INSIDE Be prepared SHUTTERSTOCK



Stick together

Enterprises should share their experiences of compromise with the greater security community and other organizations. Often attackers use campaigns that target multiple organizations at once, so sharing information on current attacks and methods makes everyone less vulnerable and the attackers less likely to succeed. We are stronger together, the report argues.

INSIDE team SHUTTERSTOCK


Previous articleEight more security best practices
Next articleEight security takeaways
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com