How can you make sure your company is safe from cyber attacks in 2015?
(Fortune China. Chinese translation by Yan Kuangzheng (嚴匡正), reviewed by Ren Wenke (任文科).)
Last year will long be remembered as the year when cyber attacks became front page news. No institution was spared — public companies, government agencies or non-profits. Heading into 2015, we have just reached the first mile of a race without a finish line, and time is of the essence when it comes to understanding the sophistication and complexity of cyber attacks.

Most cyber attacks fall into one of three main threat types:

- attacks on a network's confidentiality, causing theft or release of secure information such as credit card or Social Security numbers;
- attacks on a network's availability, either by overwhelming it with so many requests that the site is rendered inoperable, or by injecting code that redirects traffic away from the site; and
- attacks on a network's physical integrity, which alter or destroy computer code and damage the network's infrastructure.

In 2015, here are seven resolutions to help protect your company against cyber threats:

1. Tighten Your Vendor Network

If there is one key takeaway from the cyber attacks of 2014, it's that passwords are dead. Hackers gained access to Fortune 100 companies by stealing the passwords and log-in credentials of smaller vendors, including air conditioning and food delivery companies. Replace your single passwords with two-factor authentication, or "2FA." A good example of 2FA is withdrawing money from an ATM: it requires two authentications, your bankcard and your password. Another example is signing on to a Bloomberg terminal, which requires a password and then, using biometrics, a fingerprint swipe as a second form of authentication that cannot easily be stolen. You should require 2FA of all vendors and employees who log on to your networks remotely.

2. Detonate Malware

"Spear phishing" is an easy and effective way to attack a network. Hackers obtain the names of your friends from your public social media accounts and then send you a personal note that appears to come from someone you know and trust. When you click on the attachment or link, the email installs malware on your network. One defense against malware is "detonation" software: once an email with malware is opened, but before it can leave your network with critical information, it is detonated in a "sandbox" to test whether it is being routed to an inappropriate site.

3. Guard Your "Crown Jewels"

What information matters the most to you? Is it a secret formula, proprietary IP, Social Security or credit card numbers, sensitive health care data or non-public financial information? Once you determine your company's most important and sensitive information, compartmentalize it from the rest of your technology and network operations.

4. Develop a Cyber Attack Response Plan – Now

Develop a plan and practice it regularly. As part of your plan, hire a forensic investigatory firm to review your network and your response plan.

5. Conduct "Penetration" Tests

Engage a third-party firm to conduct "penetration tests" to identify weaknesses in your company's IT network and infrastructure. Based on the findings, make the necessary security improvements and comply with disclosure requirements. For example, the SEC has published guidance regarding the responsibilities of public companies to inform investors about cybersecurity vulnerabilities.

6. Embrace the Government

When it comes to cyber attacks, the famous saying that "we are from the government and we are here to help" couldn't be more true. The U.S. government has been far out front of the business community in understanding the significance of cyber threats. Current and former cabinet officials have warned for years about the risk of a "cyber Pearl Harbor" or "cyber 9/11." The Secret Service and FBI have repeatedly alerted unaware public companies that their systems were breached — even though neither agency was under any obligation to do so. Don't wait until after an attack to build relationships with key officials at the FBI, the Department of Homeland Security and the Department of Justice.

7. Kick the Tires in M&A

Traditionally, the biggest security risk in a merger or acquisition transaction was confidentiality. Increasingly, cyber risk is becoming a critical, and often overlooked, factor. Heed the Department of Homeland Security's recent warning about cyber risks in companies that you may consider buying or investing in, and conduct cyber audits as part of routine due diligence.

In 2014, the focus of many cyber attacks was stolen credit cards and financial crime. In the future, the threat will likely escalate to physical damage of technology networks and infrastructure.

During the 2014 December holiday season, the German government reported a cyber attack that caused "massive damage" to an iron plant. Using a spear phishing attack, hackers disabled the electronic controls that turned off the plant's furnaces, causing damage to the entire plant.

What new forms of cyber attacks will 2015 bring? Don't wait to find out. Start 2015 off right by implementing these resolutions to help protect your company from ever-present cyber threats.

Peter J. Beshar is Executive Vice President and General Counsel of Marsh & McLennan.