Companies must look to internal security: Symantec
Dale Zabriskie, Symantec's principal technologist, says internal policies must be secured
Following the Stuxnet worm attack in September 2010, Dale Zabriskie, Symantec's principal technologist, is urging companies to review their internal policies and processes to prevent malicious attacks on their business.
The Stuxnet worm crossed into an isolated network, possibly via a contractor's removable drive, and went on to disrupt and take control of centrifuges at an Iranian nuclear facility.
"Stuxnet has been a real wake-up call for a lot of industries, not just the local oil and gas and telecoms. Wherever there is process control, wherever there is manufacturing, the real change here is Stuxnet: we have not seen a threat actually physically control something. All the threats to this point have been focused on disruption of systems, of computers, of websites, of servers, or they have been very focused over the last few years on getting into an organisation and stealing info, much like a smash and grab," said Zabriskie.
Perimeter security in most companies is now strong, said Zabriskie, with most firms having solid internet and network security in place to protect their information.
However, the global financial crisis has played a big role in weakening companies' security defences, he added: IT budgets have been cut, staff laid off and projects put on hold.
"What we have seen, and what we have been talking about as a company for a long time, is that it is what is going on inside that needs to be focused on, the internal processes. All the infrastructure builds up and, because organisations have cut their staff and they don't have strong IT budgets, they are struggling to keep things going, and one of the first things that goes is the focus on the internal processes and best practices, which now opens up more and more opportunities for exploitation," said Zabriskie.
Zabriskie said that manufacturing companies whose networks are isolated now need to look more closely at their internal processes, because threats can now jump across the barriers they have put up and infect their systems.
"It is a matter of reviewing what you are doing and why you are doing it, are you doing things for the right reason? An example [of this] is a company in Australia that was a part of the government that ran motor vehicle licensing. They had a situation where they had a car park where they had some parking tickets, and the process was in place that said, ‘I have a request for 12 licence plates, tell me who owns these cars so I can send them a parking ticket’. The process had been going on for years, no problem, the lady in the office just does what she was told to do and clicked a button and, because what was happening in the back end was not being looked at and was not strong enough, a conduit was opened up where over 25,000 names were exposed to the internet," said Zabriskie. The incident went to court, and the conclusion was that the leaking of information was not malicious but was simply the result of bad process.
Zabriskie says that companies need to ensure first and foremost that they have a strong perimeter, that systems are up to date, and that they are managing patching and all the other aspects of security. One of the challenges companies face is that they run many different hardware platforms from many vendors, so keeping track of what they have, understanding the assets they own and what level each is at in terms of patching or protection, whether an operating system or an application, is the first thing that needs to be done.
Zabriskie listed three questions that IT organisations must ask themselves, before they can feel good about their environment.
"Number one: where is the info that I care about, where is the critical stuff? Number two: who has access to it, do the right people have access? And the third one is: how do I enforce the policies that I have set up in order to protect that info? Enforcing the policy is a challenge: understanding what is going on inside in that very fluid, active environment to make sure things are protected," he said.
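The three questions above map naturally onto a recurring access review: a register of where sensitive data lives, the expansion of group grants into the people who can actually reach it, and a policy the grants are checked against. The script below is an added example, not code from the article or from Symantec; the asset names, groups, users and policy are all constructed for illustration, and the "no direct user grants on critical data" rule is an assumed policy rather than one the article states.

```python
"""Added example (not from the article or from Symantec): a small access review
that walks Zabriskie's three questions over a constructed asset register.
Every name below (assets, groups, users, the policy) is made up for illustration."""

from collections import defaultdict

# Q1: where is the information I care about? A constructed register of data
# stores with a sensitivity label and the principals (users or groups) granted access.
ASSETS = {
    "hr-payroll-db":   {"classification": "critical", "acl": ["hr-admins", "dba", "bob"]},
    "plc-historian":   {"classification": "critical", "acl": ["ot-engineers", "contractor-x"]},
    "marketing-share": {"classification": "internal", "acl": ["all-staff"]},
}

# Constructed directory group membership; groups expand to users.
GROUPS = {
    "hr-admins":    ["alice"],
    "dba":          ["carol"],
    "ot-engineers": ["dave"],
    "contractor-x": ["erin"],
    "all-staff":    ["alice", "bob", "carol", "dave"],
}

# Q3: the policy to enforce (assumed for this example). Critical assets may only
# be granted through approved groups, never to a user by name.
POLICY = {
    "critical": {"approved_groups": {"hr-admins", "dba", "ot-engineers"},
                 "allow_direct_user_grants": False},
    "internal": {"approved_groups": None,  # None: any group is acceptable
                 "allow_direct_user_grants": True},
}


def effective_access(asset_name):
    """Q2: who can actually reach the asset? Expands group grants to users and
    records the path for each user: the group name, or '<direct>' for a user
    granted by name."""
    users = defaultdict(set)
    for principal in ASSETS[asset_name]["acl"]:
        if principal in GROUPS:
            for user in GROUPS[principal]:
                users[user].add(principal)
        else:
            users[principal].add("<direct>")
    return dict(users)


def policy_violations(asset_name):
    """Q3: compare the grants on an asset against the policy for its label.
    Returns a sorted list of (principal, reason); an empty list means compliant."""
    asset = ASSETS[asset_name]
    rule = POLICY[asset["classification"]]
    label = asset["classification"]
    findings = []
    for principal in asset["acl"]:
        if principal in GROUPS:
            approved = rule["approved_groups"]
            if approved is not None and principal not in approved:
                findings.append((principal, "group not approved for %s data" % label))
        elif not rule["allow_direct_user_grants"]:
            findings.append((principal, "direct user grant on %s data" % label))
    return sorted(findings)


def review_all():
    """Run the check over every asset; returns {asset: violations} for the
    assets that have at least one finding."""
    report = {}
    for name in ASSETS:
        findings = policy_violations(name)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(name, "classification=%s" % ASSETS[name]["classification"])
        for user, paths in sorted(effective_access(name).items()):
            print("  can read:", user, "via", ",".join(sorted(paths)))
        for principal, reason in findings:
            print("  VIOLATION:", principal, "-", reason)
```

Run as-is it flags the direct grant to "bob" on the payroll database and the unapproved contractor group on the PLC historian, while the internal share passes. In practice the asset register and group membership would be pulled from the directory and the data-classification inventory rather than typed in, and the review would be re-run on a schedule so that the "fluid, active environment" Zabriskie describes does not drift away from the policy unnoticed.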
Another important factor in companies' ability to face and overcome cyber-attacks is working alongside other businesses and sharing information about how they deal with cyber-threats.
"We are all in this together, but there is this traditional idea of ‘you can't look at my cards’. There are certain things that need to be kept confidential, but when we start to see attacks like Stuxnet that are going to affect more specific types of organisation, then the sharing of best practices is important," Zabriskie said.
The principal technologist listed the Abu Dhabi Commercial Bank as one of Symantec's customers that has been very proactive in the financial sector, sharing information and initiating the right types of controls against cyber-threats. The bank has won numerous industry awards for its efforts.
However, ADCB is an isolated case, and Zabriskie says far more companies need to work with each other.
"I think we have come to the point where groups need to sit down together and say we did this, this was a problem we had, we took these steps and here are the results. We see more and more of that, particularly in Abu Dhabi; with the oil and gas industry there is a camaraderie, if you will. On the flip side of that, a lot of the companies there are reluctant to do anything until they see another company taking those steps. They don't want to be the first in the pool," he added.
The current cyber-crime landscape is a good-guy versus bad-guy contest, because of the money and organisations behind cyber-crime. Zabriskie says Symantec knows that organised crime is funding attacks and that these cyber-crime networks share information to improve their chances of successfully gaining access to company information.
"Stuxnet points towards a very well-funded organisation, perhaps even a government; we don't know. We know that it took at least six months, with five to 20 people working on it, to create a very sophisticated piece of malware. The good guys have to work together in order to share appropriate info about how things can be protected in their verticals," he added.