Tom Chapman likes to quote the ancient Chinese general and military philosopher Sun Tzu when he’s talking about cyber-security. “If you know your enemies and know yourself, you will not be imperiled in a hundred battles,” Chapman quotes from Chapter 3 of “The Art of War.”
Chapman, who is director of cyber operations at EdgeWave Security, believes that if enterprises looked at security the way the military does and used military-grade practices, few network breaches would succeed. Chapman gets his military slant because he was in charge of part of the U.S. Navy’s cyber-war operations.
This is why he thinks the North Korea theory about the attack on Sony Pictures isn’t accurate. He said that nothing about the attack makes sense if you try to blame that country. Instead, he thinks the attack was either someone making use of readily available attack scripts found on the Internet or it was an inside job.
He also said that it’s obvious that Sony Pictures had very weak security practices, partly because it had so few people in the IT department assigned to security functions and so few of them actually did hands-on security work.
“They had 11 people in IT,” he explained. “Three were workers, three were managers, three were senior managers, and there was a vice president. They needed people looking at their logs.” Unfortunately, he said, there is no “set it and forget it” function in security.
He said that because nobody had the time to regularly look at logs or check suspicious activity, someone was able to range freely inside the network at Sony Pictures. “Basically they owned them,” he said.
But that also meant that nobody was available to check for suspicious activities such as the download of vast quantities of data from the servers at Sony Pictures, amounts that some have estimated to be as much as 100 terabytes. Chapman noted that the Sony Gameboy network that was previously hacked apparently got serious about security, but those practices weren’t implemented at the Sony Pictures unit.
So what does this mean for you, considering that you probably don’t have servers full of unreleased movies? That’s where Sun Tzu comes in. “Every company is different,” Chapman said. “You have to understand your adversary. Sony Pictures isn’t going to get attacked by Russia or China,” he said, but rather by cyber-criminals or, in this case, someone who wants to hurt the company.
It’s still not clear who Sony Picture’s adversary is, but as each day passes it looks less and less like North Korea. But let’s say you’re not Sony Pictures. Let’s say you run a small or medium-size business and you know that a breach could cause serious damage to your company. In fact, it could put you out of business.
Best Defense Against a Cyber-Attack Is to Know Your Adversary
To know yourself and to know your adversary, first you have to think about what kind of information you have on any computer or network that’s connected in any way with the Internet. Do those computers contain your employee information in any form? Customer data? Credit card numbers? Perhaps those computers contain your business banking information or even designs for new products or detailed product or process specifications.
The next step is to think about who would benefit from having any of that information, even in partial form. “You need to worry about competitors,” Chapman said, but he adds that actual cyber-crime from a competing company is unlikely. “Breaking into your system is a very risky business. If they got caught, their losses would be incredible”—not to mention jail time if caught and convicted.
But a very real threat is the same cyber-criminals who try to steal credit card information elsewhere. The key there is to keep your sensitive information somewhere they can’t reach easily. “Make sure risky items like credit card processing are outsourced,” he suggests.
Chapman said that most banks will handle all credit card processing for their customers. It’s worth noting that this might cost more than handling credit cards some other way, but it’s far more secure. “Then you’re protected by the bank’s security,” he said.
This also means not keeping payment information on your own computer systems. While it may be convenient, it’s far safer to just ask your customers for their credit cards each time they buy something. The fact is, if you don’t have such data, nobody can steal it.
Training employees extensively on good security practices is also necessary, Chapman said. This may mean teaching them through hands-on practice what a phishing email looks like, how Web-based malware can affect your business or how not to leak information that would make things too easy for criminals.
“I’ve seen restaurants put their IP address, their login and password on top of the computer,” he said. Adequate training can make a huge difference because it helps employees avoid making really bad mistakes and it helps them recognize a threat when they see it, and teaches them whom to tell when it happens.
But even if all of that works, Chapman’s first point comes into play. Your business needs to have somebody with adequate resources to do something about security threats when they turn up and the ability to look for threats during the normal course of their day. Otherwise, someone could download 100 terabytes of your data without you ever noticing.