What the Chinese attacks on Google mean for enterprise security

 too.

The attack will spur more collaboration between the U.S. private and public sectors. Dispassionate observers will recall reports in the news from last year about large-scale industrial attacks against the U.S. government and critical infrastructure. If these more recent attacks against private companies are also believed to come from similar sources (the PRC government, PLA red teams, etc.), it won’t take a genius to start connecting the dots. A formal public/private attack data sharing program, with generous safe-harbor exemptions, would be a good start. Re-invigorating the ISACs would be another.

Multinationals will see the need to pay more attention to protecting their secrets, not just the “toxic data” like PII or PHI. Our most recent annual IT security survey, which we are busy analyzing, shows that “compliance” (big-C compliance like PCI and HIPAA, and little-C compliance with security policies) is the motor that drives security budgets in large corporations. Enterprises have gotten used to the idea that they need full-disk encryption and DLP to keep toxic customer and payment data from spilling. But two-thirds of the value of the information enterprises protect resides in the secrets they keep that confer long-term competitive advantage. Google’s admission that it lost some of its secrets in this hack shows that securing trade secrets deserves just as much attention as the toxic stuff.

Relying on one browser is a liability. As we have seen, this attack succeeded because of flaws in Internet Explorer. Browsers are complex pieces of software. By one measure, Firefox is 2.5 million lines of code. By contrast, the Apache web server is just one-tenth of the size, at less than 300,000 lines of code. Who knows how big IE is? Certainly, it is several million lines of code at least. Complex systems fail complexly, which is why browsers continue to be favored targets for zero-days. In this day and age, it is shameful that I still see many corporations (including Forrester) whose business processes rely on web page formats and ActiveX controls that chain them to a specific browser. It should not be that way. Enterprises should strive to deploy web-based applications that are browser-independent; when one browser is targeted, enterprises can mitigate their risk by switching.

Humans remain the weak link. Jaquith spoke with a contact at an aerospace company who knew something about the Adobe PDF attacks. He was surprised that good old fashioned phishing attacks still work. “This kind of stuff is driving the defense contractors nuts. They should know better, and yet, they are still affected.” It bears repeating, one more time: attachments from strangers are bad. CISOs should dust off their social engineering playbooks and do some internal phishing testing on their employees to make sure their staffs get the message.

“The best thing enterprises can do now is examine their security program to make sure that it includes a healthy, balanced diet of controls that protect both toxic data and secrets,” Jaquith writes. He describes what enterprises should consider in his recent report, Selecting Data Protection Technologies.