How Cyber Spies Infiltrate Business Systems

snydeq writes "InfoWorld's Bob Violino reports on the quiet threat to today's business: cyber spies on network systems. According to observers, 75 percent of companies have been infected with undetected, targeted attacks — ones that typically exploit multiple weaknesses with the ultimate goal of compromising a specific account. Such attacks often begin by correlating publicly available information to access a single system. From there, the entire environment can be gradually traversed enabling attackers to place monitoring software in out-of-the-way systems, such as log servers, where IT often doesn't look for intrusions. 'They collect the data and send it out, such as via FTP, in small amounts over time, so they don't rise over the noise of normal traffic and call attention to themselves,' Violino writes. 'There's probably no way you can completely protect your organization against the increasingly sophisticated attacks by foreign and domestic spies. That's especially true if the attacks are coming from foreign governments, because nations have resources that most companies do not possess.'"

Wait what?

[moogied]

Maybe its because I work for a large state's DOJ... but whos firewalls are just letting out random FTP connections? In our environment nothing goes in or out unless we directly state it should be. Its all very controlled... that and a pretty hefty usage of enterprise level AV scans on each box, then IDS, then AV on emails, filtering on emails(can only go to certain addresses).. etc etc. I guess we take the "Large amount of work in exchange for very tightly controlled systems" approach. Maybe other places should too?

Re:Windows is more secure than ever!

[mlts]

The way to protect against a dedicated attack is compartmentalization. Connectivity is important, but companies to structure not just machines, but the IT organization to resist compromise.

For example, log servers. These machines have to be *completely separated* from anything else in the company except the network. They can't use LUNs on a SAN (or else the storage admin can tamper with logs.) They can't use the corporate backup system (or else the backup admin can restore a tampered log.) They can't be run by the Windows or UNIX admins or else a compromised admin (or a blackhat) can compromise the machines, then the log server to completely hide tracks, or to perhaps cause damage. If you are running a program like Splunk, you don't run the thing on the log servers; you run it on a read-only mirror so people who have access to Splunk do not have access to tamper with the logs.

You can't "silo" the department where everyone works in little walled areas with no inter-group communication, but you have to have separation of duties so the damage done by a compromised employee can be mitigated.

Re:Cyber Spies

[Trepidity]

Here's what Ted Nelson had to say about it:

"Cyber-" means 'I do not know what I am talking about'

"Cyber-" is from the Greek root for "steersman" (kybernetikos). Norbert Wiener coined the term "cybernetics" for anything which used feedback to correct things, in the way that you continually steer to left or right to correct the direction of a bicycle or a car. So "cybernetics" really refers to control linkages, the way things are connected to control things.

Because he was writing in the nineteen-forties, and all of this was new, Wiener believed that computers would be principally used for control linkages-- which is if course one area of their use.

But the term "cybernetics" has caused hopeless confusion, as it was used by the uninformed to refer to every area of computers. And people would coin silly words beginning with "cyber-" to expand ideas they did not understand. Words like "cyberware", "cyberculture", "cyberlife" hardly mean anything. In general, then, words beginning with "cyber-" mean "either I do not know what I am talking about, or I am trying to fool and confuse you" (as in my suggested cybercrud).

Re:Cyber Spies

[gtall]

To go back further, it was called "cracking". "Hacking" was reserved for taking a program and modifying it or merely writing a program, there was no malfeasance implied.