Re: Cyber attacks/cyberwarfare = the new yeti?
TL;DR - Worry about 'cyber attacks' but don't stress too much about full-on 'hacking'.
-------
It's pretty obvious, anecdotally at least, that completely non-malicious events are the main cause of downtime. That's not to say humans aren't to blame, because in my experience stupidity, laziness and false confidence are the main causes of issues.
But, to headline a story "Forget hackers - storms and snafus are bigger threat" is a bit misleading.
Here's Dan's friendly advice: DON'T 'forget hackers' but DO realistically assess the risk.
Having been a consultant, I have had many clients ask how safe they are from 'hacking'. I usually tell them that there is always more that could be done and there is always risk, but that, realistically, no one would be interested in 'hacking' them.
That's the crux of it.
Cyber attacks come in four forms:
1. Un-targeted, mass-distributed attacks (malware, website XSS, etc...)
2. Opportunistic attacks
3. Targeted attacks from disgruntled employees/contractors
4. Targeted, concerted efforts
The first two are what 99.9% of companies should focus on and the strategy to mitigate those risks is simple - conceptually if not in implementation:
* Patch bugs and keep software up-to-date
* Keep a good security/virus/malware solution up-to-date
* Adhere to the principle of least privilege
* Prevent users from installing software (so far as feasible)
* Enforce a strong password policy
* Monitor your links and general server health for any anomalies
But perhaps most important: educate your users. Have a thorough written IT policy that is reviewed periodically and advertised regularly. Make sure all staff have read it and understood it and make them sign off to say they have read it and understood it. Repeat this at least once a year and whenever it is updated. Make sure there are clear disciplinary consequences for users who do not follow the policy.
As I tell my clients, the settings and restrictions implemented from the IT side are NOT an IT use policy - they are the means of enforcing and monitoring an IT policy.
<Got a bit sidetracked there - you can tell I've tried to get this across to more than one stubborn client.>
The third attack - one undertaken usually by people known to the company, like previous or current employees - is not overly common compared to the first two, but is still the most common TARGETED attack, so it is worth spending a bit of time addressing. The simplest and most prudent step to take is around your password and access policy; make sure everyone has a strong password that is regularly changed, and that staff are made aware that they are fully responsible for their password and should NEVER give it to any other staff. That means that we sysadmins are never to ask a user for their password - we must instead reset it.
Really, most of the steps for mitigating the first two attacks apply to this as well, as such attacks will usually be of a low to intermediate technical level and, if not successful at first, are likely to be dropped.
To get from protecting against the first three attacks to protecting against the last is a BIG step. Sure, there are little, sensible things you can do, but in the end a truly determined effort will breach most networks.
This is the 'hacking' most of my clients are talking about and the reality is that it's a non-issue for most companies.
An analogy for the whole thing might be dying. (Sorry for the dark tone.)
Natural causes, disease and accidents are the most likely causes. Have a smoke alarm, don't fiddle around with the electrics, look before you cross, exercise, eat healthy, etc...
Malicious attacks on your network are similar to malicious attacks against your person. Sure, they're less likely than disease or accident but that doesn't mean you shouldn't take reasonable steps to avoid being mugged.
Without drawing a parallel for every type of cyber attack, real 'hacking' is like being murdered by a hired assassin - exceptionally hard to protect yourself against but for the uncountable majority of people, it's just not an issue. Some people of course are more likely to be the target of an assassination attempt and so it is with companies and their IT systems. Those companies at risk of such an attack take very detailed, very expensive precautions and these require CONSTANT monitoring - just like (e.g.) presidential security.
Sherlock, because it does seem all rather elementary now that I've bashed it out.