Getting a grip on all the various flavors of malware and other criminal / espionage activity in anyone’s network means using multiple avenues of protection. Look at Symantec’s own response to the New York Times’ statement (about Symantec not protecting the Times’ network):
Symantec After New York Times Attack Says Antivirus Isn’t Enough
www.symantec.com/connect/blogs/symantec-statement-regarding-new-york-times-cyber-attack Jan. 31, 2013
And this is true; no one can rely ‘solely’ on AV signature-based protection. That time came and went years ago, as criminals and hackers continue to get smarter at penetrating networks and homes. We all need a combined approach, the tiered defense in depth that my cybersecurity colleagues and I have advocated for many years. Yet many firms do not take this approach, or if they do, it is not done adequately.
Firms need to ensure they have:
a) The latest ‘Next’ generation firewalls to perform more and better stateful inspection of the packets that transit the network;
b) The latest best of breed IDS/IPS for servers, PCs and all endpoints;
c) The best they can afford in behavioral anomaly detection software or AI heuristics software to look for patterns of possible criminal activity;
d) Routers capable of handling high bandwidth while also doing some form of network protection;
e) Segregation of high value servers – keep the private servers in a separate network with redundant protection and detection software/hardware;
f) Management software that can provide cybersecurity, IT and physical security teams a real-time, up-to-the-millisecond dashboard for everything going on in the network, servers, printers, PCs, routers, firewalls, IDS/IPS, databases;
g) Automated patching to keep all software up to date, also tied into the management software;
h) Current Governance and Compliance software – also tied into the Management software;
i) A logfile specifically relating to SysAds that “CANNOT BE EDITED OR DELETED,” which monitors these individuals and throws up red flags ‘requiring’ a two-person response whenever some suspicious SysAd activity takes place (e.g. attempted deletion of certain files or attempted modification of file attributes);
j) Sandboxing and virtualization – if firms (and homes) have software to isolate malware on the PCs/tablets/smartphones/servers – this would be a tremendous aid;
k) Yes, we would still need to have AV software because bad girls/guys are not going to stop using old school techniques;
l) And yes, there are still more protection platforms to be added if needed, especially if the firm is going into the Cloud…
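As an added illustration of item (i), not code from the original post: a tamper-evident SysAd activity log built as a SHA-256 hash chain (each entry commits to the one before it, so an edit or an in-place deletion breaks the chain), plus a rule that flags deletions and attribute changes on watched paths for two-person review. The event fields, watched paths and sample records are constructed assumptions; a hash chain gives tamper evidence, not prevention, so the real “cannot be edited” property still needs write-once storage.

```python
import hashlib
import json

# Constructed sample of privileged (SysAd) activity records; not real data.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "target": "srv-db01"},
    {"user": "bob", "action": "delete", "target": "/var/log/auth.log"},
    {"user": "alice", "action": "chattr", "target": "/etc/shadow"},
    {"user": "bob", "action": "read", "target": "/etc/hosts"},
]

# The post singles out attempted deletion of certain files and attempted
# modification of file attributes; the watched paths are assumed examples.
WATCHED_ACTIONS = {"delete", "chattr"}
WATCHED_PREFIXES = ("/var/log/", "/etc/")
GENESIS = "0" * 64


def append_event(chain, event):
    """Append an event, linking it to the previous entry's digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)  # canonical form for hashing
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    chain.append({"prev": prev, "body": body, "digest": digest})
    return digest


def verify_chain(chain):
    """Return the index of the first tampered entry, or -1 if intact.
    Caveat: removal of the *last* entry is only detectable if the latest
    digest is also anchored in a separate system."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["digest"] != expected:
            return i
        prev = entry["digest"]
    return -1


def flag_for_two_person_review(chain):
    """Return the events that should trigger a second person's sign-off."""
    flagged = []
    for entry in chain:
        ev = json.loads(entry["body"])
        if ev["action"] in WATCHED_ACTIONS and ev["target"].startswith(WATCHED_PREFIXES):
            flagged.append(ev)
    return flagged


def build_chain(events=SAMPLE_EVENTS):
    chain = []
    for ev in events:
        append_event(chain, ev)
    return chain
```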
Hack your network
What really needs to be done is to have companies hack their own networks on a continual basis, to see where they may be vulnerable to intruders (crooks) or could become vulnerable down the road. Hacking, or rather, to use the proper terminology, penetration testing (pentesting), can be performed on various parts of the network. As the pentests take place, a firm should be testing specific parts of the network, not the entire network at one time: testing the application layer for holes, testing the network layer for any point where a breach could occur, and so on.
This has got to be done, either by the IT and/or Cybersecurity staff or by an outside team in conjunction with the in-house staff. And of course, this has to be signed off by the firm’s management – CEO, CIO, CISO, COO – “IT HAS TO BE DONE!”
DLP: all organizations holding terabytes or exabytes of proprietary R&D information, or exabytes of PII, have got to start watermarking the firm’s data – that is, after they have installed DLP software.
We have got to stop all this sensitive data from illegally leaving networks, stolen by hackers. And for those would-be insiders, companies have got to implement USB port protection so that not everyone can simply download valuable private data. For VPN connections, companies have got to decide who can have these types of connections for users at home, and whether those users can download files to their home PCs or even print them out while at home.
I’m afraid that I’m gonna have to reiterate what I stated previously – we need some kind of nation-wide protection umbrella. It would be an umbrella that protects the country coast to coast, including Canada, from malware. Then too, there would be sub-umbrellas spread out across the country at major ‘Net hubs.
This would not be for just the benefit of the government but for everyone in the country. It would be to detect and stop the rampant and instant spread of malware (think back to the Melissa worm, Robert Morris’s Internet Worm (’88)). It would be to stop the continual theft of PII, to stop the widespread illegal credit card mart. Most of all, this umbrella would be highly useful in determining where crimes originate, so the true criminal(s) can be caught and not some unsuspecting grandma whose PC was turned into a zombie PC or a porn server…
A primary antagonist would be any nation state sponsoring international espionage or hacking or flat out theft of nation state / corporate proprietary data.
As to who would run it? Well, I believe it would have to be a combination of private and government collaboration. There does not seem to be any other way: many people do not want too much government (big brother, snooping, etc.), and a single private corporation may try to gain a monopoly, or at least an oligopoly with another firm, neither of which we want. There would also be the financial aspect: how would it be paid for, both to set up and to maintain….
AV – Antivirus
DLP – Data Leakage Protection / Data Leak Prevention (depends on who you’re talking to)
PII – Personally Identifiable Information (medical, financial, private, etc.)
SysAds – System Administrators, the folks that run the networks
USB – thumb drives, flash drives, portable external storage devices (hard drives, smartphones)