Lazy IT housekeeping to blame for Conficker's success, says Sophos CEO
Sophos CEO Steve Munford may now work across the pond in the U.K., but he's a native of Canada. On a recent return trip through Toronto, Munford dropped by ITBusiness.ca to talk about recent banner news and happenings in the IT security space. INCLUDES VIDEO.
6/10/2009 6:00:00 AM By: Brian Jackson
From cyber-espionage networks, to Conficker, to the threat posed by social media sites and mobile phones -- if businesses could just keep their machines patched, hackers wouldn't be so successful, says Sophos CEO Steve Munford. Here's an edited version of what he had to tell ITBusiness.ca. You can also watch the video for the full scoop.
VIDEO - Interview with Sophos CEO, Steve Munford
Social engineering seems to be the favoured hacker method today. Security researchers here in Toronto recently unveiled GhostNet, a cyber-espionage network that had put Trojans on some very high-value targets around the world, including in the Dalai Lama's office. To get this done, they executed very well-targeted spear phishing attacks – for example, sending what looked like a letter supporting the Tibetan resistance movement to the Dalai Lama's office. What defence is there against such well-planned attacks?
Social engineering really has been part of attacks for quite some time now. If you look at viruses spread over e-mail, a lot of them are “click here to receive an offer” or “click here to receive the latest Britney Spears pictures” or “click here to make lots of money.” We have a saying that people will continue to do stupid things for sex and money.
Social engineering to get payloads into the company is nothing new. But social engineering is getting increasingly sophisticated. The tools these organizations deploy, and the resources they have to build those tools, are quite extensive. It really does point to larger organizations being behind malware creation than we've seen historically. Now for a corporation, you boil that down to a couple of different vectors. Unfortunately there's no one-size-fits-all solution.
On one hand, you have to educate IT users to understand practices out there and be more cautious. That's the first step, but certainly not the last. It comes down to having a holistic view of security, and that starts with making sure your network and your machines are compliant. I think that's where organizations are [failing] today. They deploy a lot of products and think by [doing that], they solve a problem.
But our surveys [show] up to 70 per cent of the machines in a corporate network are not patched or configured to the security policies of the corporation. So it's about having a tool and a process to monitor the status of machines on my network to ensure they are properly compliant.
Lastly, it's about having systems and processes to mediate that. If something does get attacked, then how do I minimize the impact? That's where data security comes in, where it's about encrypting your data and protecting it, so even if someone gets into your network, your data won't be exposed.
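The "tool and a process to monitor the status of machines" that Munford describes is, at its simplest, an inventory compared against a written policy. The script below is an added illustration of that check, not Sophos code and not anything from the interview: it audits a constructed endpoint inventory against a hypothetical policy (minimum OS build, required security updates with placeholder IDs, maximum anti-virus signature age, disk encryption required) and reports each host's gaps plus the share of non-compliant machines, the figure the surveys quoted above put at up to 70 per cent.

```python
"""Patch/configuration compliance audit over a constructed endpoint inventory.

Added example, not code from the article or from Sophos. Host records, the
policy thresholds and the KB-EXAMPLE-* update identifiers are all constructed
placeholders; a real deployment would feed this from a patch-management or
inventory system.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    """One endpoint as reported by an inventory agent (constructed schema)."""
    name: str
    os_build: int
    installed_updates: set = field(default_factory=set)
    av_signature_age_days: int = 0
    disk_encrypted: bool = False


# Hypothetical corporate policy; every value here is an assumption for the example.
POLICY = {
    "min_os_build": 7600,
    "required_updates": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},  # placeholder IDs
    "max_av_signature_age_days": 3,
    "require_disk_encryption": True,
}


def check_host(host, policy=POLICY):
    """Return the list of policy failures for one host; an empty list means compliant."""
    failures = []
    if host.os_build < policy["min_os_build"]:
        failures.append(f"os build {host.os_build} < {policy['min_os_build']}")
    # Any required update that is not installed is a separate, named failure.
    for kb in sorted(policy["required_updates"] - host.installed_updates):
        failures.append(f"missing update {kb}")
    if host.av_signature_age_days > policy["max_av_signature_age_days"]:
        failures.append(f"av signatures {host.av_signature_age_days} days old")
    if policy["require_disk_encryption"] and not host.disk_encrypted:
        failures.append("disk not encrypted")
    return failures


def audit(hosts, policy=POLICY):
    """Audit every host; return (per-host failure lists, percent of hosts non-compliant)."""
    report = {h.name: check_host(h, policy) for h in hosts}
    non_compliant = sum(1 for failures in report.values() if failures)
    pct = 100.0 * non_compliant / len(hosts) if hosts else 0.0
    return report, pct


# Constructed sample inventory: one clean workstation and three with different gaps.
SAMPLE_HOSTS = [
    Host("ws-01", 7600, {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}, 1, True),
    Host("ws-02", 7600, {"KB-EXAMPLE-001"}, 1, True),                     # one update missing
    Host("ws-03", 6002, {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}, 9, False),  # old build, stale AV, no encryption
    Host("lt-04", 7600, {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}, 2, False),  # laptop without encryption
]

if __name__ == "__main__":
    report, pct = audit(SAMPLE_HOSTS)
    for name, failures in report.items():
        print(name, "OK" if not failures else "; ".join(failures))
    print(f"{pct:.0f}% of hosts non-compliant")
```

The point of returning named failures rather than a pass/fail bit is that the remediation process Munford mentions needs to know what to fix on each machine; the percentage is the management-level number, the per-host list is the work queue.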