Is anyone safe from determined hackers?
23rd June 2011
It seems as if no one is safe these days. Major names in the industry, whose security might otherwise have been expected to be the best, have found that their systems have been compromised by hackers. They are far more vulnerable than they first thought.
Sony, Nintendo, SOCA, the NHS and others have fallen foul of determined hackers, who have clearly succeeded in defeating their security in the process. This confirms that no matter how good organisations think their defences are, they simply aren’t invincible.
In truth a well organised intrusion prevention and detection system may well protect your systems, but if your attacker is dedicating his or her life to exploiting you, then the chances are they will eventually succeed. If your organisation is targeted by an Advanced Persistent Threat (APT) then your infrastructure is likely to succumb to their persistence and determination, particularly if they are well resourced, as many are. Their methodology affords them the time to test and retest your platforms until a weakness can be exploited.
Unbelievably, many security systems are implemented without regular testing, the assumption being that installing and activating them will be sufficient to safeguard against intrusion. Recent breaches demonstrate that this is simply not enough. Consider your everyday behaviour for a moment. Do you leave the house and lock the door? I’m certain you do, but I’m confident that you check it too, just for good measure. It may only be a discreet tug on the handle, but it reassures you and confirms that you’ve locked your house behind you. I bet on many occasions you’ve turned the light off at night and settled into bed, only to get up and pop downstairs to confirm that you did put the safety chain on and set the alarm.
These days a far more proactive approach to information security is required to mitigate the risk of compromise. Penalties for data loss are severe in direct financial terms, usually as a result of a fine (or fines) from your regulator. However, the indirect penalties could be far more punitive: loss of reputation could damage your business and drive your customers to a competitor, resulting in a significant loss of revenue.
And don’t be misled into thinking that compliance is security; it isn’t. There is often a wide gap between being compliant and being secure. In order to accurately understand the risks involved you need to conduct a detailed risk assessment, quantifying the losses that might be incurred by even the simplest of breaches, and then balance that against the cost of ensuring you remain safe rather than sorry.