Targeted Cyberattacks Testing IT Managers

The attack on Google prompts fears that the bad guys are infiltrating business networks.

Targeted cyberattacks of the sort that hit Google Inc. earlier this year are testing enterprise security models in new ways, and they represent an imminent threat to sensitive corporate data.

State-sponsored groups with deep technical skills and computing resources have long been directing such attacks against government and military targets. However, Google's disclosure in January that its network was attacked by China-based hackers stoked long-standing fears that cybercrooks would expand their horizons and start aiming targeted attacks at commercial networks.

Some experts say it's likely that widespread attacks have already begun. "If you have not yet identified systems within your enterprise that have been compromised through these advanced attacks, you probably are very lucky -- or you aren't looking closely enough," said Amit Yoran, former director of the U.S. Department of Homeland Security's National Cyber Security Division and current CEO of security vendor NetWitness Corp.

Unlike the e-mail- and network-borne worms and viruses that have been hitting corporate networks for years, targeted attacks are stealthier and virtually impossible to block completely. The intruders typically rely on sophisticated social engineering to get a foothold, then work to keep that access without being detected while they continually hunt for and steal sensitive information.

Some security pros suggest that IT managers are better off focusing on mitigating damage from targeted attacks instead of trying to prevent them.

Sean Arries, a researcher at Terremark Worldwide Inc., a Miami-based provider of IT infrastructure services, said traditional security measures, such as signature-based anti-malware tools, can't prevent targeted attacks because the perpetrators often take advantage of zero-day threats for which there are no known defenses.

Instead, he said, companies should take steps to strengthen their ability to detect intrusions and to respond quickly. Arries noted that a gusher of data going out over the network, for example, is a sign that something's amiss.

Paul Wood, a senior intelligence analyst at Symantec Corp.'s MessageLabs Intelligence unit, said that cloud-based security controls could help IT managers better detect targeted attacks. With a hosted security service, the provider sifts through large volumes of network traffic daily and therefore could spot suspicious activity sooner than internal IT operators who handle multiple jobs, he added.

Enabling remote logging is also crucial to detecting attacks, Arries said. Those who break into a server tend to wipe its activity logs and any other evidence of their presence from the machine, he said. One way to get around that is to make sure that every host forwards its logs as they are written to a central log server that the intruder cannot reach, so the collector's copy survives even when the local copy is erased.
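The two practical recommendations above fit together: the "gusher of data going out" that Arries describes is only visible if the evidence lives somewhere the intruder cannot erase it. The script below is an added example, not code from the article or from Terremark, that runs over the kind of per-flow summaries a central collector keeps (date, internal host, external peer, bytes out, bytes in) and flags any host whose daily outbound volume to external addresses jumps far above its own recent baseline. The record format, the 10.0.0.0/8 internal range, the threshold values and the sample rows are all constructed assumptions for illustration.

```python
"""Egress-volume spike check over centrally collected flow summaries.

Added example. Reads flow records as a log collector would store them and
reports internal hosts whose outbound bytes to external peers on a given day
exceed SPIKE_FACTOR times the median of that host's earlier days and an
absolute floor. Everything here (format, ranges, thresholds, sample data)
is an assumption made for the example, not the article's or any vendor's code.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate address space
MIN_HISTORY_DAYS = 3            # prior days needed before a baseline is trusted
SPIKE_FACTOR = 10.0             # flag when today's egress > factor * median
ABSOLUTE_FLOOR = 100_000_000    # ...and today's egress is at least 100 MB

# Constructed sample as the collector would hold it, untouched by the host:
# date,internal_host,peer,bytes_out,bytes_in
SAMPLE_FLOWS = """\
2010-03-01,10.0.1.15,203.0.113.7,120000,900000
2010-03-02,10.0.1.15,203.0.113.7,110000,950000
2010-03-03,10.0.1.15,203.0.113.7,130000,910000
2010-03-04,10.0.1.15,203.0.113.7,125000,890000
2010-03-05,10.0.1.15,198.51.100.9,2600000000,40000
2010-03-01,10.0.1.22,203.0.113.7,5000000,300000
2010-03-02,10.0.1.22,203.0.113.7,5200000,310000
2010-03-03,10.0.1.22,203.0.113.7,4900000,290000
2010-03-04,10.0.1.22,203.0.113.7,5100000,305000
2010-03-05,10.0.1.22,203.0.113.7,5300000,300000
2010-03-05,10.0.1.22,10.0.9.9,900000000000,1000
2010-03-05,10.0.1.40,203.0.113.7,900000,100000
"""


@dataclass(frozen=True)
class Flow:
    day: date
    src: str
    dst: str
    bytes_out: int
    bytes_in: int


def parse_flows(text):
    """Parse the constructed CSV format into Flow records; blank and # lines skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, out, inn = line.split(",")
        flows.append(Flow(date.fromisoformat(day), src, dst, int(out), int(inn)))
    return flows


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def daily_egress(flows):
    """Return {host: {day: bytes sent to external peers}}; internal-to-internal
    traffic such as backups is ignored so it cannot inflate the baseline."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src][f.day] += f.bytes_out
    return totals


def find_egress_spikes(flows, factor=SPIKE_FACTOR, floor=ABSOLUTE_FLOOR,
                       min_history=MIN_HISTORY_DAYS):
    """Return (host, day, bytes_today, baseline) for each day whose egress
    exceeds the median of the host's prior days by `factor` and is >= floor.
    Hosts with fewer than `min_history` prior days are never flagged."""
    alerts = []
    for host, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        for i in range(min_history, len(days)):
            baseline = statistics.median(per_day[d] for d in days[:i])
            today = per_day[days[i]]
            if today >= floor and today > factor * baseline:
                alerts.append((host, days[i].isoformat(), today, baseline))
    return alerts


def top_external_peer(flows, host, day_iso):
    """Peer that received the most bytes from `host` on that day; aids triage."""
    by_peer = defaultdict(int)
    for f in flows:
        if f.src == host and f.day.isoformat() == day_iso and not is_internal(f.dst):
            by_peer[f.dst] += f.bytes_out
    return max(by_peer.items(), key=lambda kv: kv[1]) if by_peer else None


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, day, today, base in find_egress_spikes(flows):
        peer = top_external_peer(flows, host, day)
        print(f"{day} {host}: {today} bytes out (baseline {base:.0f}), top peer {peer}")
```

In the constructed data only 10.0.1.15 trips the check: its 2.6 GB day on 2010-03-05 is more than ten times its 122.5 KB median. 10.0.1.22 stays quiet because its steady 5 MB a day never changes and its huge internal backup transfer is excluded from the egress total, and 10.0.1.40 has no history to compare against. The baseline uses the median rather than the mean so that one earlier spike does not mask a later one.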

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that originally ran on as part of an in-depth look at cyberwar.

Copyright © 2010 IDG Communications, Inc.
