Organisations around the world are contributing to the threat
of information warfare by failing to apply basic IT security
principles, says internet security expertIra
Winkler.
By failing to apply what is known about how to prevent cyber
attacks, these organisations are adding their computing power to
criminal botnets, Winkler told the RSA Conference 2009 in
London.
The
Russian denial of service attacks on Georgia are probably the
only example we have of true information warefare, but they proved
that cyber attacks can be used for military purposes, he said.
Every organisation can help reduce that threat by securing their
networks to the best possible level, which often amounts to good IT
system administration, he said.
By simply ensuring IT systems are as secure as is reasonably
possible, system administrators would eradicate most botnets that
could be used for information warfare.
"System administrators are really the ones at the frontline of
defence, not IT security professionals," said Winkler.
Seldom is there anything new in cyber attacks, as most use the
same set of known vulnerabilities in underlying IT systems or user
behaviours.
Winkler, who is president of the
Internet Security Advisors Group
(ISAG), said far too many people are talking about information
warfare without taking any action.
But businesses have an important role to play. If they take care
of the smaller, manageable threats, they will take care of the
bigger threats like the super attack capability enabled by botnets,
he said.
"We can't effectively mitigate cyber threats, but we must and
can mitigate the underlying vulnerabilities, both technical and
human, that those threats exploit," said Winkler.
Businesses can find out which vulnerabilities cybercriminals are
exploiting. It is within their power to eliminate those
vulnerabilities, which in effect will remove the threat.
"This is a really simple and effective thing to do, yet few
organisations are actually doing it," said Winkler.
Protecting systems by doing security right is one part of a
successful strategy, but organisations must acknowledge they may
still be attacked by having proper detection systems in place.
The final piece is to know exactly what you are going to do in
the event of an attack, which is often neglected because too much
time is spent on discussing the potential threat, said Winkler.