Organisations around the world are contributing to the threat of information warfare by failing to apply basic IT security principles, says internet security expert Ira Winkler.
By failing to apply what is known about how to prevent cyber attacks, these organisations are adding their computing power to criminal botnets, Winkler told the RSA Conference 2009 in London.
The Russian denial of service attacks on Georgia are probably the only example we have of true information warfare, but they proved that cyber attacks can be used for military purposes, he said.
Every organisation can help reduce that threat by securing their networks to the best possible level, which often amounts to good IT system administration, he said.
By simply ensuring IT systems are as secure as is reasonably possible, system administrators would eradicate most botnets that could be used for information warfare.
"System administrators are really the ones at the frontline of defence, not IT security professionals," said Winkler.
Seldom is there anything new in cyber attacks, as most use the same set of known vulnerabilities in underlying IT systems or user behaviours.
Winkler, who is president of the Internet Security Advisors Group (ISAG), said far too many people are talking about information warfare without taking any action.
But businesses have an important role to play. If they take care of the smaller, manageable threats, they will take care of the bigger threats like the super attack capability enabled by botnets, he said.
"We can't effectively mitigate cyber threats, but we must and can mitigate the underlying vulnerabilities, both technical and human, that those threats exploit," said Winkler.
Businesses can find out which vulnerabilities cybercriminals are exploiting. It is within their power to eliminate those vulnerabilities, which in effect will remove the threat.
"This is a really simple and effective thing to do, yet few organisations are actually doing it," said Winkler.
Protecting systems by doing security right is one part of a successful strategy, but organisations must also acknowledge that they may still be attacked, and have proper detection systems in place.
The final piece is to know exactly what you are going to do in the event of an attack, which is often neglected because too much time is spent on discussing the potential threat, said Winkler.