Google cyber attacks are a call to action, say security advisors

Disclosures of cyber attacks on Google, Adobe and more than 20 other companies in December provide evidence that cyber espionage is a real and present danger.

Disclosures of cyber attacks on Google, Adobe and more than 20 other companies in December provide evidence that cyber espionage is a real and present danger.

Google and Adobe are the only companies so far to admit that they were among the group of companies hit by individually targeted attacks originating in China.

The attacks prove these threats are no longer the stuff of science fiction, and should be taken seriously by the public and private sectors alike, say security advisors.

These attacks are widespread and routine, according to security firm F-Secure, which claims to have worked with dozens of companies that have kept such attacks quiet.

"Not a single one of these companies went public with the information," says Mikko Hypponen, chief researcher at F-Secure, in a blog post.

Top marks to Google and Adobe for breaking the silence, says director of the cyber security programme, Digital Systems Knowledge Transfer Network.

"The only way overall security will improve is if organisations are open about these attacks and share information with others," he says.

Time for a security review

Hopefully the latest attacks will prompt organisations to review their security and perhaps even discover breaches that have remained hidden for some time, he says.

"The problem is organisations are often unaware they have been infiltrated and do not take seriously threats they cannot see," says Dyhouse.

Only when organisations see evidence of such attacks, or really understand the potential impact of cyber espionage on their business, will they take any action, he says.

Graham Titterington, principal analyst at Ovum, says the attacks should be a warning to companies to think about the trustworthiness of their business partners.

Google is insisting it has enough security expertise on hand to deal with the problem and has been swift to try to assure Gmail users it has the matter in hand by introducing encryption of all e-mail content.

Cloud presents risk

But Toby Stevens, director of the Enterprise Privacy Group, says while this is a welcome development for online security and privacy, it is only one part of the puzzle.

From a corporate perspective, cloud computing still poses a risk, he says, and the evidence of Google's fallibility, which applies equally to any other cloud service provider, should be a wake-up call for organisations.

"Any business that allows sensitive personal or commercial information to enter the cloud without adequate controls is at risk from similar attacks," says Stevens.

Dyhouse says the attacks will serve to confirm corporate concerns about the security of cloud computing and could further delay moves to the model.

Encryption and access control

Alan Paller, director of research at the SANS Institute, says the attacks confirm the threat of pervasive and sophisticated espionage attacks on all organisations.

Most commercial security tools are ineffective against these attacks and deterrence works minimally at best, he says.

According to Paller, the only way organisations can protect data effectively is by using the right combination of encryption and access control.

The only other practical strategy is to assemble or get access to small teams of people with the right motivation and skills to stop these attacks.

This will require people with a deep and current understanding of operating systems and major database vulnerabilities, attack methods, intrusion detection and packet analysis and log analysis, reverse engineering, software security, and targeted counter-intelligence, says Paller.

"We have proof this works through a comparison of the impact of the same Chinese attack on two US agencies - one that had conventional skills and tools and one that had the combination of skills listed," he says.

Across the board, security and privacy advisors say that at the very least, the attacks disclosed by Google and Adobe should be a call to action for all businesses.

Read more on IT risk management