Companies must plan for ‘zero-day’ attacks

Users must deploy business continuity plans which assume that hackers will breach their corporate defences, the IT security directors from some of the UK’s largest firms said last week.

Companies can no longer take it for granted that traditional security defences, such as firewalls and intrusion detection systems, will protect them, the IT directors of ICI, ABN Amro, Standard Chartered Bank and the Post Office told delegates at the Infosecurity Europe show.

The directors, founder members of the Jericho security forum, a group of 30 of the biggest IT users in the UK, said businesses will have to radically rethink their approach to security if they are to stay ahead of computer criminals.

"We have to accept that vulnerabilities exist. We have to accept that people will always try to exploit them and we will get hit. We have to have plans to deal with that," said Paul Stimpson, global head of technology risk management at ABN Amro.

Fred Cohen, principal analyst at analyst firm Burton Group, said that, within a year, patch management would be inadequate to combat the speed with which potential threats are exploited.

Hackers are creating automated development tools that will identify the changes a patch makes to software within 15 minutes of its release, Cohen said. The tools would generate worms before anyone had time to test and install the patch. Within a year hackers will be in a position to distribute viruses before IT directors have had time to apply patches - a zero-day attack.

David Lacey, global information security director at Royal Mail, said businesses should plan for zero-day attacks now, not wait for the problem to occur. IT directors will have to explain to the board that their expensive security systems will provide no guarantee of protection, he added.

Firms will have to respond instantly to new security patches, even if this means installing them without testing them, said Paul Simmonds, global information security director at ICI.

"You will have to re-organise your business. It means having dual redundant operating systems, so you can take one down and patch the other," he said.

Graham Titterington, principal analyst at Ovum, advised patching non-critical IT infrastructure immediately but leaving critical applications until after the effect of the patch has been assessed.

Suppliers must design systems that are more rugged, he said. They will have to be able to restart after a failure, correct any corrupted data and return the user to the point where the failure occurred.