The cyber attack on Sony Pictures raises the question of what companies can do to protect their internet assets.
One of the first things to realise is an attack on a company website, for example, would be on all internet assets. So email servers and other specialist servers – such as the virtual private network terminator, file transfer or file drop box and so on – are in the firing line.
So, what to do? Companies should maintain all their IT infrastructure – the whole infrastructure, not just the internet-facing parts – to the latest supported versions of software and/or firmware and implement security patches with the minimum of delay.
Where elements of a company’s internet service are outsourced, the contract with the supplier should adequately cover these points and those identified later.
Other key areas include ensuring the infrastructure and internet connectivity are subject to regular – annual, at least – security health checks/penetration testing.
It should also be ensured there is a viable and regularly tested backup system; firewall rule sets are regularly reviewed for fitness for purpose, together with the configuration settings for other infrastructure devices; that there are no default passwords; and documentation is maintained and up-to-date.
Operationally, there should be a nominated person (or help desk) to whom staff can report problems and that person should have up-to-date contact details for the company's internet service supplier and, where applicable, external hosting supplier. This information will be crucial when a company finds itself under attack – particularly a sustained distributed denial-of-service (DDoS) attack.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.