Last year will long be remembered as the year when cyber attacks became front page news. No institution was spared — public companies, government agencies or non-profits. Heading into 2015, we have just reached the first mile of a race without a finish line, and time is of the essence when it comes to understanding the sophistication and complexity of cyber attacks.
Most cyber attacks fall into one of three main threat types:

- attacks on a network’s confidentiality, causing theft or release of secure information such as credit card or Social Security numbers;
- attacks on a network’s availability by overwhelming it with so many requests that it renders the site inoperable, or by injecting code that redirects traffic away from the site; and
- attacks on a network’s physical integrity which alters or destroys computer code causing damage to the network’s infrastructure.

In 2015, here are seven resolutions to help protect your company against cyber threats:

1. Tighten Your Vendor Network

If there is one key takeaway from the cyber attacks of 2014 it’s that passwords are dead. Hackers gained access to Fortune 100 companies by stealing passwords and log-in credentials of smaller vendors, including air conditioning and food delivery companies. Replace your single passwords with two-factor authentication or “2FA.” A good example of 2FA is withdrawing money from an ATM – it requires two authentications — your bankcard and your password. Another example is signing on to a Bloomberg terminal, which requires a password and then, using biometrics, requires a fingerprint swipe for a second form of authentication that cannot easily be stolen. You should require 2FA of all vendors or employees who log on to your networks remotely.

2. Detonate Malware

“Spear Phishing” is an easy and effective way to attack a network. Hackers obtain names of your friends from your public social media accounts and then send you a personal note that appears to come from someone you know and trust. When you click on the attachment or link, the email installs “malware” on your network. A solution for malware is “detonation” software. Once an email with malware is opened but before it can leave your network with critical information, it is detonated in a “sandbox” to test whether it is being routed to an inappropriate site.
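The two-factor authentication that resolution 1 recommends for vendors and employees who log on remotely can be shown concretely. The Python example below is added here and is not code from the article or from Marsh McLennan: it implements the second factor as a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226), checks it together with a salted password hash, and refuses a code that has already been accepted. The `VendorAccount` class, the `authenticate` function, the "hvac-vendor" account, its password and the fixed clock are constructed for the example; the 20-byte secret is the RFC 6238 test secret, and a real deployment would generate one per account.

```python
"""Two-factor login check: salted password hash plus a TOTP code (RFC 6238 over RFC 4226 HOTP).

Added example, not code from the article. The account record, user name,
password and fixed clock are constructed; the secret is the RFC 6238 test secret.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, at_time // step, digits)


class VendorAccount:
    """Constructed account record for a remote vendor login."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret   # shared with the vendor's authenticator app
        self.last_counter = -1           # newest time step already accepted (replay guard)

    @classmethod
    def _hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, self._hash(password, self.salt))

    def check_totp(self, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
        """Try the current step first, then +/- `window` steps for clock drift; each step once."""
        if not code.isdigit():
            return False                 # a code is always decimal digits; reject anything else
        current = at_time // step
        for drift in sorted(range(-window, window + 1), key=abs):
            counter = current + drift
            if counter <= self.last_counter:
                continue                 # already consumed: a captured code cannot be replayed
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                self.last_counter = counter
                return True
        return False


def authenticate(accounts: dict, username: str, password: str, code: str,
                 at_time: Optional[int] = None, window: int = 1) -> bool:
    """Remote login succeeds only when the password and the one-time code both verify."""
    at_time = int(time.time()) if at_time is None else at_time
    account = accounts.get(username)
    if account is None:
        return False
    # The TOTP step is consumed only after the password has verified, so someone holding
    # a captured code but not the password cannot burn the legitimate user's code.
    return account.check_password(password) and account.check_totp(code, at_time, window)


def demo() -> dict:
    """Constructed scenario: a stolen password alone is refused; password plus code is accepted once."""
    secret = b"12345678901234567890"     # RFC 6238 test secret; use secrets.token_bytes(20) per account in practice
    user, pw = "hvac-vendor", "correct horse battery staple"
    accounts = {user: VendorAccount(user, pw, secret)}
    now = 1234567890                     # fixed clock so the run is reproducible
    code = totp(secret, now)             # "005924": what the vendor's authenticator app shows
    return {
        "password_only": authenticate(accounts, user, pw, "", now),                 # no second factor
        "both_factors": authenticate(accounts, user, pw, code, now),                # accepted
        "replayed_code": authenticate(accounts, user, pw, code, now, window=0),     # same code again
        "wrong_password": authenticate(accounts, user, "guess", code, now),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} -> {'accepted' if accepted else 'refused'}")
```

The drift window accepts the neighbouring 30-second steps because the vendor's device and the server clock rarely agree exactly; the `last_counter` guard is what keeps that tolerance from turning an intercepted code into a reusable credential, which is the property the article is after when it says a second factor "cannot easily be stolen".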
3. Guard Your “Crown Jewels”

What information matters the most to you? Is it a secret formula, proprietary IP, Social Security or credit card numbers, sensitive health care data or non-public financial information? Once you determine your company’s most important and sensitive information, compartmentalize it from the rest of your technology and network operations.

4. Develop a Cyber Attack Response Plan – Now

Develop a plan and practice it regularly. As part of your plan, hire a forensic investigatory firm to review your network and your response plan.

5. Conduct “Penetration” Tests

Engage a third-party firm to conduct “penetration tests” to identify weaknesses in your company’s IT network and infrastructure. Based on the findings, make the necessary security improvements and comply with disclosure requirements. For example, the SEC has published guidance regarding the responsibilities of public companies to inform investors about cybersecurity vulnerabilities.

6. Embrace the Government

When it comes to cyber attacks, the famous saying that “we are from the government and we are here to help” couldn’t be more true. The U.S. government has been far out front of the business community in understanding the significance of cyber threats. Current and former cabinet officials have warned for years about the risk of a “cyber Pearl Harbor” or “cyber 9/11.” The Secret Service and FBI have repeatedly alerted unaware public companies that their systems were breached — even though neither agency was under any obligation to do so. Don’t wait until after an attack to build relationships with key officials at the FBI, the Department of Homeland Security and the Department of Justice.

7. Kick the Tires in M&A

Traditionally, the biggest security risk in a merger or acquisition transaction was confidentiality. Increasingly, cyber risk is becoming a critical, and often overlooked, factor. Heed the Department of Homeland Security’s recent warning about cyber risks in companies that you may consider buying or investing in and conduct cyber audits as part of routine due diligence.
In 2014, the focus of many cyber attacks was stolen credit cards and financial crime. In the future, the threat will likely escalate to physical damage of technology networks and infrastructure.

During the 2014 December holiday season, the German government reported a cyber attack that caused “massive damage” to an iron plant. Utilizing a spear phishing attack, hackers disabled the electronic controls that turned off the plant’s furnaces, causing damage to the entire plant.

What new forms of cyber attacks will 2015 bring? Don’t wait to find out. Start 2015 off right by implementing these resolutions to help protect your company from ever-present cyber threats.

(Fortune China)

Peter J. Beshar is Executive Vice President and General Counsel of Marsh McLennan.