Business infrastructure systems increasingly under political attack

Published on the 04/10/2010 | Written by Newsdesk


A new Symantec survey reveals half of the infrastructure providers questioned have experienced politically motivated cyber attacks…

Participants in its latest Critical Information Infrastructure Protection survey claim to have experienced such attacks an average of 10 times in the past five years, incurring an average cost of US$850,000 to their businesses.

Survey participants from the energy industry reported that they were best prepared for such an attack, while participants from the communications industry reported that they were the least prepared. Critical infrastructure providers represent industries that are of such importance either to a nation’s economy or society that if their cyber networks were successfully attacked and damaged, the result would threaten national security.

“Critical infrastructure protection is not just a government issue. In countries where the majority of a nation’s critical infrastructure is owned by private corporations, in addition to large enterprises, there is also the significant presence of small and medium-sized businesses,” said Justin Somaini, chief information security officer at Symantec Corp.

“Security alone is not enough for critical infrastructure providers of all sizes to withstand today’s cyber attacks. The Stuxnet worm that is targeting energy companies around the world represents the advanced kind of threats that require security, storage and back-up solutions, along with authentication and access control processes to be in place for true network resiliency.”

Survey Highlights

  • Critical infrastructure providers are being attacked. Fifty-three percent of companies suspected they had experienced an attack waged with a specific political goal in mind. Of those hit, the typical company reported being attacked 10 times in the past five years. Forty-eight percent expect attacks in the next year and 80 percent believe the frequency of such attacks is increasing.
  • Attacks are effective and costly. Respondents estimated that three in five attacks were somewhat to extremely effective. The average cost of these attacks was $850,000 over five years.
  • Industry is willing to partner with government on CIP. Nearly all of the companies (90 percent) said they have engaged with their government’s CIP programme, with 56 percent being significantly or completely engaged. In addition, two-thirds have positive attitudes about programmes and are somewhat to completely willing to cooperate with their government on CIP.
  • Room for readiness improvement. Only one-third of critical infrastructure providers feel extremely prepared against all types of attacks and 31 percent felt less than somewhat prepared. Respondents cited security training, awareness and comprehension of threats by executive management, endpoint security measures, security response and security audits as the safeguards that needed the most improvement. Finally, small companies reported being the least prepared.

Symantec is recommending businesses:

  • Develop and enforce IT policies and automate compliance processes. By prioritising risks and defining policies that span across all locations, organisations can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.
  • Protect information proactively by taking an information-centric approach. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access and how to protect it as it is coming into or leaving your organisation. Utilise encryption to secure sensitive information and prohibit access by unauthorised individuals.
  • Authenticate identities by leveraging solutions that allow businesses to ensure only authorised personnel have access to systems. Authentication also enables organisations to protect public facing assets by ensuring the true identity of a device, system or application is authentic. This prevents individuals from accidentally disclosing credentials to an attack site and from attaching unauthorised devices to the infrastructure.
  • Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency and monitoring and reporting on system status.
  • Protect the infrastructure by securing endpoints, messaging and web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organisations also need the visibility and security intelligence to respond to threats rapidly.
  • Ensure 24×7 availability. Organisations should implement testing methods that are non-disruptive, and they can reduce complexity by automating failover. Virtual environments should be treated the same as physical environments, which shows the need for organisations to adopt more cross-platform and cross-environment tools, or standardise on fewer platforms.
  • Develop an information management strategy that includes an information retention plan and policies. Organisations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free up resources, use a full-featured archive system and deploy data loss prevention technologies.
