订阅

多平台阅读

微信订阅

杂志

申请纸刊赠阅

订阅每日电邮

移动应用

管理

防范黑客要从公司高层做起

Shelley DuBois 2011年07月13日

解决数字安全问题已经不能再只靠IT部门了。企业高层必须从一开始就参与其中。

    如果一支有电脑行家组建的精锐部队想要黑进你公司的网络,他们很可能会得手。不过,如果就连一个闲得无聊的菜鸟黑客也能攻陷你的系统的话,这就有问题了。而且这个问题的根源并不在于公司的技术薄弱,而在于公司的管理。

    以今年四月份开始索尼公司遭受的一系列黑客入侵为例,标枪战略研究公司(Javelin Strategy & Research)的高级安全性分析师菲尔•布兰克指出,索尼遭受的一系列黑客入侵是由一个叫LulzSec的组织发起的,这个组织带有一些恶作剧性质,他们使用的黑客手法极为简单,连高中生都能掌握。

    黑客袭击事件之后,索尼对负责网络安全的管理人员进行了换血。今年五月,索尼公司任命原索尼全球解决方案(Sony Global Solutions)总裁酒井文明为公司的代理首席信息安全官——这是索尼被“黑”后新增设的一个职位。

    布兰克表示,许多公司都已经设立了专门负责信息安全的高级职位,这标志着他们迈出了重要的第一步。虽说这些负责信息安全的管理人员可能无法阻止技术含量极高的黑客攻击,但起码他们可以避免公司出现低级的安全漏洞。美国电信运营商AT&T的首席信息安全官爱德华•阿莫鲁索表示,信息安全人员重要的工作,可能就是要把信息安全部门和公司的其他部门整合到一起,而这并不是一个简单的任务。

    像IT员工一样,信息安全人员也是动辄满口术语和行话,不仅其他部门的员工听不懂,许多高管也摸不着头脑。

    不过可能是出于情势所迫,现在高管们对信息安全的术语也是越来越门儿清了。阿莫鲁索说道:“过去6个月里发生了一些网络攻击事件,它们甚至动摇了某些企业的根本。网络安全性问题无疑已经成了一个上升到董事会层面的重大问题。”

    任命了负责信息安全的高管后,下一步则是要从每个项目的一开始,就让信息安全团队参与其中。这一点非常重要,尤其是在公司各个互不相干的分支机构开发新技术的时候。阿莫鲁索表示,信息安全专家常常会在公司的某一个项目里发现漏洞,而他们之前甚至根本不知道这个项目的存在。

    不仅公司的管理层要将信息安全视为头等要务,信息安全人员本身也要向管理层做出一些妥协,要尽量使自己传递的信息变得更加有趣易懂。阿莫鲁索表示:“我们都从IT主管那里收到过长达三页、措辞严肃的备忘录。看完开头两句话,你就不知道它下面说的是什么了。这样是没法让人认清问题的。”

    如果执行得力的话,员工的信息安全意识会有助于企业防范一些基本的网络攻击。员工往往会犯一些低级的错误,比如点击了一个外部附件,或是点击了一个陌生的网址,这样一来,黑客就有了接触公司信息的机会。

    这些小错也能酿成大祸。一旦黑客侵入系统,他们就可以对系统内某些看似不相关的信息进行编译,比如账户、生日和电子邮件地址等,然后对它们进行交叉链接,从而发动另一轮相当复杂的攻击。布兰克表示:“过去人们可以决定哪些信息是值得保护的,哪些是不值得保护的,但是现在这种日子已经一去不复返了。”现在任何信息都需要保护。

    布兰克还表示,管理人员可以雇佣一些善意的黑客——也就是所谓的“白客”来指点迷津,以避免系统受到某些并非很复杂的攻击。这样可以使技术人员知道哪些地方有可能出现问题,以免某些恶意的黑客趁虚而入。

    当然,没有什么办法能保证所有信息都绝对安全。但企业只需采取简单的措施,就可以避免遭受低水平的攻击。随着基于网络的应用程序以及移动设备在企业中的应用越来越广,信息安全也必将成为管理层经常讨论的问题。

    译者:朴成奎

    If a team of mastermind computer experts wants to hack your company's network, it probably will. But if any rookie hacker with some time to kill can crack your system, that's a problem. And the problem doesn't start with poor technology; it starts with management.

    Take, for example, the series of hacks on Sony (SNE) that began in April: they were launched by a prank hacker group called LulzSec, which used a method so simple that a high school kid could master it, says Phil Blank, senior security analyst at Javelin Strategy & Research.

    In response to the attack, Sony revamped its security management. In May, the company appointed Sony Global Solutions president Fumiaki Sakai as acting chief information security officer -- a position the company didn't have before.

    In fact, many companies have created top-level positions for security information officers, and that's an important first step, Blank says. While security officers may not be able to prevent highly sophisticated attacks, they can help protect companies from simple security breaches. Perhaps their most important job, according to Edward Amoroso, AT&T's (T) chief information security officer, is to integrate the security department with the rest of the company, which is no simple task.

    Like IT employees, information security types tend to speak in a somewhat geekier dialect than the rest of a company's rank-and-file, one that can be hard for many executives to understand.

    But, perhaps out of necessity, executives are becoming better versed in security lingo, Amoroso says: "We've seen some attacks in the last six months that have shaken the very foundation of some of the firms involved. There's no question that computer network security is becoming a board-level issue."

    After putting someone in charge of the security effort, the next step is to include the security team in projects from the get-go. This is important, Amoroso says, especially as disparate branches of companies explore new technology. Often, he says, security experts will discover a breach in a project they didn't even know existed.

    While a company's brass must make information security a priority, security personnel also need to meet management half way by making their messages interesting and accessible, Amoroso says. "We've all gotten those serious, three-page memos from some IT administrator, but by the third sentence, you don't know what they're talking about. That's not the way to do awareness."

    If done effectively, employee awareness can help prevent basic attacks. Employees often make simple mistakes like clicking on a foreign attachment or a link with a strange URL, which allows hackers to access a company's information.

    These small mess-ups can cause a disproportionate amount of damage. Once inside the system, hackers can compile seemingly discrete pieces of information -- account numbers, birthdays, email addresses -- and cross-link them to launch fairly complicated attacks, says Blank: "The days are now gone when people could decide what information is worthy of protection and what is not." Instead, you have to protect it all.

    Blank says that managers can help prevent less sophisticated attacks by hiring benevolent, or "white hat," hackers to try to crack the system. This gives the tech staff a heads up to potential problems before they're rooted out by less benevolent hackers.

    There's no way to secure everything, of course, but companies can prevent low-level hacks by taking a few simple steps. And with web-based applications and mobile devices practically de rigeur in the corporate world, security discussions will need to become even more common among the executive set.

我来点评

相关稿件

  最新文章

最新文章:

500强情报中心

财富专栏