
How to Ensure Your Company Is Safe from Cyber Attacks in [year]


Last year will long be remembered as the year when cyber attacks became front page news. No institution was spared — public companies, government agencies or non-profits. Heading into 2015, we have just reached the first mile of a race without a finish line, and time is of the essence when it comes to understanding the sophistication and complexity of cyber attacks.



Most cyber attacks fall into one of three main threat types:


- attacks on a network’s confidentiality, causing theft or release of secure information such as credit card or Social Security numbers;


- attacks on a network’s availability, by overwhelming it with so many requests that the site becomes inoperable, or by injecting code that redirects traffic away from the site; and


- attacks on a network’s physical integrity, which alter or destroy computer code and cause damage to the network’s infrastructure.


In 2015, here are seven resolutions to help protect your company against cyber threats:


1. Tighten Your Vendor Network


If there is one key takeaway from the cyber attacks of 2014, it’s that passwords are dead. Hackers gained access to Fortune 100 companies by stealing the passwords and log-in credentials of smaller vendors, including air conditioning and food delivery companies. Replace password-only logins with two-factor authentication, or “2FA.” A good example of 2FA is withdrawing money from an ATM: it requires two forms of authentication, your bankcard and your password. Another example is signing on to a Bloomberg terminal, which requires a password and then, using biometrics, a fingerprint swipe as a second form of authentication that cannot easily be stolen. You should require 2FA of all vendors or employees who log on to your networks remotely.
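As an added example (not from the column or from Marsh & McLennan), the second factor most often added to a remote vendor login is a time-based one-time password. The Python below implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library and a login check that requires both a salted password hash match and a valid code, so a stolen vendor password alone no longer opens the network. The user record, salt and secret are constructed test data; the secret is the RFC 6238 reference key, so the codes can be checked against the RFC’s published vectors.

```python
import hashlib
import hmac
import struct

# Constructed demo data. Assumption: in a real deployment the TOTP secret is
# provisioned at enrolment and stored encrypted, never in source or config.
DEMO_SALT = b"constructed-salt"
DEMO_SECRET = b"12345678901234567890"  # RFC 6238 reference key (test data)


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    # Slow, salted hash so a leaked store cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store keyed by vendor account name.
USERS = {
    "vendor-hvac": {"pw": hash_password("correct horse"), "totp": DEMO_SECRET},
}


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift.
    The comparison is constant-time so a wrong code leaks nothing about which digits matched."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated and both must pass."""
    user = USERS.get(username)
    if user is None:
        hash_password(password)  # burn the same work so unknown users are not faster to probe
        return False
    pw_ok = hmac.compare_digest(hash_password(password), user["pw"])
    otp_ok = verify_totp(user["totp"], code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vector for this key is 287082.
    print(login("vendor-hvac", "correct horse", "287082", 59))
```

The `window` parameter is the usual trade-off: one step either side tolerates small clock skew between the server and the vendor’s authenticator, while a wider window lengthens the period during which an intercepted code stays valid. A production check would also record used codes so the same one cannot be replayed within its window.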


2. Detonate Malware


“Spear phishing” is an easy and effective way to attack a network. Hackers obtain the names of your friends from your public social media accounts and then send you a personal note that appears to come from someone you know and trust. When you click on the attachment or link, the email installs “malware” on your network. One solution for malware is “detonation” software: once an email with malware is opened, but before it can leave your network with critical information, the attachment is detonated in a “sandbox” to test whether it is trying to route data to an inappropriate site.


3. Guard Your “Crown Jewels”


What information matters the most to you? Is it a secret formula, proprietary IP, Social Security or credit card numbers, sensitive health care data or non-public financial information? Once you determine your company’s most important and sensitive information, compartmentalize it from the rest of your technology and network operations.


4. Develop a Cyber Attack Response Plan – Now


Develop a plan and practice it regularly. As part of your plan, hire a forensic investigatory firm to review your network and your response plan.


5. Conduct “Penetration” Tests


Engage a third-party firm to conduct “penetration tests” to identify weaknesses in your company’s IT network and infrastructure. Based on the findings, make the necessary security improvements and comply with disclosure requirements. For example, the SEC has published guidance regarding the responsibilities of public companies to inform investors about cybersecurity vulnerabilities.


6. Embrace the Government


When it comes to cyber attacks, the famous saying that “we are from the government and we are here to help” couldn’t be more true. The U.S. government has been far out front of the business community in understanding the significance of cyber threats. Current and former cabinet officials have warned for years about the risk of a “cyber Pearl Harbor” or “cyber 9/11.” The Secret Service and FBI have repeatedly alerted unaware public companies that their systems were breached — even though neither agency was under any obligation to do so. Don’t wait until after an attack to build relationships with key officials at the FBI, the Department of Homeland Security and the Department of Justice.


7. Kick the Tires in M&A


Traditionally, the biggest security risk in a merger or acquisition transaction was confidentiality. Increasingly, cyber risk is becoming a critical, and often overlooked, factor. Heed the Department of Homeland Security’s recent warning about cyber risks in companies that you may consider buying or investing in and conduct cyber audits as part of routine due diligence.


In 2014, the focus of many cyber attacks was stolen credit cards and financial crime. In the future, the threat will likely escalate to physical damage of technology networks and infrastructure.


During the 2014 December holiday season, the German government reported a cyber attack that caused “massive damage” to an iron plant. Utilizing a spear phishing attack, hackers disabled the electronic controls that turned off the plant’s furnaces, causing damage to the entire plant.


What new forms of cyber attacks will 2015 bring? Don’t wait to find out. Start 2015 off right by implementing these resolutions to help protect your company from ever-present cyber threats.

(Fortune China)

Peter J. Beshar is Executive Vice President and General Counsel of Marsh & McLennan.

