How to Protect Your Company from Cyber Attacks in 2015

Last year will long be remembered as the year when cyber attacks became front page news. No institution was spared — public companies, government agencies or non-profits. Heading into 2015, we have just reached the first mile of a race without a finish line, and time is of the essence when it comes to understanding the sophistication and complexity of cyber attacks.

Most cyber attacks fall into one of three main threat types:

- attacks on a network’s confidentiality, causing theft or release of secure information such as credit card or Social Security numbers;

- attacks on a network’s availability, either by overwhelming it with so many requests that the site becomes inoperable or by injecting code that redirects traffic away from the site; and

- attacks on a network’s physical integrity, which alter or destroy computer code, causing damage to the network’s infrastructure.

In 2015, here are seven resolutions to help protect your company against cyber threats:

1. Tighten Your Vendor Network

If there is one key takeaway from the cyber attacks of 2014, it’s that passwords are dead. Hackers gained access to Fortune 100 companies by stealing passwords and log-in credentials of smaller vendors, including air conditioning and food delivery companies. Replace your single passwords with two-factor authentication, or “2FA.” A good example of 2FA is withdrawing money from an ATM: it requires two authentications, your bankcard and your password. Another example is signing on to a Bloomberg terminal, which requires a password and then, using biometrics, a fingerprint swipe as a second form of authentication that cannot easily be stolen. You should require 2FA of all vendors or employees who log on to your networks remotely.
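To make the second factor concrete, here is an added example (not from the article) of a remote vendor login that requires both a password and a time-based one-time code from a token, as described by RFC 6238; the vendor record, password and salt are constructed, and the TOTP secret is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo record for a vendor that connects remotely. In practice the
# TOTP secret is provisioned into the vendor's authenticator app or hardware
# token; the secret used here is the RFC 6238 test-vector secret.
SALT = b"constructed-demo-salt"
DEMO_USERS = {
    "hvac-vendor": {
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    },
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps)."""
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * 30).encode(), code.encode())
        for drift in range(-window, window + 1)
    )


def authenticate(username: str, password: str, code: str,
                 unix_time: Optional[int] = None) -> bool:
    """Remote login succeeds only if BOTH factors check out:
    something known (the password) and something held (the token's code)."""
    user = DEMO_USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if unix_time is None else unix_time
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000),
        user["password_hash"],
    )
    otp_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and otp_ok
```

A stolen password alone fails `authenticate`, because the six-digit code changes every 30 seconds and can only be produced by whoever holds the token's secret.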

2. Detonate Malware

“Spear phishing” is an easy and effective way to attack a network. Hackers obtain the names of your friends from your public social media accounts and then send you a personal note that appears to come from someone you know and trust. When you click on the attachment or link, the email installs “malware” on your network. One solution for malware is “detonation” software. Once an email carrying malware is opened, but before the malware can leave your network with critical information, the attachment is run (“detonated”) in a “sandbox” to test whether it tries to route traffic to an inappropriate site.

3. Guard Your “Crown Jewels”

What information matters the most to you? Is it a secret formula, proprietary IP, Social Security or credit card numbers, sensitive health care data or non-public financial information? Once you determine your company’s most important and sensitive information, compartmentalize it from the rest of your technology and network operations.

4. Develop a Cyber Attack Response Plan – Now

Develop a plan and practice it regularly. As part of your plan, hire a forensic investigatory firm to review your network and your response plan.

5. Conduct “Penetration” Tests

Engage a third-party firm to conduct “penetration tests” to identify weaknesses in your company’s IT network and infrastructure. Based on the findings, make the necessary security improvements and comply with disclosure requirements. For example, the SEC has published guidance regarding the responsibilities of public companies to inform investors about cybersecurity vulnerabilities.

6. Embrace the Government

When it comes to cyber attacks, the famous saying that “we are from the government and we are here to help” couldn’t be more true. The U.S. government has been far out front of the business community in understanding the significance of cyber threats. Current and former cabinet officials have warned for years about the risk of a “cyber Pearl Harbor” or “cyber 9/11.” The Secret Service and FBI have repeatedly alerted unaware public companies that their systems were breached — even though neither agency was under any obligation to do so. Don’t wait until after an attack to build relationships with key officials at the FBI, the Department of Homeland Security and the Department of Justice.

7. Kick the Tires in M&A

Traditionally, the biggest security risk in a merger or acquisition transaction was confidentiality. Increasingly, cyber risk is becoming a critical, and often overlooked, factor. Heed the Department of Homeland Security’s recent warning about cyber risks in companies that you may consider buying or investing in and conduct cyber audits as part of routine due diligence.

In 2014, the focus of many cyber attacks was stolen credit cards and financial crime. In the future, the threat will likely escalate to physical damage of technology networks and infrastructure.

During the 2014 December holiday season, the German government reported a cyber attack that caused “massive damage” to an iron plant. Utilizing a spear phishing attack, hackers disabled the electronic controls that turned off the plant’s furnaces, causing damage to the entire plant.

What new forms of cyber attacks will 2015 bring? Don’t wait to find out. Start 2015 off right by implementing these resolutions to help protect your company from ever-present cyber threats.

(Fortune China)

Peter J. Beshar is Executive Vice President and General Counsel of Marsh & McLennan.