Cyber Security: Protect yourself from the "dark side"

We are seeing an ever-increasing number of conversations in the media about "cyber space" and the "cyber war". Is this likely to affect you personally? How can you play your part in this "cyber war"? The battlefield is global "cyber space", all of those IT systems connected to the internet, including those of government, industry, businesses and the home and mobile user. The recruits for this war are not just human: they are computers, mobile phones, even computer discs and "memory sticks".

Indeed, several factors are colliding that heighten the threat to you, your personal computer and your business:

  • The "arms race" between the attackers and the defenders has reached a critical point at which computer systems need to be updated more than once a day;
  • The "delay" between a new type of attack being found and its defence developed means that traditional attack recognition approaches are no longer enough - defenders need to use advanced techniques that detect new types of attack on the fly;
  • The level of organisation, sophistication, motivation and professionalism of the attackers has grown in an exponential manner - attack technology is now traded as a commodity on the dark side of cyber space - the chances are that if you are not looking you would not even know that you had been attacked - and the consequences of those attacks grow ever more severe for the government, businesses and citizens alike;
  • The implications have not been lost on the military and intelligence functions of all major nations: some are active participants, exploiting cyber space to support espionage and counter-espionage, coercion against other nation states or internal dissidents, and active fighting against adversaries alongside the traditional military services, while others are interested in developing capability and technology for both offence and defence.

So which side are you on in the cyber war? And which side is your home and business computer on? This article helps you to join the side of the good, and that is essential for your own wellbeing, that of your family, and of your business. It includes a series of tips that can be used at home or at work.

The first thing to realise is that you probably have already been attacked and that attacks will happen with increasing frequency in future: Have you ever been infected by a computer virus? Have you been the victim of online banking fraud, credit card fraud or identity theft? Have you opened a file or clicked on a link to a supposedly plausible email seeming to come from your bank or a friend or colleague? If you run an IT network in your business, how often do you see attacks made on your firewall? If so you have been attacked.

The next step is to put up the best defence, and you need to defend at home and at work. Defence comprises two methods: pro-active, that is, being aware of the attacks that can occur and looking out for signs of attack; and reactive, that is, being organised so that once an attack occurs you know how to recover from its effects and can take steps to defeat or reduce future attacks.

Questions you should be asking yourself... and your home computer... to keep you both safe from attack

Is all of your incoming traffic fully scanned and examined before it reaches your inbox or web browser?

Make sure to install a full anti-malware software suite on all of your home computers. The best packages scan files on your computer and attached media as you access them, can run a full scan of the whole computer, scan emails as they are sent or received, scan web content as you browse it, and can detect all types of computer viruses. Some packages also include identity protection that warns you if you attempt to enter sensitive details such as credit card numbers and passwords on rogue websites, and can warn you of dangerous websites before you click on them. Go for a package which offers automatic updates on an hourly basis.

Do you know which protection packages are the best right now?

The Virus Bulletin (www.virusbtn.com) is a good online independent source of information on the current performance of all major anti-malware vendors. Once you have chosen your package, install it and ensure all of its features are enabled and always active. As well as the "on access" scanning provided by anti-malware software it is also advisable to have:

  • A "full scan" scheduled to run on at least a weekly basis to check for malware that may have by-passed the "on access" scanning;
  • A "recovery" CD-ROM created from the anti-malware package to enable the computer to be started from the CD-ROM if it becomes infected with a virus. This CD-ROM should also be used on older computers prior to installing anti-malware (if you install anti-malware on a computer that is already infected then it may not work).

Do you have a 'NAT' firewall?

When setting up a home network make sure your broadband router includes a "NAT" firewall function: this protects the bridge between your home network and the internet. For the same reason also enable strong wireless security on the router if you have a wireless network: look for WPA-PSK or WPA2-PSK security options. Also, ensure all computers have a full software firewall installed and always enabled: Windows has included such a firewall since Windows XP SP2. Some anti-malware packages also come with an advanced firewall that includes "intrusion detection" (this will warn you if an incoming attack is detected).

Do you regularly allow updates to run? Is this automatic?

Most attacks rely on faults in old versions of software, so keep your software up to date. Assuming your computer is running a recent operating system (and if it isn't, consider upgrading it) it should include an automated update function. On all versions of Windows this is known as "Windows Update". This allows the latest security updates to be installed on your computer as and when they become available. If you install additional software and it comes with an update option, make sure you install and enable it (this applies especially to Adobe Acrobat Reader, as many recent attacks have been based upon PDF files used by this software).

Do you always use different passwords, and change them regularly?

It is good security to enable passwords and set up individual user accounts on your home computers. Especially change any "default" passwords provided on computers and network routers. Also, be sure to set a password for the "administrator" accounts on each computer.

Use sensible passwords, not easily guessable ones; if the operating system can be set to require regular password changes and strong passwords, consider using this facility. Also do not use the "administrator" account as a matter of course: all everyday user accounts should be set up without the "administrator" option. Many attacks rely on lax security on the target machines: these precautions will defeat all such attacks.

Also, although it is easier to keep using the same password for everything, it increases your vulnerability to an attack: when registering for online sites, select different passwords for different sites (e.g. online banking, web mail and social networking sites), and be prepared to change those passwords if you have fallen victim to identity theft or if you suspect any of them have been "hacked".

Do you KNOW what security settings you are currently using?

Recent flavours of Windows (namely Vista and Windows 7) have added "user account control" security. This has been introduced to warn the user if any item of untrusted software attempts to run on the computer in a dangerous manner. It is enabled by default and should never be turned off. In the Unix, Linux and Mac OS X world a similar function already existed, known as the "superuser" mode: it is important that only trusted software runs in this mode. The important thing generally is: don't skip over unexpected messages presented to you; read them carefully and respond in the safest way possible. Remember this instruction: "Always say NO to untrusted software!" and never disable or reduce the security settings on your operating system, email software, Internet browser or any other software you have installed. Rather, consider familiarising yourself with all of the security settings of your operating system and software and consider applying more stringent settings than they came with (consult the software documentation, online help and official vendor forums).

Are you sceptical of ALL strange messages or does your curiosity sometimes get the better of you?

Be cautious. One of the tricks of the attackers' trade is "social engineering", that is, fooling computer users into revealing sensitive information, making bad choices or even handing over payment. Remember this applies not just in the "cyber" sense (via email and text messages), but also over the telephone (they may be calling you with their keyboard at the ready) or even via "junk mail". Make sure you have any security passwords and codes set up with your bank and other such institutions to allow you to positively identify yourself over the phone or online. Consider subscribing to identity theft services such as those run by Equifax or Experian in the UK so you are notified of any unexpected credit checks made in your name. Most of all, be sceptical of all communications you receive, even emails apparently from friends, family and colleagues: those emails may have been forged, or your correspondents' computers may have been taken over by an attacker. Always ask yourself the question "Would this person really ask me to do this or communicate in this way?" Be especially wary of any attachments and web links included in the email; after you click or open them it could be too late: you could be infected. If it looks too good to be true, it is usually NOT true.

Do you back up your data remotely?

Back up your data. Ensure you have a means to back up your important data on a regular basis and that the backup is stored away from the computer. This not only allows you to recover from a computer or disk failure or from their theft, but if you get attacked or infected by a computer virus that cannot be cleaned, it allows you to recover the data after your computer is re-built (either by yourself or by a computer repair outfit). Remember also that some viruses can disrupt your computer and delete files; without an effective backup all of your data could be irretrievably lost.

Do you keep work and play separate?

Provide a separate machine for computer gaming and free applications downloaded from the internet, separate from the one used for online banking and other sensitive personal uses (including business use). Expect the gaming machine to be compromised with malware and other issues on a regular basis. Perhaps hold a clean CD backup to allow it to be re-built as required. Do not open up network connections between this machine and others, and take care with any media used (ideally never load a CD recorded on, or a memory stick used on, the games machine onto other machines). Better still, use dedicated games console systems, but beware that newer consoles have networking and wireless features that can allow exchange with other computers.

If you are a business user as well as a home user, here is a quick guide to best practice

As a business user you will have more to be concerned about. The computers within your business may be attacked just like home computers, but your business itself may come under direct, targeted, subtle and persistent attack, depending on the value of the information you process and the degree of interest to potential attackers. Threats can come from outsiders, including hackers, activists, journalists, organised crime and competitors, or from insiders, including disgruntled or careless personnel. Their aims can include theft of your intellectual property, online fraud, web-site defacement or disruption of your business (and "cyber extortion"). Or you could be a collateral victim of a more wide-spread cyber-attack (e.g. against utility companies). Your business may also be a component of the critical national infrastructure itself (and therefore on the front-line of the cyber war).

Regardless of the business type you will probably have a particular blend of IT hardware, software and communications technology that exposes a vulnerability footprint which can be exploited by these threats.

All of these factors come together to create a unique risk profile for your business. Hence the one truly holistic way to join the good side of the cyber war is by adopting an information risk management approach, which ensures that the risks to the business have all been correctly identified and addressed. This is something that most businesses struggle to do themselves, and it is the main reason specialist independent consultancies like Amethyst Risk Management Ltd exist.

It's difficult to give generic advice that applies equally to all businesses. However, there are some must-have elements that play an important part in the cyber defences of any business.

First - what pro-active measures can you take?

Do you have comprehensive anti-malware and does it cover all mobile data?

Except for the smaller enterprises, scaling up the approach used for individual computers is likely to be difficult. Hence broader anti-malware solutions are called for that work at the corporate level. It is important to adopt a "defence in depth" approach that ensures information is checked as it enters and leaves the corporate boundary, as it is stored on the organisation's servers and as it resides on the end points, including individual computers and other devices (e.g. mobile phones). Hence a manageable solution is required that enables control of the anti-malware configuration and updating from a central IT service function; the corporate gateway or a managed external email scanning service can also be used to filter spam and check email before it reaches the corporate email servers. If these solutions come from multiple products, so much the better: some anti-malware products may detect certain viruses before others do, so having more than one product can provide a better defence. Smaller enterprises may consider Internet hosted or "cloud" based email solutions, provided that these incorporate anti-malware services.

Are your boundaries well monitored?

Small enterprises will undoubtedly need a managed firewall solution to provide a secure Internet connection (even if this is little more than the home based firewall). Larger enterprises start to need a more sophisticated corporate gateway that includes resilience and security services such as web content filtering, web access controls and, if using remote access, secure virtual private networking. Enterprises that are part of the critical national infrastructure may also require anti-denial-of-service technology and services from their service providers or sponsoring government agency (these can defend against widespread, focused attacks). It is also important for complex organisations to consider not just one outer boundary but a series of internal boundaries that protect business critical systems. Of particular note is the concern over the recent Stuxnet virus, which affects industrial controllers: there need to be effective boundaries between internet facing business systems and the process control networks used by industry.

Are you on the 'watch' for potential intruders?

All enterprises should consider inclusion of "intrusion detection and prevention" technology both at and within the boundary. This will provide rapid and early warning of most types of attack, can manage or defeat many network based attacks, and may also be able to detect suspicious behaviour within the network. However, it is not enough just to have the technology: organisations need to provision monitoring, and in the case of many sizeable businesses today this means constant 24x7 monitoring and management. Such technology involves deployment of "black boxes" attached to strategic points in the network and special "host" agent software installed on business critical servers, both types reporting back to a central monitoring facility.

Do you collect and check logs?

Most business server operating systems come with only rudimentary log recording of their activities. Consider hiring IT specialists to design and set up logging systems according to the function each server performs (e.g. file server, email server, database server). Ideally each server should allow security related events to be recorded and each event clearly attributed to the user who caused it. For this reason it is also important to ensure that each user has their own distinct log-on and that "shared" and "generic" user accounts are not used for security related work. Most importantly, it is not enough just to record information: these logs should be checked frequently and referred to if there are any problems. Consider having the log viewer window open permanently on the desktop of a member of the IT staff. Small and medium businesses may get by using the facilities provided by the servers themselves; however, large, multi-site businesses will probably need a log management system or "security incident and event management" system that collects log reports from across the business estate and reports in real-time to continuously monitored displays (alongside intrusion detection monitoring). It is only by intelligent pro-active monitoring of security activities within the business that attacks can be spotted as they start or are underway: retrospective checking of logs can only tell you about past events.
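As an added illustration of the two points above (attributing each event to a named user, and actually checking the logs rather than merely recording them), the following Python script is not from the article or from Amethyst Risk Management; it is an example written for this page. It parses a handful of constructed syslog-style SSH authentication lines (the host name, user names and addresses are made up) and flags two things an IT staff member watching the log window would want to see: repeated failed log-ons from one address, and successful log-ons to "generic" accounts that cannot be attributed to a person. The list of generic account names is an assumption for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines, not taken from the article. The format imitates
# what an OpenSSH server writes to syslog; host, users and addresses are made up.
SAMPLE_LOG = """\
Mar 10 09:01:02 fileserver sshd[2101]: Accepted password for alice from 10.0.0.12 port 50122 ssh2
Mar 10 09:01:40 fileserver sshd[2105]: Failed password for bob from 10.0.0.77 port 50130 ssh2
Mar 10 09:01:42 fileserver sshd[2105]: Failed password for bob from 10.0.0.77 port 50131 ssh2
Mar 10 09:01:44 fileserver sshd[2105]: Failed password for root from 10.0.0.77 port 50132 ssh2
Mar 10 09:01:46 fileserver sshd[2105]: Failed password for invalid user admin from 10.0.0.77 port 50133 ssh2
Mar 10 09:01:48 fileserver sshd[2105]: Failed password for bob from 10.0.0.77 port 50134 ssh2
Mar 10 09:02:10 fileserver sshd[2110]: Accepted password for admin from 10.0.0.40 port 50140 ssh2
Mar 10 09:05:00 fileserver sshd[2120]: Accepted publickey for carol from 10.0.0.13 port 50150 ssh2
Mar 10 09:05:30 fileserver kernel: [12345.678] eth0: link up
"""

# One sshd authentication line: timestamp, host, result, method, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Shared or generic log-ons that cannot be attributed to one person. The article
# says such accounts should not be used for security-related work; this list is
# an assumption chosen for the example.
GENERIC_ACCOUNTS = {"root", "admin", "administrator", "guest", "service"}


def parse_line(line):
    """Return the fields of one sshd authentication line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, failure_threshold=3):
    """Summarise authentication activity and flag what an operator should look at."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]

    failures = Counter()            # failed attempts per source address
    targeted = defaultdict(set)     # distinct accounts tried per source address
    accepted_by_user = defaultdict(list)
    generic_logons = []

    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
            targeted[e["src"]].add(e["user"])
        else:
            accepted_by_user[e["user"]].append(e["src"])
            if e["user"] in GENERIC_ACCOUNTS:
                generic_logons.append((e["user"], e["src"]))

    return {
        "events": len(events),
        # Repeated failures from one address: password guessing, worth looking at now.
        "brute_force_sources": sorted(s for s, n in failures.items() if n >= failure_threshold),
        "accounts_targeted": {s: sorted(u) for s, u in targeted.items()},
        # Successful log-ons that cannot be attributed to a named person.
        "generic_logons": generic_logons,
        # Every successful log-on attributed to a user, with the addresses it came from.
        "accepted_by_user": {u: sorted(set(s)) for u, s in accepted_by_user.items()},
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The parser deliberately ignores lines it does not recognise (the kernel line above) rather than failing on them, since a real log mixes many sources; the threshold is a parameter so the same routine can be tuned per server.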

Do you manage vulnerabilities across your entire IT estate?

Just as individual computers need updates to be applied to eliminate vulnerabilities, businesses need a comprehensive approach to the management of vulnerabilities within their IT estate. It only needs one unpatched computer to enable an attacker to succeed. Consequently, this problem is most difficult for larger enterprises, which will probably be running a whole series of IT systems of various ages. Furthermore, many legacy and custom applications are fragile to change and the blanket application of security patches can cause them to fail: these are known as "unpatchable systems" and are the greatest area of weakness for businesses. The first step businesses need to take to address this issue is to undertake a vulnerability survey: this can involve engagement of an independent penetration testing team to come into the business and check each critical server for its vulnerability status, or it can be by the occasional or permanent installation of "vulnerability assessment" software to scan all of the enterprise IT platforms. This provides a picture of the IT vulnerabilities within the business. Then strategies need to be developed for patch management within the business and the elimination of vulnerabilities; those systems that cannot be patched may have to be dealt with as special cases, perhaps moved behind an internal firewall or placed in a "semi-trusted" enclave. Remembering that the time to patch is now more than once daily, all businesses should be working towards the eventual elimination of unpatchable systems and have all systems configured for automated update and patch management.
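To show the triage the paragraph above describes in working code, here is an added Python example (not from the article or from Amethyst Risk Management). It takes a constructed inventory of hosts with installed software versions, compares each against a constructed "minimum acceptable version" baseline, and sorts hosts into those that are compliant, those to patch now, those that are unpatchable and so need to be isolated behind an internal firewall or in a semi-trusted enclave, and those for which no baseline exists at all (a coverage gap the survey should close). All host names, product names and version numbers are hypothetical. It also shows a common pitfall: version strings must be compared numerically, or "2.4.9" is judged newer than "2.4.10".

```python
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    product: str
    version: str
    patchable: bool  # False for the "unpatchable" legacy or custom systems the text describes


# Constructed inventory: hypothetical hosts, products and versions, not from the article.
INVENTORY = [
    Asset("web01", "httpd", "2.4.10", True),
    Asset("web02", "httpd", "2.4.9", True),
    Asset("mail01", "exim", "4.72", True),
    Asset("db01", "postgres", "9.2.4", True),
    Asset("plc-gw", "scada-agent", "1.3", False),     # vendor forbids patching this gateway
    Asset("kiosk07", "signage-player", "0.9", True),  # nothing in the baseline covers this
]

# Constructed baseline: the lowest version the business has decided is acceptable.
MINIMUM_SAFE = {"httpd": "2.4.10", "exim": "4.80", "postgres": "9.2.4", "scada-agent": "2.0"}


def version_key(version):
    """Turn '2.4.10' into (2, 4, 10) so that versions compare numerically.

    Comparing the strings directly ranks '2.4.9' above '2.4.10' because the
    character '9' sorts after '1'. Non-numeric components count as 0.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_outdated(installed, minimum):
    """True when the installed version is below the minimum acceptable one."""
    return version_key(installed) < version_key(minimum)


def triage(inventory, baseline):
    """Sort assets into the actions the text describes: leave, patch, or isolate."""
    result = {"compliant": [], "patch_now": [], "isolate": [], "no_baseline": []}
    for asset in inventory:
        minimum = baseline.get(asset.product)
        if minimum is None:
            result["no_baseline"].append(asset.host)   # nobody has defined "safe" for this product
        elif not is_outdated(asset.version, minimum):
            result["compliant"].append(asset.host)
        elif asset.patchable:
            result["patch_now"].append(asset.host)
        else:
            result["isolate"].append(asset.host)       # unpatchable: internal firewall or enclave
    return result


if __name__ == "__main__":
    for action, hosts in triage(INVENTORY, MINIMUM_SAFE).items():
        print(f"{action}: {', '.join(hosts) or '-'}")
```

In a real estate the inventory would come from the vulnerability assessment software and the baseline from vendor advisories; the point of keeping the "isolate" and "no_baseline" lists separate is that they call for different decisions, neither of which a patch schedule alone addresses.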

Are your platforms and users locked down?

The reason that so many attacks succeed is that most computers come installed with a large set of utilities and bundled software; this makes what is known as the "attack surface" of the computer very broad, creating a large target for the attacker to hit. Often many of these functions are never or rarely used by any user, or by particular users as part of their job. Business IT departments should therefore customise computer builds so that they are stripped down to support only business functions: provision of additional software should be the exception rather than the default. This greatly reduces the attack surface and hence reduces the likelihood of attacks working against the business.

Are your users sufficiently trained and educated about potential threats?

The greatest weakness in any business can be its users; this does not necessarily mean the users are not trusted in their normal job functions (although it is recommended that any IT system administrators are carefully vetted). The weakness arises mainly from the users' lack of knowledge of computer security basics and cyber threats. Therefore each business should have an awareness programme that seeks to educate not just new joiners but everyone in the business, and provides them with some key pointers for secure working with IT. Often this information needs to be tailored to the business to reflect its risk environment. There are some excellent resources on the Internet for general awareness; one of these is UK-based and is sponsored by the government and large IT organisations: Get Safe Online (www.getsafeonline.org).

Is your supply chain tight and secure at every link?

Modern cyber threats arise not just from the use of IT and the Internet. Much of today's technology is manufactured in the Far East, and the regimes in certain countries have sought to interfere with the manufacturing process and have "back doors" built into the microprocessor chips that are then assembled into computers and mobile devices. Equally, attackers can insert themselves into a supply chain and add snooping hardware to equipment or re-programme the read-only memory of computers to add hooks that assist in espionage. Even apparently genuine mainstream software installation discs have come complete with malware installed. Consequently care needs to be taken over where IT equipment is sourced, and businesses should ask questions about the origins of equipment and the quality management controls of their ultimate suppliers.

Secondly - how should you react in the event of an attack?

Manage incidents effectively

It is most important for businesses to establish incident management functions that can respond effectively not just to events occurring within the enterprise but to any external events which interfere with business operations. The team should be trained and exercised regularly, even if there are no incidents to contend with. The team should also develop external relationships, communicate with local Computer Emergency Response Teams (CERTs) and be tuned in to vulnerability notices issued by the vendors of their IT hardware and software. Although the main thrust will be recovery from actual incidents, they should still be pro-active and attempt to identify problems before they occur and take action to minimise adverse effects.

Be able to investigate

As well as recovering from incidents, businesses should either build in-house incident investigation facilities or have recourse to external ones. Recovery alone will not prevent re-occurrence: by investigating incidents, root causes can be found, defences improved, the source of the attack potentially identified and measures put in place to prevent or defeat such attacks in future. This is also essential if the business wishes to take action against the attacker or to hand an investigation over to law enforcement: there is a discipline known as "forensic readiness" that prepares an organisation for undertaking investigations and gathering evidence from IT systems to the standards required by the courts.

Be able to recover

The highest cost to the business will be recovery from major attacks. Such costs can only be controlled by considering the effects of cyber attacks within the business's business continuity and disaster recovery function. Remember also that cyber attacks may affect local utility services and other elements of the critical national infrastructure: therefore cyber attacks may indirectly affect the business, causing significant continuity issues. However, cyber attacks have other consequences when compared against other sources of continuity issues and natural disasters: attacks affect not just the availability of IT systems but also their confidentiality and integrity. Hence recovery is not just about restoring IT servers; it can also be about cleaning up other compromises, for instance securing data leakages or reversing fraudulent transactions. It is also worth investigating the insurance position of the business to see if there are any exclusions that relate to cyber attacks.

Share knowledge

Businesses are traditionally reluctant to share bad news, and this includes falling victim to computer security issues and cyber attacks; they are even reluctant to report them via official channels. This is a natural response, as businesses wish to protect their reputation and share price. However, with the cyber situation on a war footing, this can no longer be seen as a responsible position to take. Also, given that many attacks eventually become public anyway, sometimes publicised by the attackers themselves, it can seem that businesses have colluded in a cover-up if it is later exposed that they have fallen foul of an attack: this can subsequently have an even worse impact on their reputation, customer confidence and value. Attacks thrive on both the silence of the victim and the oxygen of publicity. Remember that attackers already pool their knowledge: the war will be lost if the defence does not do the same. Hence businesses need to consider forming responsible information sharing collectives, providing others with knowledge of attacks or new information on how they were dealt with, responses that worked and responses that did not. The Centre for the Protection of the National Infrastructure (CPNI: www.cpni.gov.uk) has already established a confidential framework of Warning, Alerting and Reporting Points (WARPs: www.warp.gov.uk) to be used by public services and service providers: a similar framework should be adopted by all in the business community.

Summary


So, with these basic provisions and precautions taken for improving your defences at home and at work, you can regard yourselves as having been recruited into the "home guard" for the defence of cyber space. However, as on the real battlefield, the current situation keeps developing more twists and turns, and the gap between attack and defence needs to be kept constantly under review. "No plan of operations extends with certainty beyond the first encounter with the enemy's main strength," said Helmuth von Moltke the Elder in his famous quote as chief of staff of the Prussian Army in the 1800s. You need to protect yourselves as best you can against falling victim to an attack or having your computers taken over by the attackers, and be able to respond effectively. This is developing into a specialised science, and businesses would be wise to engage the experts in order to provide an ever more professional defence against an ever more professional attack.