Attack and Defend on the Net

Know your enemy and know yourself, find naught in fear for 100 battles. Sun Tzu’s advice is as true as ever, particularly when applied to the cyber-war going on right now, according to Microsoft security expert Carrick Dooley. Today he gave a roomful of CEOs, IT professionals and web developers at the Microsoft Hack and Defend workshop in downtown Vancouver a lesson in the threats we’re facing from hackers and how to prepare to stop them.

Even if you don’t want to be part of this war, you’re already in it. “A lot of people are under the impression that they don’t have any information worth stealing on their computers,” Dooley says. “But if it’s got a processor and a hard drive and memory, hackers are interested.”

After providing an overview of attacks on targets ranging from critical infrastructure to Twitter, Dooley plunged into a demonstration of a cross-site scripting attack that makes use of a common browser and the victim’s trust. “Trust nothing, including that copy of Aliens vs. Monsters you just downloaded,” he added with a smirk. “Pretty much anything you do on the Internet will get you pwned.”

As such, cyber-security is everyone’s responsibility. Organizations that invest heavily in hardening their networks are often still vulnerable if employees click on malicious links in phishing emails. For companies, a coordinated cyber-defense strategy involves being aware of what’s in your network, understanding the risks, and following a realistic strategy of security improvements.