如何确保你的公司在年免受网络攻击

Last year will long be remembered as the year when cyber attacks became front page news. No institution was spared — public companies, government agencies or non-profits. Heading into 2015, we have just reached the first mile of a race without a finish line, and time is of the essence when it comes to understanding the sophistication and complexity of cyber attacks.

2014年将因屡屡登上头条新闻的网络攻击事件而被人们长期铭记。无论是上市公司、政府机构还是非营利组织，没有哪类机构能够幸免于难。进入2015年，我们只是在维护网络安全这条永无止境的征途上前进了一小步。我们亟需理解网络攻击的复杂性，时不我待。

Most cyber attacks fall into one of three main threat types:

大多数网络攻击都可归类于以下三种主要的威胁类型：

oattacks on a network’s confidentiality, causing theft or release of secure information such as credit card or Social Security numbers;

o针对网络机密性的攻击，导致信用卡号或社会保险号等安全信息遭窃或泄露；

oattacks on a network’s availability by overwhelming it with so many requests that it renders the site inoperable, or by injecting code that redirects traffic away from the site; and

o针对网络可用性的攻击，通过发送大量请求导致网站无法访问，或插入代码改变访问页面的路径；

oattacks on a network’s physical integrity which alters or destroys computer code causing damage to the network’s infrastructure.

o针对网络物理完整性的攻击，改变或破坏计算机代码，以损毁网络基础设施。

In 2015, here are seven resolutions to help protect your company against cyber threats:

2015年，你的公司应该在免受网络威胁方面立下7项新年决心：

1. Tighten Your Vendor Network

1、管理好你的供应商网络

If there is one key takeaway from the cyber attacks of 2014 it’s that passwords are dead. Hackers gained access to Fortune 100 companies by stealing passwords and log-in credentials of smaller vendors, including air conditioning and food delivery companies. Replace your single passwords with two-factor authentication or “2FA.” A good example of 2FA is withdrawing money from an ATM – it requires two authentications — your bankcard and your password. Another example is signing on to a Bloomberg terminal, which requires a password and then, using biometrics, requires a fingerprint swipe for a second form of authentication that cannot easily be stolen. You should require 2FA of all vendors or employees who log on to your networks remotely.

要从2014年的网络攻击中总结出一个要点，那就是密码被破。黑客通过窃取空调和食品配送公司等小型供货商的密码和证书，进入了《财富》100强的公司网络。请修改你的简单密码，采用双重认证（2FA）的方式。双重认证的一个典型例子就是用银行卡从自动取款机上取钱——它需要双重认证：你的银行卡和你的密码。另一个例子是登录彭博社终端，首先你需要输入密码，然后采用生物测定学技术的系统还会要求你刷指纹进行二次认证。想要偷走指纹可不容易。你应该对所有远程进入公司网络的供应商和员工采用双重认证方式。

2. Detonate Malware

2、引爆恶意软件

“Spear Phishing” is an easy and effective way to attack a network. Hackers obtain names of your friends from your public social media accounts and then send you a personal note that appears to come from someone you know and trust. When you click on the attachment or link, the email installs “malware” on your network. A solution for malware is “detonation” software. Once an email with malware is opened but before it can leave your network with critical information, it is detonated in a “sandbox” to test whether it is being routed to an inappropriate site.

“网络钓鱼”是一种发动网络攻击的简单而有效的方式。黑客从你的社交媒体公共账户获得了你朋友的名字，并伪装成你认识且信任的人给你发私信。当你点开附件或链接，邮件就会把恶意软件装进你的网络。一种应对恶意软件的方法是安装“引爆”软件。一旦带有恶意软件的电子邮件被打开，在它把你的重要信息带走之前，这种软件会先将它扔进“沙盒”中进行引爆测试，看它是否指向了一个不正常的网站。

3. Guard Your “Crown Jewels”

3、保护你的“王冠”

What information matters the most to you? Is it a secret formula, proprietary IP, Social Security or credit card numbers, sensitive health care data or non-public financial information? Once you determine your company’s most important and sensitive information, compartmentalize it from the rest of your technology and network operations.

对你来说，什么信息最重要？是秘密配方、专有知识产权、社会保险号、信用卡号、敏感的卫生保健数据，还是非公开的财务信息？一旦你确定了公司最重要和敏感的信息，就把它与其他的技术和网络操作分离开来。

4. Develop a Cyber Attack Response Plan – Now

4、现在就准备好网络攻击应急计划

Develop a plan and practice it regularly. As part of your plan, hire a forensic investigatory firm to review your network and your response plan.

准备好应急计划并定期演练。作为计划的一部分，你应当雇佣取证调查公司来检查你的网络和应急计划。

5. Conduct “Penetration” Tests

5、进行“渗透”测试

Engage a third-party firm to conduct “penetration tests” to identify weaknesses in your company’s IT network and infrastructure. Based on the findings, make the necessary security improvements and comply with disclosure requirements. For example, the SEC has published guidance regarding the responsibilities of public companies to inform investors about cybersecurity vulnerabilities.

邀请一家第三方公司来进行“渗透测试”，找出公司信息技术网络和基础设施中的缺陷。根据结果来进行必要的安全性改进，同时遵守资料公开的要求。比如，根据美国证券交易委员会的规定，上市公司有义务告知投资者公司内部存在的网络安全漏洞，该委员会还专门就此发表了一份指南。

6. Embrace the Government

6、寻求政府的帮助

When it comes to cyber attacks, the famous saying that “we are from the government and we are here to help” couldn’t be more true. The U.S. government has been far out front of the business community in understanding the significance of cyber threats. Current and former cabinet officials have warned for years about the risk of a “cyber Pearl Harbor” or “cyber 9/11.” The Secret Service and FBI have repeatedly alerted unaware public companies that their systems were breached — even though neither agency was under any obligation to do so. Don’t wait until after an attack to build relationships with key officials at the FBI, the Department of Homeland Security and the Department of Justice.

在网络攻击领域，那句著名的“我们来自政府，我们将施以援手”简直是再正确不过。在理解网络威胁的严重性方面，美国政府要远远领先于商界。现任和前任内阁官员多年来一直警告称，美国有可能遭遇“网络珍珠港”或“网络9o11”袭击。美国特勤局和联邦调查局也在不断提醒毫无觉察的上市公司，他们的系统被攻破了——尽管这些机构并没有这种义务。不要等到自己被攻击之后，才开始同联邦调查局、国土安全部和司法部的核心官员搞好关系。

7. Kick the Tires in M&A

7、从事并购交易时要审查网络安全

Traditionally, the biggest security risk in a merger or acquisition transaction was confidentiality. Increasingly, cyber risk is becoming a critical, and often overlooked, factor. Heed the Department of Homeland Security’s recent warning about cyber risks in companies that you may consider buying or investing in and conduct cyber audits as part of routine due diligence.

传统上，并购交易的最大安全隐患在于保密工作。而网络风险正日益成为其中一个重要却被忽视的因素。请注意国土安全部最近发出的网络风险警告，其中也许就包括你正考虑购买或投资的公司。请将网络安全审查作为常规尽职调查的组成部分。

In 2014, the focus of many cyber attacks was stolen credit cards and financial crime. In the future, the threat will likely escalate to physical damage of technology networks and infrastructure.

在2014年，许多网络攻击的目标都是盗窃信用卡，进行金融犯罪。在未来，这种威胁可能会逐步升级为对技术网络和基础设施的物理性破坏。

During the 2014 December holiday season, the German government reported a cyber attack that caused “massive damage” to an iron plant. Utilizing a spear phishing attack, hackers disabled the electronic controls that turned off the plant’s furnaces, causing damage to the entire plant.

在2014年12月的假日季，德国政府报道了一起导致钢铁厂“严重损毁”的网络攻击事件。黑客利用网络钓鱼攻击，使得负责关闭熔炉的电子控制系统陷于瘫痪，最终造成整个工厂严重受损。

What new forms of cyber attacks will 2015 bring? Don’t wait to find out. Start 2015 off right by implementing these resolutions to help protect your company from ever-present cyber threats.

2015年将会有什么新型的网络攻击？不要再被动地等待了。即刻实施这些新年决心，保护你的公司在2015年免受无处不在的网络威胁吧。（财富中文网）

Peter J. Beshar is Executive Vice President and & General Counsel of Marsh & McLennan.

本文作者彼得oJ.o贝沙尔是Marsh & McLennan公司执行副总裁兼法律总顾问。