In computer security, it's almost impossible to tell the 'good guys' from the 'bad guys'

Even the most sophisticated of cyber attacks invariably start with a banal email and a simple attachment or URL. But how should organisations start to protect themselves against such attacks?

According to reports, there's barely an intelligence agency anywhere in the world that can be trusted not to try and hack pretty much any organisation it chooses to target.

In recent years, the Stuxnet worm has targeted industrial infrastructure, supposedly in an attack on Iranian nuclear facilities, although the worm spread much further and wider than its creators intended.

The Chinese People's Liberation Army (PLA) is alleged to have not one, not two, but "more than 20" units dedicated to hacking overseas infrastructure, according to security intelligence company CrowdStrike. And neither the US National Security Agency nor GCHQ would appear to be much better, if the disclosures of whistleblower Edward Snowden are any guide.

And then, just this week, security software specialists Symantec released information about "state-owned malware" called "Regin" that appears to have targeted people and organisations in Russia and Saudi Arabia. Which state might claim responsibility for it, however, remains an open question.

The bottom line is, when it comes to computer security, it's become hard to tell the good guys from the bad guys. As such, organisations of all types have started to respond by upping security and taking no chances with online threats.

Even organisations that, in the past, have been accused of taking a lackadaisical approach to security have sharpened up, such as popular messaging app WhatsApp, which has started encrypting communications by default. And the CIO of US retailer Target was thrown overboard when the full story emerged of how its retail systems were hacked late last year.

What is astonishing, though, is how banal most successful attacks against organisations' infrastructure often start: when the PLA wanted to find a way into the computer networks of the European aero industry in Toulouse, for example, it sent a simple PDF attachment - in this case the brochure of a yoga studio - to a lowly employee.

When the attachment was opened, the attackers were able to use flaws in an unpatched version of Adobe Acrobat to compromise the target PC and use it as a springboard for a wider attack. This formed a "genre" of attacks that CrowdStrike dubbed "putter panda" because the group behind them often targeted golf-playing conference attendees, with emails and attachments that wouldn't arouse suspicion.

Indeed, according to CrowdStrike, the threat intelligence company that has tracked Chinese state-directed cyber attacks, "they focus their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks".

And while most companies prefer to keep successful attacks against their infrastructure under wraps, aluminium-maker Alcoa, industrial giant Westinghouse Electric and US Steel were outed by the US Justice Department when it indicted five Chinese nationals for their part in attacks against US companies - the trouble is, they are all in China.

Such attacks have become widespread. When GCHQ was accused of attacking the networks of Belgian national telecoms company Belgacom, it was alleged to have used emails faked to look like they came from LinkedIn in order to direct its targets' PCs to a website bearing malware.

In order to combat these banal threats, IBM has produced a five-step strategy that it has implemented at a number of organisations.

This includes using threat intelligence to identify where the most likely source of attacks is going to come from - enabling security staff and systems administrators to prioritise log and event data to investigate. Email and social media, in particular, are common initial attack vectors.

Organisations also need to stay up-to-date in terms of their anti-malware security software, while paying particular attention to keeping commonly used applications up-to-date, such as Microsoft Office, LibreOffice and Adobe Acrobat Reader - and turning off features that may be the target of attacks, such as JavaScript in Adobe Acrobat.
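As an added illustration (not part of the original article or of IBM's programme), the following Python triage script flags the PDF features the article warns about, such as JavaScript that runs as soon as an attachment is opened, so that a mail gateway or security team can hold such files for inspection. The feature names and the quarantine policy are assumptions chosen for this example, and both sample PDFs are constructed by hand.

```python
import re

# PDF object names worth flagging at a mail gateway or in a triage script.
# The feature names and the policy below are assumptions chosen for this example.
RISKY_FEATURES = {
    "javascript": (rb"/JavaScript", rb"/JS\b"),   # the Acrobat feature the article says to turn off
    "auto_action": (rb"/OpenAction", rb"/AA\b"),  # something runs as soon as the file is opened
    "launch": (rb"/Launch",),                      # asks the reader to start an external program
    "embedded_file": (rb"/EmbeddedFile",),         # a second file carried inside the PDF
}

def pdf_risk_report(data: bytes) -> dict:
    """Count each risky feature in a PDF given as raw bytes.
    Scans uncompressed object dictionaries only; objects packed into
    compressed object streams would need decompression first.
    """
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    return {name: sum(len(re.findall(p, data)) for p in patterns)
            for name, patterns in RISKY_FEATURES.items()}

def should_quarantine(report: dict) -> bool:
    """Hold the message if JavaScript runs automatically or anything is launched."""
    return (report["javascript"] > 0 and report["auto_action"] > 0) or report["launch"] > 0

# Constructed sample: a one-page PDF whose catalog runs a harmless script on open.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('hello');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same page with no actions, like an ordinary brochure.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("suspicious", SUSPICIOUS_PDF), ("clean", CLEAN_PDF)):
        report = pdf_risk_report(pdf)
        print(label, report, "quarantine" if should_quarantine(report) else "deliver")
```

Such a check complements, rather than replaces, disabling JavaScript in the reader itself, since it only sees features that are not hidden inside compressed object streams.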

Staff also need to be trained to spot anomalous behaviour that may indicate a compromised PC, as well as the preparations an attacker might make in order to exfiltrate the information they have collected.

In other words, IBM's advice is to first identify the threats that really matter to the organisation and to prioritise those threats - especially as the average major organisation is subject to some 1.7 million anomalous events every week.

"Every business is affected: in the past, financial services organisations were among the primary targets of cyber criminals. Today, diverse actors move with lightning speed to steal tangible assets, intellectual property, customer information and confidential data across all sectors," warns IBM.

Of course, it may not just be "cyber criminals", but the PLA, GCHQ, the NSA or any other well-resourced national intelligence services. In cyber space, no one can be trusted.