Cyber Attacks: Can they be prevented?

Recently, I thought about the targeted attack vector, aka "spear-fishing."

Some background:

Hydraq - An Attack of Mythical Proportions
19 Jan 2010
http://www.symantec.com/connect/blogs/hydraq-attack-mythical-proportions

Cyber attack during the Paris G20 Summit
February 2011
http://en.wikipedia.org/wiki/Cyber_attack_during_the_Paris_G20_Summit

Exclusive: potential China link to cyberattacks on gas pipeline companies
2012/05/10
http://www.csmonitor.com/USA/2012/0...ink-to-cyberattacks-on-gas-pipeline-companies

Chinese cyber attacks on West are widespread, experts say
http://www.cnn.com/2013/02/01/tech/china-cyber-attacks
2013.02.01

So, is there no way this "malicious software," "Trojans," can be prevented from installing if an office worker is victimized by such an attack?

Many articles go into complicated, technical discussions of different types of prevention that can be utilized in organizations. Many of these are bloated advertisements for their particular product.

But, at least two mention "policies":

Cyber Attacks: Prevention and Proactive Responses [PDF]

20 ideas for cyber attack prevention
http://www.thenonprofittimes.com/article/detail/20-ideas-for-cyber-attack-prevention-4188

What a novel idea!

Of the many ways of instituting policies, one has been available for almost 12 years:

http://msdn.microsoft.com/en-us/library/ms974604.aspx
October 8, 2001

An Administrator can control what the workstations on the network can install.

Discussions in the past with some Administrators revealed to me that locking down individual workstations in this way would probably create an unhappy workforce.

Translation: workers have become accustomed to treating the workplace computer as their personal computer, being able to install anything they want.

But that doesn't negate the fact that there are solutions available. I know of two organizations in my area that use such solutions.

As the saying goes,

"there's them that do, and them that don't."


----
rich

 

It is the unhappy senior management that complains that then makes the admins relax the policy for them and as we can all guess infiltrating those can be a gold mine for bad folks. Ordinary workforce toes the line

 

Maybe in the beginning, but over time they get used to it, and if they don't, they can always seek employment elsewhere. A business that deploys group policy enforcement on their computer network just has to say: "you don't like it, tough luck, deal with it".

 

Enterprise environments are easy, because your IT staff owns the computers, and they can **** on the users all they like with whatever restrictive policies.

The problem is that they often focus on the wrong things, still expecting users to manage updates, and strong passwords. Password policies are easiest to look at - so many companies will enforce a password length, but then they'll throw in some idiotic policy like "change it every month" for no reason.

 

My employer, who handles several thousand client machines, handles all updates remotely administered and enforces only weak passwords, 6-8 characters, with only a mix of uppercase/lowercase and numbers, locked out after three wrong attempts, requiring change every 3 months. All network traffic outside the perimeter is monitored and filtered and all machines locked down, most everyone running SUA on a COE, so no way to install anything. Policies are unequivocal, there in writing for everyone to access, read and understand, with consequences rather dire for anyone who breeches them, although they do allow a strike or two before bringing down the hammer.