Graham Titterington, principal analyst, Ovum
AUSTRALIA: There is no magic bullet to prevent a cyber attack. Most information theft attacks are launched through an internet-facing application in the corporate gateway, attacking vulnerabilities in applications using relatively predictable strategies such as SQL injection or scripting attacks. So improving the coding standards of applications is a major step, or alternatively protecting applications by screening them with an application-layer firewall. (Application security is made more difficult where outsourced development or management is involved.)
Access control to systems is another area where controls are frequently circumvented, as attackers steal the credentials of legitimate users through a number of types of attack. Spyware is often inserted into the target organisation well before the main attack takes place to acquire this information. Social engineering attacks work against most organisations.
Monitoring data movements, data encryption, and data loss prevention systems can also reduce the loss of information directly from electronic systems, particularly with regard to high volume theft. In this case it appears to have flagged the data breach, but not soon enough to prevent the damage being done.
However, the technologies themselves are not universal panaceas, even when the vulnerabilities have been dealt with. Data loss prevention is cumbersome and can obstruct legitimate business if it is not perfectly tuned. Encryption is only as good as key management and brings the risk of losing all access to your data if you lose the key. People are people and have innate vulnerabilities with respect to trusting the wrong people, accepting inducements, or simply having more pressing concerns at the time they are approached.
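The coding-standards point above (SQL injection through an internet-facing application), as an added illustration that is not part of the analyst's comment: a lookup that splices untrusted input into the query text beside the parameterised form that a coding standard would require, run against a constructed in-memory table (the schema, the sample rows and the probe string are assumptions made for this example).

```python
import sqlite3

# Constructed in-memory sample data standing in for a customer table behind
# an internet-facing application (assumption: the page names no schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"),
         ("bob@example.com", "2222"),
         ("carol@example.com", "3333")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The coding defect: untrusted input becomes part of the SQL text, so a
    # quote in the value can alter the statement itself.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    # Parameterised query: the driver sends the value separately from the
    # statement, so its content can never change the query's structure.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()

# Constructed regression-test input: the textbook quote-and-tautology string
# that a code review or application-layer firewall test case would check for.
PROBE = "nobody@example.com' OR '1'='1"

def demo() -> tuple:
    """Return (rows leaked by the vulnerable lookup, rows returned by the hardened one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PROBE)   # every customer row comes back
    safe = lookup_hardened(conn, PROBE)       # no row has that literal address
    return len(leaked), len(safe)

if __name__ == "__main__":
    print(demo())  # (3, 0)
```

Running it shows the whole table leaking through the concatenated query while the parameterised query treats the same string as an ordinary address and returns nothing.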