The Enemy Within: Security Risks from Business Partners
One of my favorite episodes of Freakonomics Radio concerns a diner at the Manhattan branch of the high-end organic restaurant chain Le Pain Quotidien who finds a dead field mouse in her salad. As often happens on Freakonomics, this revolting tale begets an interesting discussion of economics, from the role of "anchoring" in pricing behavior to the challenge of scaling a small business to national or global size.

In the case of Le Pain Quotidien, the incident was a lesson in risk management for a company that had grown quickly from its first store in Belgium to a global chain with 150 locations in 16 countries. As it happens, dead bugs and rodents finding their way from the organic farm to a customer's plate was an unfortunate but acceptable risk in the eyes of the restaurant's management.

For me, the story nicely illustrates an important lesson of 21st-century business: the actions of your suppliers and business partners, even small ones, can have an outsized effect on your company's reputation and bottom line.

Today, companies in many industries face the prospect of a customer having a (virtual) "mouse in the salad" moment every day. The mouse takes the form of customer data loss or theft, hacking, DDoS attacks and other online ills. As with Le Pain Quotidien, the source of the risk often lies outside the organization that is most affected: in the complex integration of enterprise networks and data with those of business partners, suppliers and SaaS application providers.

One example: in March of this year, Bank of America (BAC) confirmed that a hack of third-party contractor TEKsystems was the source of a leak of internal e-mails documenting the bank's monitoring of hacktivist groups, including Anonymous. (This came after a similar 2011 Anonymous attack on another BofA contractor, the cyber-forensics firm HBGary.)

Then, in August, the Australia-based domain name registrar Melbourne IT, used by the New York Times and Twitter (TWTR), among others, had the DNS records for those web properties altered so that visitors were redirected to propaganda pages of the Syrian Electronic Army, a hacktivist group.

These incidents suggest that we inhabit a business environment in which data has become "liquid," for lack of a better term. It flows within the boundary marked by your corporate firewall, but it also seeps through that boundary in ways that are difficult to predict or control.

Mobile devices put access to enterprise resources in our pocket, and therefore into the back seat of a taxicab. Contractors use VPNs to reach critical back-end systems from dodgy home networks. Enterprise cloud applications such as Salesforce.com (CRM) and Workday (WDAY) siphon sensitive information from company-managed IT assets to cloud-based servers that we do not control.

If networks 10 or 15 years ago were "gated communities" in which access was strictly controlled, today's networks are more like suburban shopping malls, with many points of entry and exit for individuals of all stripes.

Today, enterprises can choose from a long list of sophisticated detection and monitoring tools. Still, most have no idea what normal network behavior looks like, nor an easy way to measure the security and integrity of their infrastructure partners, suppliers and business partners.
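Both gaps in that last paragraph, no picture of what "normal" looks like and no quick way to tell an approved partner from an unknown third party, can be attacked with the same mechanism: learn a baseline of which internal hosts talk to which peers and how much, then flag flows in a later window that fall outside it. The Python below is an added example, not code from the original column. It assumes NetFlow-style records with the constructed format `time src dst dport bytes`, a constructed sample of such records (not captured traffic), and a hypothetical allowlist of partner and SaaS networks the business has actually contracted with.

```python
"""Baseline what "normal" outbound traffic looks like per internal host, then
flag flows in a later window that deviate: peers never seen before, external
destinations that are not an approved partner, and byte-volume outliers."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")
# Hypothetical allowlist of the partners/SaaS providers the business actually uses.
APPROVED_PARTNERS = {ip_network("198.51.100.0/24"): "SaaS CRM provider"}

# Constructed baseline window (not real traffic): time src dst dport bytes.
BASELINE_LOG = """\
2013-09-02T09:00:01 10.1.1.20 10.1.5.8 1433 2200
2013-09-02T09:05:12 10.1.1.20 10.1.5.8 1433 2400
2013-09-02T09:10:44 10.1.1.20 198.51.100.10 443 5100
2013-09-02T09:15:03 10.1.1.20 10.1.5.8 1433 2100
2013-09-02T09:20:30 10.1.1.20 198.51.100.10 443 4900
2013-09-02T09:00:09 10.1.7.30 198.51.100.10 443 3000
2013-09-02T09:30:09 10.1.7.30 198.51.100.10 443 3100
2013-09-02T10:00:09 10.1.7.30 198.51.100.10 443 2900
"""

# Constructed review window: a workstation pushing ten times its usual volume to
# the SaaS provider, and a contractor host reaching a database it never touched
# plus an external SSH server that is nobody's approved partner.
REVIEW_LOG = """\
2013-09-03T09:02:11 10.1.1.20 10.1.5.8 1433 2300
2013-09-03T09:07:40 10.1.1.20 198.51.100.10 443 52000
2013-09-03T09:09:15 10.1.7.30 10.1.5.8 1433 1800
2013-09-03T09:12:00 10.1.7.30 203.0.113.77 22 900
"""


def parse_flows(text):
    """Parse 'time src dst dport bytes' lines into dicts; skip blank/comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def build_baseline(flows):
    """Map each (src, dst, dport) pair to the byte counts seen in the baseline window."""
    baseline = defaultdict(list)
    for f in flows:
        baseline[(f["src"], f["dst"], f["dport"])].append(f["bytes"])
    return baseline


def classify_destination(dst):
    """'internal', 'partner:<label>' for an approved partner, else 'unapproved-external'."""
    addr = ip_address(dst)
    if addr in INTERNAL:
        return "internal"
    for net, label in APPROVED_PARTNERS.items():
        if addr in net:
            return f"partner:{label}"
    return "unapproved-external"


def detect(flows, baseline, z=3.0, min_samples=2):
    """Return (src, dst, dport, finding) for each flow that deviates from the baseline.

    A pair absent from the baseline is a new peer, labelled by where the peer sits
    (internal, approved partner, or unknown external). A known pair is flagged when
    its byte count exceeds mean + z * population std dev of its baseline history,
    provided the history has at least min_samples points.
    """
    findings = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        history = baseline.get(key)
        if history is None:
            findings.append(key + (f"new-peer:{classify_destination(f['dst'])}",))
            continue
        if len(history) >= min_samples:
            threshold = mean(history) + z * pstdev(history)
            if f["bytes"] > threshold:
                findings.append(key + (f"volume:{f['bytes']}B>{threshold:.0f}B",))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_LOG))
    for src, dst, dport, finding in detect(parse_flows(REVIEW_LOG), base):
        print(f"{src} -> {dst}:{dport}  {finding}")
```

The baseline is keyed per (source, destination, port) pair rather than per source, so a host's routine database traffic does not mask a surge toward one external peer. The partner allowlist is what turns "new peer" into an actionable triage label: a new internal peer is worth a look, a new unapproved external peer is the case that most resembles the contractor and registrar incidents above. On a two-sample history the standard deviation is tiny and the threshold correspondingly tight, so a real deployment needs days of baseline data, a floor on the threshold, and periodic re-baselining as partners and SaaS integrations change.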