The IMF is the latest in a growing list of high-profile names targeted by an advanced persistent threat (APT). That raises the question: what is the solution? Disconnection is no longer a viable answer for most organizations. Certainly we should think about what needs to be connected and available anytime, anywhere, and what does not require immediate access. We expect remote access to everything from corporate information to personal purchasing options, and this kind of lifestyle and its associated demands will only increase. The challenge is how to get ahead of the curve with technology that is reasonably secure and non-intrusive.
A standard set of mutual authentication requirements should be developed for online transactions, remote access, or for any system that has access to personal information. For real mutual authentication to work, it must involve a trusted authority at a national and possibly even an international level. The system could work like our current passport and visa system used for physical travel to other countries. Certainly this is an imperfect analogy due to the issues with forgery in the current system. How many consumers will pay more to use a site that offers true PKI-based mutual authentication?
The next part of mutual authentication is the client computing device. This presents more of a problem because so many client machines have been compromised. So how do you ensure that the client is who it claims to be? A secure token can be provided to the user, serving as a tamper-proof identifier. For high-value transactions this token could also carry a small sandbox with a secure browser. For those opposed to additional hardware, a mobile phone can serve as a security device if the proper protections are in place. Where anonymity is a concern, there are ways to achieve this level of security while still protecting the identity of the user.
Unfortunately, of course, mutual authentication will not solve the problem of known exploits against unpatched systems. The fact of the matter is that many organizations do not patch their systems in a timely fashion, despite the existence of global security organizations that produce alerts and publish patch recommendations. Vendors provide security patches that never get applied because there are no enforceable policies governing how patches are tested and applied. Any change to an operational system entails risk.
The battle will continue because fundamentally, anything a man can make a man can break. While there is a benefit to governments and international organizations providing legislation and policy examples, it is still ultimately up to companies and individuals to determine how to implement policies to better secure the Internet. I am afraid that legislation, while well-intended, will be about as effective as moral laws are in curbing behavior that some view as unacceptable. Until each individual understands their responsibility, security will continue to be a huge issue.