Page 75 - NO.153 Taiwan Banker magazine
only a small portion of them can actually turn into security breaches. So, from the perspective of the nation as a whole, the first priority for improving cybersecurity is to build a sound software industry of our own. Once we can produce secure software ourselves, we will also know better how to use software from outside correctly, because in any organization most of the software in everyday use is bought from outside, and most breaches come from this external software. Moreover, as long as the vast majority of companies truly understand what kind of security environment they need, they can simply purchase systems built by the industry's leading software vendors to store sensitive data such as passwords. So the more this software industry flourishes, the more it is bound to ease Taiwan's pressing problem of dependence on outdated software and insecure operating systems.

Of course, Taiwan's ultimate goal is not software development but the ability to withstand state-level attacks. So it cannot rely on programming alone; the problem has to be tackled through open-source intelligence (OSINT). This is a very broad field, and the way it protects security is to use investigative, evidence-gathering methods to understand what potential intruders look like and to build as complete a threat model as possible.

Jon DiMaggio, author of The Art of Cyberwarfare, once pointed out in an interview the importance of classifying intruders: "The main characteristic of advanced threats ... is that the intruders' objectives are very clear. Before breaking into Bangladesh Bank, North Korea spent a whole year preparing before actually launching the fraudulent transactions. A whole year! The ordinary cybercrime or bot harassment you usually see, never mind preparing for a year, probably wouldn't even prepare for a day."

DiMaggio believes that such advanced threats will not go away. "Even if they can't hack into your network ... they will cause other damage. This kind of attack always sets several targets at once. Whenever you face an advanced threat, you will certainly be hit by several kinds of attack at the same time." Moreover, these threats target not only organizations but also simultaneously attack
designed with the opposite approach. There are several aspects to this safe design, but one of the most important is simply error management. And errors are fundamentally nothing more than text strings which are meant to be read by humans (programmers themselves, others within the organization, or, less ideally, end users).

This comparison should make it clear that many problems in software development are in fact issues of organizational management, rather than purely programming. That realization should both encourage those without technical skills not to be scared of the topic of cybersecurity, and also point to the connection between safe software and other aspects of management processes.

Know your attacker

Most mistakes simply reduce the functionality of a program, if they have any effect at all; only a fraction turn into vulnerabilities. Thus, the most important way to improve cybersecurity from a national perspective is to build a software industry. Notably, the skills to create safe software align closely with those to correctly use outside software – which will be the vast majority of software in any organization, and also the most important source of vulnerabilities. Moreover, the vast majority of companies can simply import systems made by industry leaders for sensitive tasks like password storage, as long as they understand their security requirements. A vibrant software industry
Taiwan Banker, September 2022 issue, 75