Yahoo announced within the past month that user data from more than 500 million accounts had been compromised. E-mails and documents were stolen from the Democratic National Committee's servers and leaked to the media. Several major hospitals disclosed that their internal computer networks had been shut down and files encrypted by criminal gangs demanding ransom. And last month, hackers unleashed a massive denial of service attack that enlisted thousands of compromised devices like DVRs and cameras to shut down a popular cybersecurity website.
The threats seem to be coming from everywhere, and businesses large and small are struggling to keep up. How can they identify their risks, implement solutions, and avoid the hype and hysteria that have become so pervasive?
Those questions were atop the minds of attendees at the annual Rochester Cybersecurity Summit this past week. How can small businesses or major corporations protect their computer networks in the face of threats that are constantly evolving?
"Many CEOs are relying on threat intelligence to keep informed," said Reg Harnish, CEO of Albany-based GreyCastle Security and one of the event's expert speakers. "But they're being overwhelmed by data, and potentially good information can become just another distraction."
Rather than trying to keep up with the latest technologies being used by hackers and the cutting-edge countermeasures, Harnish says that businesses should focus on the fundamentals of computer security.
The way to think of threats, Harnish says, is to begin by understanding the five things you need to protect: your money, credit card transactions, identities, people and reputation.
Once you understand what needs to be protected, you can think about the types of groups (or individuals) who might go after them.
- Hackers are financially motivated. They want to steal your money or steal your files and sell them online.
- Hacktivists are politically motivated or have an ideological agenda. Their goal is to damage your reputation or hurt your company in other ways.
- Spies are interested in your company's intellectual property.
"There are third-world countries whose entire GDP is based on stealing those secrets," Harnish said. "Once they have your blueprints or design documents, they'll build a knockoff of your product and sell it for half the price."
Whether it's criminal organizations or lone actors, cyber-attacks often aren't terribly sophisticated. Like home burglars, they look for vulnerabilities and exploit them. Burglars don't need to pick the locks on your front door if you've left the kitchen window open.
Hackers often employ social engineering, trying to get one of a company's employees to inadvertently share their login credentials, often through an email that tricks them into clicking a link or opening a document they think is business related.
In an appearance in Rochester last year, hacker Kevin Mitnick explained how it usually works.
"Imagine a hacker using a website like LinkedIn to identify people within an organization and then looking for their circle of trust," Mitnick said. "Who would that person trust receiving an email from?"
Mitnick served five years in prison for his hacking activities and now runs his own computer security consulting company.
One of the most common methods, Mitnick says, is a technique called "phishing." Hackers send an email that purports to be from a trusted source. The recipient will click the link and be prompted to type their username and password, thinking they're being asked to log in to their own network. Instead, those credentials get sent to the hacker. The employee doesn't even realize they've just unlocked the door to their company's network. Thieves or spies can access e-mails, financial documents, or customer data and get out without ever being detected.
Experts say that may be what happened to Excellus BlueCross and BlueShield, which announced last year that hackers had breached its systems and accessed personal information on more than 10 million people. It took almost 20 months for the intrusion to be detected. A spokesman for Excellus declined to comment on the company's experience or how its security efforts have changed in the aftermath. Other companies also said they didn't want to discuss what they were doing with regard to cybersecurity, even in general terms.
Harnish says businesses should be focusing on building a detection capability so they know when something bad happens and how to correct it.
"Networks are continuously being probed, intruded on, or worse," Harnish said. "You have to build your security around the assumption that you have been compromised already and that it's going to happen again. Mature organizations recognize that it's a fact of doing business."
Small businesses have to deal with the same sort of issues with fewer resources. It may be easier for them to acknowledge that they need outside help, rather than assuming they can fend off the threats on their own. Bigger companies often lull themselves into believing the security plan they've designed is working.
"There are no silver bullets in cybersecurity," he said. "Most of it is hard work, just like losing weight. Nobody wants to hear that the solution is diet and exercise. Focusing on the fundamentals is not as sexy as talking about the latest whiz-bang technology."
Source: Democrat & Chronicle