Cyber threats impact businesses large and small

Yahoo announced within the past month that user data from more than 500 million accounts had been compromised.  E-mails and documents were stolen from the Democratic National Committee's servers and leaked to the media.  Several major hospitals disclosed that their internal computer networks had been shut down and files encrypted by criminal gangs demanding ransom.  And last month, hackers unleashed a massive denial of service attack that enlisted thousands of compromised devices like DVRs and cameras to shut down a popular cybersecurity website.

The threats seem to be coming from everywhere, and businesses large and small are struggling to keep up. How can they identify their risks, implement solutions, and avoid the hype and hysteria that has become so pervasive?

Those questions were atop the minds of attendees at the annual Rochester Cybersecurity Summit this past week. How can small businesses or major corporations protect their computer networks in the face of threats that are constantly evolving?

“Many CEOs are relying on threat intelligence to keep informed" said Reg Harnish, CEO of Albany-based GreyCastle Security and of the event's expert speakers. "But they're being overwhelmed by data, and potentially good information can become just another distraction."

Rather than trying to keep up with the the latest technologies being used by hackers and the cutting edge counter measures, Harnish says that businesses should focus on the fundamentals of computer security.

The way to think of threats, Harnish says, is to begin by understanding the five things you need to protect: your money, credit card transactions, identities, people and reputation.

Once you understand what needs to be protected, you can think about the types of groups (or individuals) who might go after them.

  •  Hackers are financially motivated. They want to steal your money or steal your files and sell them online.
  •  Hacktavists are politically motivated or have an ideological agenda. Their goal is to damage your reputation or hurt your company in other ways.
  •  Spies are interested in your company's intellectual property.

"There are third-world countries whose entire GDP is based on stealing those secrets," Harnish said. "Once they have your blueprints or design documents, they'll build a knockoff of your product and sell it for half the price."

Whether it's criminal organizations or lone actors, cyber-attacks often aren't terribly sophisticated.  Like home burglars, they look for vulnerabilities and exploit them.  Burglars don't need to pick the locks on your front door if you've left the kitchen window open.

Hackers often employ social engineering, trying to get one of a company's employees to inadvertently share their login credentials, often through an email that tricks them into clicking a link or opening a document they think is business related.

In an appearance in Rochester last year, hacker Kevin Mitnick explained how it usually works.

"Imagine a hacker using a website like Linkedin to identify people within an organization and then looking for their circle of trust," Mitnick said. "Who would that person trust receiving an email from?"

Mitnick served five years in prison for his hacking activities and now runs his own computer security consulting company.

One of the most common methods, Mitnick says, is a technique called "phishing." Hackers send an email that purports to be from a trusted source.  The recipient will click the link and be prompted to type their username and password, thinking they're being asked to log in to their own network. Instead, those credentials get sent to the hacker. The employee doesn't even realize they've just unlocked the door to their company's network.  Thieves or spies can access e-mails, financial documents, or customer data and get out without ever being detected.

Experts say that may be what happened to Excellus BlueCross and BlueShield, which announced last year that hackers had breached its systems and accessed personal information on more than 10 million people. It took almost 20 months for the intrusion to be detected. A spokesman for Excellus decline to comment on the company's experience or how its security efforts have changed in the aftermath.  Other companies also said they didn't want to discuss what they were doing with regards to cybersecurity, even in general terms.

Hanish says businesses should be focusing on building a detection capability so they know when something bad happens and how to correct it.

"Networks are continuously being probed, intruded on, or worse," Harnish said. "You have to build your security around the assumption that you have been compromised already and that it's going to happen again. Mature organizations recognize that it's a fact of doing business."

Small businesses have to deal with the same sort of issues with fewer resources. It may be easier for them to acknowledge that they need outside help, rather than assuming they can fend off the threats on their own. Bigger companies often lull themselves into believing the security plan they've designed is working.

"There are no silver bullets in cybersecurity," he said. "Most of it is hard work, just like losing weight.  Nobody wants to hear that the solution is diet and exercise. Focusing on the fundamentals is not as sexy as talking about the latest whiz bang technology."

Source: Democrat & Chronicle

Topics: Social Engineering, BlueShield, GDP, Grey Castle Security, penetration testing, World's Most Famous Hacker, Yahoo, Excellus BlueCross, hackers financially motivated, ideological agenda, keynote speaker, protect credit card transactions, Reg Harnish, security awareness training, security consultant, intellectual property, malware, Rochester Cybersecurity Summit, simulated phishing, Spam, cybercrime, cybersecurity vulnerabilities, demanding ransom, Democratic National Committee, files encrypted by criminal gangs, identities, Kevin Mitnick

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

PCI Testing: Everything You Need To Know

Penetration testing is crucial for businesses to help ensure that their security posture will stand against threat actors. For businesses that handle ..

Read more ›

The 4 Phases of Penetration Testing

So, you’ve done your research on penetration testing and are ready for the pentest engagement. But before you choose just any pentesting vendor, it’s ..

Read more ›

What is Web Application Penetration Testing?

Is your company in the process of developing a new application? There are a lot of moving parts involved in developing and deploying cutting-edge appl..

Read more ›