No One is Beyond Reach
Take a tip from one of the world’s best known hackers, Kevin Mitnick, who for 20 years was on the FBI’s most wanted list until he was caught in 1995 and jailed for five years. Today Mitnick runs a private consulting company that claims a 100 percent successful track record of penetrating the security of any system he is paid to hack.
His advice: Be smart. Be paranoid. And good luck.
Good luck indeed. Cybersecurity has become either a pay-me-now or pay-me-later line item expense.
“You will write a check to someone,” says Grand Ledge, Mich.-based Dan Lohrmann, chief security officer/chief strategist for Security Mentor of Garden Grove, Calif., and former chief security officer for the state of Michigan.
That’s also the message delivered to executives around the country by Chris Pogue of Nuix, a software company based in Herndon, Va.
Pogue adds that if you take appropriate protective measures for online assets, such as mitigating cyber vulnerabilities, conducting penetration tests, building good cyber defense intelligence and ensuring that the right team is in place, the check will be much smaller overall than the bill you pay when a data breach inevitably happens.
The Target fallout
The check written for a cyber breach can be huge. Last year, Target agreed to pay $10 million to settle a class-action lawsuit related to the discount retailer’s 2013 data breach. Court documents show hacking victims could get as much as $10,000 apiece. The company estimates that about 42 million people had their credit or debit information stolen, according to court documents.
How did hackers get into the Target corporate network? Through a third-party vendor, Fazio Mechanical, a refrigeration contractor. A phishing e-mail duped at least one Fazio employee, allowing malware to be installed on Fazio’s computers. The attackers then waited until the malware served up Fazio’s login credentials to access the Target corporate network.
Phishing is a form of social engineering that involves tricking someone into believing an e-mail is coming from a trustworthy source. If the target opens the e-mail, or visits a website in the fake e-mail, a malicious payload gets downloaded and the network is breached.
Education is key
An educated workforce is critical to keeping computer networks secure, says Lohrmann. He’s seen a lot of cyberattacks in his career, having served nearly two decades at the state of Michigan where he helped protect the state’s computer system.
- Conduct a rick assessment. Know where your data is and what you are doing to protect it. Use audit findings to help guide priorities and include a penetration test in your process. Make sure you address these findings when they are available.
- Mitigate known vulnerabilities and network holes. Make sure you do the basic “blocking and tackling” with firewalls and malware detection and fix backup systems.
- Train your people — both end users and technical staff. Have an ongoing security awareness program to keep up with emerging threats and technology changes.
- Build an incident management plan. Know what to do and where to go if you have a cyber incident or data breach. Practice the plan with tabletop exercises (meetings to discuss simulated emergency situations).
- Make sure executives support the security program with the right resources and people. Getting the right cyber talent is key, including a good cybersecurity leader who can champion the effort.
Staying ahead of hackers
Businesses and consumers also have to be wary of several common cybersecurity attack vectors, or ways in which a hacker can gain access to a computer or network server. For instance, Mitnick warned about common mobile threats from USB thumb drives. In a hack, a thumb drive can trick a PC into thinking it’s a keyboard, rather than a storage device. The hacker injects keystrokes and commandeers the device.
Mitnick also warns about the dangers of connecting to a public Wi-Fi, typically found at coffee shops. A hacker can tell the Wi-Fi router to boot all the current users off the network. When they reconnect, the hacker substitutes his Wi-Fi network with the same name. Once users connect, a malicious payload is delivered.
The key to keeping hackers at bay, in most cases, is education, says Nick Lumsden, vice president of technology and product strategy at Online Tech in Ann Arbor, Mich.
“Then practice, test and educate again,” Lumsden says. “There are many tools you can buy to protect your systems, but the biggest threat is your people. Even the best tools won’t protect you from the Kevin Mitnicks of the world.”
The same is true for consumers on home networks. Lumsden urges them to employ the same basics as business to mitigate cyber risks.
“Buy secure products and employ basic network security in the home,” Lumsden says. “Change default user names and passwords, require secure communications and secure your home Wi-Fi.”