Cyber Survival
While most cybercrimes are driven by the allure of financial gain, there are other motives that organizations need to protect against.
By Carolyn Kmet | Winter 2017
On July 29, 2017, Equifax, one of the three largest credit
agencies in the United States, discovered it was the target
of perhaps the most critical data breach in history. Hackers
exploited a vulnerability in an open-source software package
that allowed them to steal Social Security numbers, driver’s
license numbers, birthdates, addresses, full legal names,
and other sensitive personal information of more than 143
million consumers. This single attack, just one of many in
recent times, exposes more than 40 percent of the U.S.
population to a very high risk of credit fraud. You, me, your
clients and customers—all are at risk, not just from this attack
but also from the ones yet to come.
BIGGER & BOLDER
Cyberattacks of scale are on the rise. According to IdentityForce, a provider of identity theft, privacy, and
credit protection solutions, the number of reported data breaches from
2015 to 2016 jumped 40 percent. And while 2017 isn’t quite over, some
of the largest companies we know, companies such as Blue Cross
Blue Shield/Anthem, Deloitte, Dun & Bradstreet, InterContinental
Hotels Group, Whole Foods, and many more, have all been breached
to varying degrees this year.
As our reliance on connected technologies and the internet grows, so
do the threats. Today, the data landscape is vastly different. Everything
exists in digital form: financial records, medical reports, legal data—
and it’s all fair game for motivated hackers.
Greg Edwards, CEO of cybersecurity provider WatchPoint, believes
that one of the primary drivers behind the increased number of data
breaches is the increasing ability of cyber criminals to monetize stolen
data. Stolen personally identifiable information (PII) records are
advertised for sale on the “deep web,” which is the sub-realm of the
internet not indexed by standard search engines. Cyber criminals or
syndicates who purchase the data use it to commit a variety of crimes
including fraud, identity theft, espionage, blackmail, and extortion.
According to TrendMicro, health information and medical data fetch an
average of $59.80 per individual record. Passwords are the most
valued pieces of data, averaging $75.80 each. Social Security
numbers ring in at $55.70.
The hacking industry has become, in a sense, industrialized. “While
cyberattacks in the past were poorly planned, opportunistic efforts by
individuals or small groups, today there are large, well-funded
organizations taking a business-like approach to committing
cybercrime,” says Kip Boyle, founder and CEO of Cyber Risk
Opportunities, an executive cyber risk advisory firm.
Today’s hackers have access to a vast marketplace of criminal
technology. A decade ago, hackers needed a broad range of technical
expertise to breach security systems and monetize the data. In
contrast, today’s hackers just need to know who to approach to buy
the expertise they need to get the job done.
“Hacking has been democratized, so now anyone can do it,” says Mark
Herschberg, a cybersecurity expert and CTO at Averon. “Today, there
is an ecosystem as complex as any we find in legitimate industries.
Individuals and teams specialize in each step. For example, you can
buy ransomware created by one hacker, phishing email tools from
another, and an email list from a third. You simply use the phishing tools
to email people with links that install the ransomware, and then you sit
back and make money.”
While most cybercrimes are driven by the allure of financial gain, there
are other motives that organizations need to protect against.
“An angry employee might reveal a trade secret. A political hacking
group might want to deface your website or send embarrassing tweets
from your account. Someone else might want to steal your client’s
account details. Others may just want to extort money from your
company. These are different people with different motives and
different types of attacks,” Herschberg warns.
For example, in 2012, hackers associated with an activist group
identified only as Anonymous published over three gigs’ worth of
email and data taken from Puckett & Faraj, the law firm representing a
staff sergeant accused of leading a group of Marines responsible
for the deaths of 24 unarmed Iraqi civilians. The firm never recovered
from the breach.
As long as attackers believe they have a chance
to succeed, attacks will keep coming.
“First, hackers collaborate across geographical locations, making it
difficult to track the attacking source. Second, complexity and attack
payloads are evolving rapidly, making it slow to monitor and prevent
many vulnerabilities and consequences in synergistic cyber networks.
Third, advanced, persistent threats are implanted across multiple
stages, making it troublesome to catch real-time incidents out of normal
network traffic. Last but not least, it is extremely hard to manage the
volume, velocity, and complexity of the data generated by the myriad
of security tools,” explains Swapnil Deshmukh, a senior director at Visa
responsible for attesting security for emerging technologies.
Swapnil’s harsh reality means organizations must be far more proactive
than reactive in their defenses, investing in policy management,
automation, and continual analysis to stay ahead of attackers.
“A proactive measure of defense, like a backup or disaster recovery
strategy, is much less costly and effective in the event of a ransomware
attack,” says Jeremy Steinert, CTO at WSM International, a provider of
migration and specialized cloud services. For example, network
segmentation can help mitigate risks and costs. “The first thing we look at is segmentation and separation of workloads to isolate the servers
with special compliance requirements. The goal is to reduce the target
footprint within the IT infrastructure,” Steinert explains.
Other defenses should include active threat monitoring, and regular
security and software patches and updates. The costs associated
with these activities vary by IT infrastructure, but can be a fraction
of what’s incurred due to a business disruption or remediation
steps following a breach.
“We are a tremendously digital world, and yet too many people and
companies still do not update their software programs or security
software,” Steinert says. While this may seem like common sense, the
Equifax data breach may have been avoided or minimized if a security
patch issued months earlier had been applied. The WannaCry
ransomware attack that shut down U.K. hospitals, crippled FedEx, and
infiltrated Deutsche Bahn in May 2017 exploited vulnerabilities in the
Windows XP operating system, a platform that has been long
abandoned and is no longer updated by Microsoft. “No one should
have been using that operating system,” Steinert says. “And yet, even
today, many still do.”
Another commonsense, yet often overlooked, defense is employee training.
“Hackers seek information to exploit IT systems, and people are a
weak link in the chain, from the executive suite to the receptionist,”
Steinert emphasizes.
In 2015, an estimated $246 million was lost when hackers sent
messages from spoofed email accounts of CEOs or CFOs, tricking
employees into transferring large sums of money to accounts
controlled by criminals. Similar tactics have been used to trick
HR employees into sending W-2 forms to hackers, who then use
the information for identity theft. In another approach, hackers
used personal information gleaned from social media profiles to
impersonate employees and get help from duped coworkers to enter
the company’s infrastructure using reset credentials. Regardless of
how sophisticated the cyberattack is, system access is very often
granted by unsuspecting employees.
So, what’s the best line of defense? “Think like the enemy,” urges Josh
Mayfield, platform lead for Immediate Insight at FireMon, an intelligent
network security management provider. “Take an honest look at
yourself. What needs improvement? Those with the courage to put on
attacker spectacles and regularly inspect their own blind spots are
those who will be resilient in this new world.”
This “new world” is one without borders. Because attacks infiltrate
organizations through digital networks, there are no physical boundaries
to enforce, which means cyberattacks can originate from anywhere.
QUANTIFYING YOUR RISKS
In June 2017, the Ponemon Institute partnered with IBM
Security to conduct a global study of 419 companies that
experienced data breaches. The study weighed several
factors to better understand how organizations are impacted
by data breaches, examining the loss of customers following
a breach; the size of the breach or the number of records
lost or stolen; the time to identify and contain a breach;
the detection and escalation of the breach incident; post-breach
costs, including the cost to notify victims; and whether
the attack was led by a malicious insider versus system
glitches or negligence.
The study found that the average total cost of a data breach
was $3.62 million, down from $4 million in 2016. However,
while costs decreased, the average size of a breach
increased by nearly two percent. And with breaches becoming
larger and more frequent, there’s more for organizations to
consider than costs.
Mayfield says that the first step in gauging the severity of a
cyberattack is to identify the potential outcome of the event
itself. “Some attacks are meant to deny services, like standing
in the way of a user accessing an application or a system in
a manufacturing plant stalling out because of a network
malfunction. No data is stolen in these circumstances, but one
can easily achieve the goal of disrupting commercial activities.”
In the cases where data could be stolen, Mayfield advises
assessing the relative value of that data. “If what’s stolen are
the Social Security numbers of the deceased, those have a
markedly different value than those of living twenty-somethings.
Each data element has its own value, and understanding the
price each can fetch is the best way to assess the value of your
organization’s data,” Mayfield explains.
When defending against cyberattacks, the key to remember
is that any system can be hacked. There is no silver bullet
solution. Hackers will attack a system if the desired outcome
is worth their time and effort. “Protection should not be
ultimate, it should be such as to make an attack meaningless,
by making attackers spend more than can be gained,” explains
Maxim Kovtun, solution architect at Sigma Software. Like
businesses, cyber criminals seek the greatest pay-off for the
least amount of effort.