insight magazine

Cyber Survival

While most cybercrimes are driven by the allure of financial gain, there are other motives that organizations need to protect against. By Carolyn Kmet | Winter 2017

Cyber Survival-800

On July 29, 2017, Equifax, one of the three largest credit agencies in the United States, discovered it was the target of perhaps the most critical data breach in history. Hackers exploited a vulnerability in an open-source software package that allowed them to heist Social Security numbers, driver’s license numbers, birthdates, addresses, full legal names, and other sensitive personal information of more than 143 million consumers. This single attack, just one of many in recent times, exposes more than 40 percent of the U.S. population to a very high risk of credit fraud. You, me, your clients and customers—all are at risk, not just from this attack but also from the ones yet to come.

BIGGER & BOLDER

Cyberattacks of scale are on the rise. According to IdentityForce, a provider of identity theft, privacy, and credit protection solutions, the number of reported data breaches from 2015 to 2016 jumped 40 percent. And while 2017 isn’t quite over, some of the largest companies we know, companies such as Blue Cross Blue Shield/Anthem, Deloitte, Dun & Bradstreet, InterContinental Hotels Group, Whole Foods, and many more, have all been breached by varying degrees this year.

As our reliance on connected technologies and the internet grows, so do the threats. Today, the data landscape is vastly different. Everything exists in digital form: financial records, medical reports, legal data— and it’s all fair game for motivated hackers.

Greg Edwards, CEO of cybersecurity provider WatchPoint, believes that one of the primary drivers behind the increased number of data breaches is the increasing ability of cyber criminals to monetize stolen data. Stolen personally identifiable information (PII) records are advertised for sale on the “deep web,” which is the sub-realm of the internet not indexed by standard search engines. Cyber criminals or syndicates who purchase the data use it to commit a variety of crimes including fraud, identity theft, espionage, blackmail, and extortion. According to TrendMicro, health information and medical data fetch an average of $59.80 per individual record. Passwords are the most valued pieces of data, averaging $75.80 each. Social Security numbers ring in at $55.70.

The hacking industry has become, in a sense, industrialized. “While cyberattacks in the past were poorly planned, opportunistic efforts by individuals or small groups, today there are large, well-funded organizations taking a business-like approach to committing cybercrime,” says Kip Boyle, founder and CEO of Cyber Risk Opportunities, an executive cyber risk advisory firm.

Today’s hackers have access to a vast marketplace of criminal technology. A decade ago, hackers needed a broad range of technical expertise to breach security systems and monetize the data. In contrast, today’s hackers just need to know who to approach to buy the expertise they need to get the job done.

“Hacking has been democratized, so now anyone can do it,” says Mark Herschberg, a cybersecurity expert and CTO at Averon. “Today, there is an ecosystem as complex as any we find in legitimate industries. Individuals and teams specialize in each step. For example, you can buy ransomware created by one hacker, phishing email tools from another, and an email list from a third. You simply use the phishing tools to email people with links that install the ransomware, and then you sit back and make money.”

While most cybercrimes are driven by the allure of financial gain, there are other motives that organizations need to protect against.

“An angry employee might reveal a trade secret. A political hacking group might want to deface your website or send embarrassing tweets from your account. Someone else might want to steal your client’s account details. Others may just want to extort money from your company. These are different people with different motives and different types of attacks,” Herschberg warns.

For example, in 2012, hackers associated with an activist group identified only as Anonymous, published over three gigs worth of email and data taken from Puckett & Faraj, the law firm representing a staff sergeant accused of leading a group of Marines responsible for the deaths of 24 unarmed Iraqi civilians. The firm never recovered from the breach.

As long as attackers believe they have a chance to succeed, attacks will keep coming.

“First, hackers collaborate across geographical locations, making it difficult to track the attacking source. Second, complexity and attack payloads are evolving rapidly, making it slow to monitor and prevent many vulnerabilities and consequences in synergistic cyber networks. Third, advanced, persistent threats are implanted across multiple stages, making it troublesome to catch real-time incidents out of normal network traffic. Last but not least, it is extremely hard to manage the volume, velocity, and complexity of the data generated by the myriad of security tools,” explains Swapnil Deshmukh, a senior director at Visa responsible for attesting security for emerging technologies.

Swapnil’s harsh reality means organizations must be far more proactive rather than reactive in their defenses, investing in policy management, automation, and continual analysis to stay ahead of attackers.

“A proactive measure of defense, like a backup or disaster recovery strategy, is much less costly and effective in the event of a ransomware attack,” says Jeremy Steinert, CTO at WSM International, a provider of migration and specialized cloud services. For example, network segmentation can help mitigate risks and costs. “The first thing we look at is segmentation and separation of workloads to isolate the servers with special compliance requirements. The goal is to reduce the target footprint within the IT infrastructure,” Steinert explains.

Other defenses should include active threat monitoring, and regular security and software patches and updates. The costs associated with these activities vary by IT infrastructure, but can be a fraction of what’s incurred due to a business disruption or remediation steps following a breach.

“We are a tremendously digital world, and yet too many people and companies still do not update their software programs or security software,” Steinert says. While this may seem like commonsense, the Equifax data breach may have been avoided or minimized if a security patch issued months earlier had been applied. The WannaCry ransomware attack that shut down U.K. hospitals, crippled FedEx, and infiltrated Deutsche Bahn in May 2017, exploited vulnerabilities in the Windows XP operating system, a platform that has been long abandoned and is no longer updated by Microsoft. “No one should have been using that operating system,” Steinert says. “And yet, even today, many still do.”

Another commonsense, yet often overlooked, is employee training. “Hackers seek information to exploit IT systems, and people are a weak link in the chain, from the executive suite to the receptionist,” Steinert emphasizes.

In 2015, an estimated $246 million was lost when hackers sent messages from spoofed email accounts of CEOs or CFOs, tricking employees into transferring large sums of money to accounts controlled by criminals. Similar tactics have been used to trick HR employees into sending W-2 forms to hackers, who then use the information for identity theft. In another approach, hackers used personal information gleaned from social media profiles to impersonate employees and get help from duped coworkers to enter the company’s infrastructure using reset credentials. Regardless of how sophisticated the cyberattack is, system access is very often granted by unsuspecting employees.

So, what’s the best line of defense? “Think like the enemy,” urges Josh Mayfield, platform lead for Immediate Insight at FireMon, an intelligent network security management provider. “Take an honest look at yourself. What needs improvement? Those with the courage to put on attacker spectacles and regularly inspect their own blind spots are those who will be resilient in this new world.”

This “new world” is one without borders. Because attacks infiltrate organizations through digital networks, there are no physical boundaries to enforce, which means cyberattacks can originate from anywhere.

QUANTIFYING YOUR RISKS 

In June 2017, the Ponemon Institute partnered with IBM Security to conduct a global study of 419 companies that experienced data breaches. The study weighed several factors to better understand how organizations are impacted by data breaches, examining the loss of customers following a breach; the size of the breach or the number of records lost or stolen; the time to identify and contain a breach; the detection and escalation of the breach incident; post-breach costs, including the cost to notify victims; and, whether the attack was led by a malicious insider versus system glitches or negligence.

The study found that the average total cost of a data breach was $3.62 million, down from $4 million in 2016. However, while costs decreased, the average size of a breach breaches increased by nearly two percent. And with breaches becoming larger and more frequent, there’s more for organizations to consider than costs.

Mayfield says that the first step in gauging the severity of a cyberattack is to identify the potential outcome of the event itself. “Some attacks are meant to deny services, like standing in the way of a user accessing an application or a system in a manufacturing plant stalling out because of a network malfunction. No data is stolen in these circumstances, but one can easily achieve the goal of disrupting commercial activities.”

In the cases where data could be stolen, Mayfield advises assessing the relative value of that data. “If what’s stolen are the Social Security numbers of the deceased, those have a markedly different value than those of living twenty-somethings. Each data element has its own value, and understanding the price each can fetch is the best way to assess the value of your organization’s data,” Mayfield explains.

When defending against cyberattacks, the key to remember is that any system can be hacked. There is no silver bullet solution. Hackers will attack a system if the desired outcome is worth their time and effort. “Protection should not be ultimate, it should be such as to make an attack meaningless, by making attackers spend more than can be gained,” explains Maxim Kovtun, solution architect at Sigma Software. Like businesses, cyber criminals seek the greatest pay-off for the least amount of effort.