Feb. 24 -- Security experts warn that the recent cyberattacks on Apple and the New York Times are only the highest-profile examples of an escalating problem that threatens American businesses and undermines national security.
"A new frontier for people who are not our friends is attacking our infrastructure and disrupting our day-to-day lives and our economy," said Jay Kesan, a University of Illinois professor of law and computer engineering. "It's not traditional warfare, but it should be a matter of very high priority."
Last week, the Obama administration announced a new effort to fight the growing theft of American trade secrets after Apple's and Facebook's revelations that they had been hacked, and new evidence linking years of cyberattacks against more than 140 U.S. companies to the Chinese military. The administration's plan includes a new diplomatic push and better coordination at home to help companies protect themselves. The next meeting of NATO defense ministers will include a major focus on cybersecurity.
While the theft of online banking information and payroll credentials is among the most common types of attacks, some of the greatest threats, Kesan said, are to industrial control systems such as those of airlines, railways and utilities.
"Once you get ahold of them, you can cause a lot of havoc," he said. "The threat is real. The only way to address this is to have the public and private sectors work together."
The most costly cybercrimes are those caused by denial of service, malicious insiders and Web-based attacks, according to the Ponemon Institute, a Michigan cybersecurity think tank.
A 2012 study of 56 companies by the institute found that the average annualized cost of cybercrime was $8.9 million, a 6 percent increase from the previous year, and the companies experienced a total of 102 successful attacks per week, up 42 percent from 2011.
Some attacks involve the way companies have implemented their systems. Ian Abreu, a consultant at Core Security in Boston, gave the example of an online retailer that puts its sales database on the same server as its business analytics database.
"This created a big problem when we found a certain type of attack aimed at the e-commerce platform allowed us to access company financial records and information as well," Abreu said.
Other attacks involve "spear phishing," carefully targeted strikes on specific employees to gain access to sensitive internal communications and trade secrets, said Richard Wang, manager of SophosLabs U.S. in Burlington.
To guard against such attacks, many companies now require employees to log into their computers using not only a password, which must be changed periodically, but also some other form of identification, such as a fingerprint, said Srini Devadas, a professor of electrical engineering and computer science at MIT.
"It's all about armor and ammunition," he said. "You have to double-lock everything."
Devadas also recommends that companies update their operating systems and software frequently, and train employees in basic self-defense, such as knowing not to click on links without knowing where they lead.
Still, there is no foolproof way for businesses and their employees to protect themselves, said Sven Dietrich, assistant professor of computer science at Stevens Institute of Technology in Hoboken, N.J.
"There are lots of things you can do, but in the end, software is written by humans and will always have vulnerabilities," Dietrich said. "You just have to be careful. It's dangerous out there. It's not a cozy neighborhood."
Copyright 2013 - Boston Herald