Drawing upon popular stereotypes portrayed in movies and television shows, many people today have bought into the idea of computer hackers as being tech-savvy social outcasts looking to make a quick buck or cause mayhem from the comfort of their parents’ basement. In reality, hacking is treated more like a formal occupation – complete with salaries, benefits, vacation time, and bonus incentives – by the organized crime syndicates and nation-states that have been behind some of the more large-scale attacks and data breaches in recent years.
Dispelling some of these false notions and helping security practitioners better understand how cyber criminals think was the focus of a panel discussion at last month's Verint Engage 19 conference in Orlando. The panelists were Eric Michaud, CEO and Founder of Rift Recon; Valerie Thomas, Executive Consultant at Securicon; and Joe Luna, Founding Partner at Furtim. Terry Gold, Principal Analyst at D6 Research, moderated the discussion.
According to Luna, one of the biggest problems for organizations today in combatting cyber-attacks is that they misidentify the threat.
“They think it is the kids in the basement or younger groups of people just having fun… they’re just wreaking havoc. But there is a very large business of hacking and nation-states, so I think the misunderstanding is just classifying it wrong to begin with,” Luna says. “You’re looking in the wrong shadows.”
Another common misconception, according to Gold, is that people think the majority of breaches end up being publicized in the media, which couldn’t be further from the truth.
“Society generally thinks that we hear about most of the hacks that are going on because we hear about them every day but the reality is there are only a couple of things that are required by law to be disclosed – most of which just require that it involves PII, personally identifiable information, which leads to credit cards, banking information and that type of stuff,” Gold explains. “All of the other stuff – trade secrets, formulas and information or compromising operations – you are not required to go ahead and report that. Maybe as a publicly-traded company if it affects your earnings you may have to do some disclosure on your financial reports for the SEC, but aside from that a) most hacks aren’t discovered and b) most of them certainly aren’t reported.”
And while some attacks require a high level of skill and the ability to chain a number of tactics to pull off successfully, others can be carried out by relative novices. In fact, according to Michaud, ransomware, which has brought the operations of many large organizations and municipalities around the world to a standstill, is now offered to criminals as a service.
“It’s a marketplace, you choose your vendor, you choose your SLA… you don’t even have to know what you’re doing,” Michaud says. “You buy bitcoin or more of a privacy-centric cryptocurrency and they say, ‘Alright, well you need 1,000 machines and 1,000 IPs.’ You send the money and you get a user interface, you get a chat room, you get customer support… they want to make sure you come back.”
Poor Cyber Hygiene
While cyber schemes have grown far more sophisticated over the years, one of the biggest reasons many businesses and government agencies continue to be compromised is a lack of good cybersecurity practices on the part of employees. For example, Luna says his firm has recently seen a substantial increase in business email compromise (BEC) scams that target personnel in corporate finance departments.
“They will essentially target people in finance in the organization through phishing or mail them a (malware-infected) thumb drive with their company logo printed on it and say, ‘Hey, we’re a thumb drive manufacturer, here’s a free sample,’ and they plug it in,” Luna explains.
In a typical BEC attack, the attacker impersonates a high-ranking executive in the company, usually the CEO, and tells someone in the accounting department to send money quickly to the account of a new supplier, or something along those lines. The scheme works because verifying the request feels awkward. “To have a corporate controller get on the phone and tell someone to prove who they are is just not in the DNA of some companies,” Gold adds.
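The executive-impersonation pattern described above leaves traces in the message itself: a known executive's display name on a sender address that is not the one on record, a Reply-To that diverts the thread elsewhere, a sender domain one character away from the real one, and payment-urgency wording. The following triage script is an added example, not code from the article or any of the panelists; the protected domain `example.com`, the one-entry executive directory, the word list and both sample messages are constructed for illustration.

```python
"""Triage checks for executive-impersonation (BEC) email.

Added example; not code from the article or the panel. The executive
directory, the protected domain and both sample messages are constructed.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumption: the protected domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # hypothetical executive directory
PAYMENT_WORDS = ("urgent", "wire", "new supplier", "new account", "bank details")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_lookalike(domain: str) -> bool:
    """True for a foreign domain nearly identical to ours (examp1e.com, exarnple.com)."""
    if not domain or domain == CORP_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, CORP_DOMAIN).ratio() >= 0.85


def analyze(raw: str) -> list:
    """Return human-readable findings for one RFC 5322 message; [] means nothing fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    findings = []

    # 1. Display name of a known executive, but the address is not the one on record.
    on_record = EXECUTIVES.get(name)
    if on_record and addr != on_record:
        findings.append(f"display name '{name}' matches an executive but sender is {addr}")

    # 2. Reply-To diverts the conversation away from the From address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Sender domain is a lookalike of the corporate domain.
    if _is_lookalike(_domain(addr)):
        findings.append(f"sender domain {_domain(addr)} resembles {CORP_DOMAIN}")

    # 4. Payment-urgency wording only raises severity when a check above already fired,
    #    otherwise every genuine invoice reminder would trip it.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if hits and findings:
        findings.append(f"payment-urgency wording: {hits}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.invalid
To: controller@example.com
Subject: Urgent wire to new supplier

Please send this before noon today. Bank details attached.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Board deck

Draft attached for review.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

Header checks like these catch the crude cases; they do not help when the executive's real mailbox has been taken over, which is why the out-of-band phone call Gold mentions remains the control that matters for a payment change.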
Physical Security’s Vulnerabilities
Much has been written about the vulnerability of video surveillance cameras and other IP-enabled security devices, given how cyber criminals have leveraged them in the past, but the implications of a hacker bypassing or compromising an organization’s physical security infrastructure go well beyond the inconvenience of a distributed denial of service (DDoS) attack.
“If we think about this in IT terms, access control systems have admin rights just like we do in IT. So, if I’m the equivalent of a domain admin on the physical access control network, I’m the goddess of the physical access network,” Thomas says. “The physical access system has one job: to open the door when it is supposed to, but if I can override that and open any door whenever I feel like it, now we have a problem.
“And once I’m the goddess I can rearrange those access groups, so if I’m in a particularly evil mood – and I’m calling this my prediction for the new ransomware – I can take everybody out of the access group for the whole building and then get them to evacuate,” Thomas continues. “You want to talk about massive disruption, how much would you pay to reopen JFK Airport? Nobody can get back into the airport without breaking all of their systems. I don’t think we’re there yet, but that will be the new (trend) in a few years.”
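The scenario Thomas describes, an administrator-level account stripping everyone out of a building's access groups, is a burst of membership removals that no legitimate change process produces. The script below is an added example, not code from the article, the panel or any access-control vendor: it reads a hypothetical audit-log format (the line layout and sample lines are constructed), slides a time window over removals per actor and group, and alerts when the count in any window crosses a threshold, noting whether the burst began outside assumed business hours.

```python
"""Alert on bulk removals from physical-access-control groups.

Added example; not code from the article, the panel or any access-control
vendor. The audit-log line format and the sample lines are constructed, and
business hours are assumed to be 08:00-18:00 in the log's time zone (UTC here).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<actor>\S+) (?P<action>\S+) group=(?P<group>\S+) user=(?P<user>\S+)$"
)
BUSINESS_HOURS = range(8, 18)  # assumption


def parse(line: str):
    """Parse one hypothetical audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_bulk_removals(lines, threshold=5, window=timedelta(minutes=5)):
    """One alert per (actor, group) that removed >= threshold users inside any window."""
    removals = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["action"] == "REMOVE_MEMBER":
            removals[(rec["actor"], rec["group"])].append(rec["ts"])

    alerts = []
    for (actor, group), stamps in removals.items():
        stamps.sort()
        lo, peak, peak_start = 0, 0, None
        for hi, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > peak:
                peak, peak_start = hi - lo + 1, stamps[lo]
        if peak >= threshold:
            alerts.append({
                "actor": actor,
                "group": group,
                "removals_in_window": peak,
                "window_start": peak_start,
                "off_hours": peak_start.hour not in BUSINESS_HOURS,
            })
    return alerts


# Constructed sample log: one overnight burst by a service account, plus normal daytime churn.
SAMPLE_LOG = """\
2019-06-03T02:14:05Z admin-svc REMOVE_MEMBER group=HQ-All-Doors user=u1001
2019-06-03T02:14:05Z admin-svc REMOVE_MEMBER group=HQ-All-Doors user=u1002
2019-06-03T02:14:06Z admin-svc REMOVE_MEMBER group=HQ-All-Doors user=u1003
2019-06-03T02:14:06Z admin-svc REMOVE_MEMBER group=HQ-All-Doors user=u1004
2019-06-03T02:14:07Z admin-svc REMOVE_MEMBER group=HQ-All-Doors user=u1005
2019-06-03T02:14:07Z admin-svc REMOVE_MEMBER group=HQ-All-Doors user=u1006
2019-06-03T09:30:12Z alice ADD_MEMBER group=HQ-Lab user=u1050
2019-06-03T10:02:44Z alice REMOVE_MEMBER group=HQ-Lab user=u1020
2019-06-03T15:45:01Z alice REMOVE_MEMBER group=HQ-Lab user=u1021
"""

if __name__ == "__main__":
    for alert in find_bulk_removals(SAMPLE_LOG.splitlines()):
        print(alert)
```

The detection only works if the access-control system's audit trail is shipped off the box to the same place the IT logs go; an attacker who is already "domain admin" on the physical access network can otherwise edit or disable the log along with the access groups.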
So, how can organizations better prepare themselves for the myriad cybersecurity threats facing their businesses today? Michaud advises companies to be honest about their limitations in trying to mitigate various cyber risks and try to make themselves an appealing place to work for cybersecurity professionals.
“Be extremely open and humble about what you don’t know,” Michaud says. “Maybe visit other conferences that are very different just to meet those people and show that you’re out there and if you’re that progressive person you may actually get better people to hire. Generally, big companies don’t get good hackers because they have really bad, I think, work environments. So, if you’re seen as that one that is awesome to work with and you’ve got really cool problems to solve and they can be a force multiplier – that’s awesome for you.”
Thomas adds that companies that invest in technology solutions over people do so at their own peril when it comes to cybersecurity. “Looking for anomalies, installing new tools and upgrading firewalls are great things but if you’re not going to invest the money in the staff and train them to use those tools properly to give them a good view of the entire organization, you might as well just give that money to me because it’s not doing you any good,” Thomas told the crowd of attendees.
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].