How To Keep Your Organization Hack-Free
In the previous installment of this series, we discussed how to identify and protect ourselves from phishing attacks. In this post, we review some of the latest incidents and suggest ways in which they could have been prevented.
Computer crime is big business with major growth opportunities. In fact, it has created its own dark economy.
Cyber criminals can buy sophisticated tools such as vulnerability exploitation kits to improve their chances of success. They can even rent many of those tools as a service: MaaS (Malware as a Service) is one example. There are exchanges where they can sell their stolen information and buy information stolen by others. They even have their own currency, the bitcoin. And they can earn millions, maybe even hundreds of millions, of real dollars for their efforts.
According to Internet security company Kaspersky, just one initiative alone may have grossed a billion dollars. Between 2013 and 2015, the Carbanak cyber gang targeted financial institutions across the world. Their onslaught consisted of hundreds of raids, each two to four months in the making and netting up to $10 million each time. Most worryingly, the attacks went largely undetected until the banks reconciled their internal accounts and those held with other financial institutions. By that time the criminals had destroyed most of their traces.
As well as organized crime, there are also state actors. No one knows the resources invested in them, but their main interest is espionage, says Verizon. Their main targets are in government, followed closely by manufacturing and professional and information services. Sabotage is also thought to be an aim of these nation-sponsored groups.
Unlike criminal gangs, governments have time. Weaknesses planted in their targets’ systems may not be activated for years, if ever. Information gleaned may never become public.
In June of last year, The US Government’s Office of Personnel Management discovered that the background investigation records of 21.5 million current, former, and prospective contractors and Federal employees (as well as their families) had been stolen. The incident led to the US Central Intelligence Agency pulling a number of officers from its embassy in Beijing. That much is known, but many other consequences may not have been reported.
In September of this year, a US House of Representatives report concluded that the OPM was guilty of a cascading series of cybersecurity blunders from the agency’s senior leadership on down to the outdated technology used to secure the sensitive data. The breach jeopardized “national security for more than a generation,” the report stated.
Other recent events that have been attributed to state-sponsored attackers include the hacking of the World Anti-Doping Agency, Sony Pictures, the Democratic National Committee, and emails from presidential candidate Hillary Clinton’s campaign. An attack on Yahoo in which 500 million records were stolen, at first thought to be by state-sponsored hackers, is now believed to have been carried out by a criminal gang.
So what can we learn from these organized-crime and state-sponsored incidents? And how can we apply the lessons to keep our organizations hack-free? Here is some advice from those who have followed the attacks.
Start at the top.
Boards are not sufficiently proactive regarding cyber threats, and generally do not understand their organization’s digital footprint well enough to properly assess the risks, says business advisory PwC in its latest Global Economic Crime Survey. But as the effects of cyber crime go far beyond the IT department, the responsibility for redressing cyber vulnerabilities starts at the top. Make cyber security a board-level issue.
Make a plan.
You cannot avoid all breaches, so be prepared for the consequences when they happen. Only 37 percent of respondents to the 2016 PwC Global Economic Crime Survey, most of them in the heavily regulated financial services industry, had a fully operational incident response plan. Three in ten had no plan at all, and of these, nearly half didn't think they needed one. Make and practice a detailed incident response plan covering the entire organization, not just IT, recommends PwC.
An increasingly international and mobile workforce faces near-constant temptation to take shortcuts such as using free Wi-Fi and other networks outside the control of the organization. One solution is to insist that all equipment is fitted with end-to-end encryption and that full use is made of virtual private networks. But at the end of the day this will only work if employees are trained and constantly reminded of required practices.
Report incidents to law enforcement, says Kaspersky. Only in this way can a body of knowledge be built to anticipate and counteract cyber crime. Also, the reality is that if a determined, state-sponsored adversary wants your data, they’re going to get it unless another state-sponsored entity helps you defend it, says Verizon.
Don’t forget the basics.
Attacks—no matter how sophisticated they end up—usually start with a single simple step, says US carrier and Internet service provider Verizon in its 2016 Data Breach Investigations Report. The Carbanak gang, for instance, began by gaining entry into an employee’s computer through spear phishing, infecting the victim with malware, says Kaspersky. So basic endpoint, email and network protection remains crucial. In particular, regularly update anti-virus, browser and plug-in software, employ the best spam protection, list blocking and header analysis you can, set up reporting procedures for suspected phishing attempts, use two-factor authentication and segment the network, and monitor and audit accounts and logs, says Verizon.
In the next post in this series of three, we take a look at how good old fashioned offline skullduggery affects information system security and at what we can do to stop it.