One look at the news is enough to make you swear off computers forever. Headline after headline screams of yet another security breach at yet another huge corporation or government agency exposing millions of customer records and straining the trust these organizations work so hard to foster with their customers.
But are security breaches really increasing at a phenomenal rate or is it simply a perception bred by increased media coverage?
“That is a difficult thing to answer,” said Aaron Higbee, CTO of PhishMe, a user driven phishing attack emulation service. “Perhaps the volume of big breaches has remained the same, but three things have changed.”
The first thing is that huge corporations are more willing to own up to security hits these days since so many companies have already done so.
“Two years ago it was embarrassing to admit that a spear phishing incident led to a data breach,” he said. “Now, it’s just accepted that technology falls short and we desperately need user awareness education to step up.”
The second thing is that now corporate victims have a nail to hang an excuse on.
“The security industry’s marketing machine has catapulted the term advanced persistent threat (APT) into an excuse that most organizations can use for everything,” explained Higbee. “‘Whoops! Our Bad! We are doing everything we can; it was the APT that did us in!’ That is generally followed by a string of four-letter words and more excuses. ‘What do you expect from us?’ Even Google was susceptible to an APT, and they are … Google. And after their excuses, they shrug.”
The third big change is the arrival of glory seeking social activists who also hack and are often referred to as hacktivists.
“Hactivisits who are motivated by the exposure and notoriety and less by monetary profit are dumping data gleaned from breaches for all to see,” he said. “Before, individual hackers or groups would keep data caches to themselves instead of relinquishing it to the Internet solely for lulz.”
So, yes, all the media coverage is heightening the alarm. It would be a mistake, however, to assume the dangers have been over played by the press.
“The increase in reported cyber attacks on companies across a wide range of industries is unsettling, particularly as they have shown fundamental weaknesses in presumably hardened networks,” said Jim Ricotta, president and CEO of Verdasys, which markets data protection solutions for large global organizations and government agencies.
“An even worse fact is that for every one disclosed attack, there are hundreds — perhaps thousands — more which go unreported or have yet to be detected.”
While social hacktivists such as LulzSec, Anonymous and Wikileaks get plenty of press and expose our collective and individual vulnerabilities to the world, it is arguably the unreported and undetected attacks that are wreaking the most damage.
Finserv
The banking and finance industry has been especially hard hit. Since banks in the U.S. are liable for losses, rather than banking customers, much of the damage is downplayed so that customers will be lulled into a sense of security and continue using the bank’s services. It’s ironic that banks need their customers to use online banking in order to help spot criminal activity sooner, yet it is online banking that presents the most opportunity for criminal activity. Meanwhile, banks are continuously struggling to find a better way to stop the attacks.
“There is a whole credit card and financial data theft ecosystem alive and well on the Internet that involved the hackers stealing the data, other hackers distributing tools for hacking and account verification, cloners making new debit and credit cards from stolen information and links to criminal networks for buying and selling the information,” explained Brian Dykstra, senior partner at Jones Dykstra and Associates, an eDiscovery, computer forensics and cyber crime response company.
In an effort to thwart some of the attacks, “several major banks have implemented security protocols that require multiple identification points and sensitive information is stored in different secure systems,” said Paul Liu, CIO of Freeborders, a global consulting, technology and outsourcing services firm.
World view
The attacks are not limited to the U.S. “Recently Sony Japan, UK banks and the UK British Health System have been infiltrated by hackers” points out Red Earth Software’s CEO, Deborah Galea.
Indeed, the question is no longer whether any particular company or government agency will be infiltrated; it’s just a question of when. And while attacks happen for a variety of reasons, there are attacks designed to cripple entire countries. Such threats led President Obama to state publicly that computer hacking by foreign countries will be considered an act of war and responded to militarily.
That policy is not just for show.
“Russian computer hackers have attacked our military computers in the past and China is implicated in recent hacks,” explained Steven Weisman, an attorney and professor at Bentley University and the author of The Truth About Avoiding Scams.
But it is not just foreign governments that hack into government and business computers.
“Organized crime throughout the world, particularly in Eastern Europe has been active in hacking into large banks and companies with information that can be used for identity theft and scams,” said Weisman.
Although hackers and cyber criminals appear to always be at least one step ahead of security efforts, there are steps organizations can take to better secure sensitive data.
“Organizations should focus on implementing proactive security and training their workforce, create awareness for security and how these threats work,” said Check Point’s security researcher, Tomer Teller. “It’s like a neighborhood watch: You need to be able to rely on your people to become the first line of defense. People, along with good security policy and enforcement, can ensure that security is practical and more effective.”
A prolific and versatile writer, Pam Baker’s published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).
