What CIOs can learn about security threats from 4 recent hacks
Four recent high-profile hacks demonstrate that cybercriminals are breaching networks, stealing data and using social engineering to trick employees. We asked several security experts to weigh in on these cases, how they occurred and what CIOs should do to reduce the likelihood of a similar compromise. Hint: it’s more than just installing a new firewall and insisting that employees use antivirus apps.
This high-profile data breach is disconcerting because the Office of Personnel Management (OPM) handles security clearances and background checks for federal employees. At last count, 21.5 million government employee records were stolen. Most reports indicate that the OPM hack occurred because of a lack of basic security infrastructure precautions. A former subcontractor stole the data while doing background checks, according to both the public hearings on the breach and to data security expert Alan Kessler.
[Related: How OPM data breach could have been prevented]
Kessler, CEO of data security company Vormetric, says there was a long history of OPM relying on legacy systems and not investing in security infrastructure. The big lesson for CIOs, according to Caleb Barlow, vice president of security at IBM, is to avoid the “shiny new object” problem in security. Some CIOs are drawn to a new innovation or the latest technique, but forget the fundamentals. “Basic security needs, such as patching, monitoring who has privileged access, identifying risks, and knowing where the organization’s critical data resides, need to be met before anything else,” he says.
Yorgen Edholm, CEO of enterprise file-sharing company Accellion, told says the OPM breach is a reminder to CIOs that hackers are not just trying to steal credit card numbers at banks or other financial info. The breach involved social security numbers, healthcare records and even fingerprints stored in a database. CIOs need to investigate ways to protect all systems instead of relying on measures that protect only financial data.
This recent breach involved an employee (or group of employees) stealing such sensitive data as player evaluations and stats from a rival baseball team. It’s unique in that it’s one well-known entity attacking another entity (as opposed to an obscure, foreign cybercriminal). It points to a need for CIOs to look within the four walls of a company for attack vectors.
Matt Suiche, the well-known entrepreneur who now works at VMware, says companies need to do a better job of protecting data from employees, subcontractors and third-party vendors. He says there are too many lines of attack, so the idea of just protecting a company using a firewall and antivirus software from outsiders doesn’t make sense. It’s better to have a multi-factor security approach that impedes any cybercriminal.
[Related: FBI investigates St Louis Cardinals over Houston Astros hacking]
“Companies hire away employees from competitors all the time, and using the same passwords in your old and new company is an invitation for problems,” says Stu Sjouwerman, the CEO of security company KnowBe4. “Password management and creating strong passwords is a must these days, until we deploy stronger authentication procedures like two-factor authentication and/or biometric security measures like fingerprints and facial recognition.”
“Sometimes the biggest breaches are not the work of spy agencies, organized crime syndicates or even sophisticated hackers, but rather the act of a former employee or business competitor,” says Accellion’s Edholm. He says corporations should protect systems against rogue employees, use unique and complex passwords for all employee access, own and track all encryption keys, and train employees thoroughly on cybersecurity best practices.
This ingenious hack has many variations, but it’s essentially a con against an employee where the hacker sends in a resume as a compressed (.zip) file. The employee opens the file, which triggers a malware app that encrypts the hard drive and any shared network drives. The hacker then demands a ransom payment to remove the malware and restore the drive. It’s not a dissimilar approach to a recent scam where hackers purloined financial information from pre-published press releases…and then made bank on said information.
One of the most nefarious examples of ransomware came last year when an Australian news channel was hacked using a Cryptolocker; the hackers demanded payment to release the data. In many cases, the ransom payment must be sent in untraceable Bitcoins.
KnowBe4’s Sjouwerman says the problem with this scam is how effective it can be. In their own tests, they found that 60 percent of employees tested at a bank opened a resume sent by email. He says the most recent attacks involve the name of fictitious female applicant.
IBM’s Barlow says there is ultimately one main solution to a phishing attack, which is to constantly educate employees. There are always new attacks. The education should involve phishing tests where employees have to make the right decision (such as not clicking a link or not responding). If they fail the test, the company needs to do additional training.
This last type of security breach is making headlines because it specifically targets the executive teams at large companies. It’s mostly a social engineering hack: A criminal first gains access to the executive’s email, likely by guessing a password or running a password generator. They use the exec’s account to request a money transfer through the accounting department. It’s ingenious because the accounting department assumes the credentials are valid (because they are).
KnowBe4’s Sjouwerman says one such attack involved the international magazine publisher Bonnier Group and resulted in a money transfer of at least $1.5 million. The hacker used the email of the former CEO, David Freygang, and requested that the transfer remain urgent and confidential. In some ways, this hack plays on fears (not doing what the CEO asks, or the CEO getting in trouble) that are similar to the recent Ashley Madison hack, a dating website for married people looking to have an affair, that retained detailed profiles on its customers.
The frightening stat here, according to the IBM’s X-Force Threat Intelligence Quarterly Q2 2015, is that 25 percent of all cyberattacks involved conning one particular employee. It also bypasses all traditional security measures, such as encryption, firewalls and anti-malware attacks. It’s not even a technical breach, says IBM’s Barlow, because it could be one hacker gaining access by guessing one password for a high-ranking official.
The answer, he says, is in collaboration. Phishing attacks should be categorized, documented and discussed – similar to how hackers use the Dark Web to make their plans and share information. “The ‘good guys’ need this same type of collaboration to stand a chance against them,” he says.