Based on the stereotypes popularized by movies and television shows, many people have accepted the idea that hackers are socially marginalized, tech-savvy loners looking to make quick money or cause chaos from the comfort of their parents' basement. In reality, hacking is treated much more like a formal occupation (complete with salaries, benefits, vacation time and other incentives) by the organized crime syndicates and nation-states that have been behind some of the largest attacks and data breaches of recent years.
Dispelling some of these misconceptions and helping security professionals better understand how cybercriminals think was the focus of a roundtable at Verint's Engage 19 conference last month in Orlando. The panelists were Eric Michaud, CEO and Founder of Rift Recon; Valerie Thomas, Executive Consultant at Securicon; and Joe Luna, Founding Partner at Furtim. Terry Gold, Principal Analyst at D6 Research, moderated the discussion.
According to Luna, one of the biggest problems organizations face today in combating cyber attacks is that they misidentify the threat.
"They think it's the kids in the basement or groups of younger people who are just having fun … they're just wreaking havoc, but there's a big hacking business and there are nation-states, so I think the misunderstanding is just classifying it wrong, to begin with," says Luna. "You're looking in the wrong shadows."
Another common mistake, according to Gold, is that people believe most breaches end up being publicized in the media, which could not be further from the truth.
"Society generally thinks that we hear about most of the attacks that are taking place, because we hear about them every day, but the reality is that there are only a couple of things the law requires to be disclosed, and most of those only require it when PII, personally identifiable information, is involved, which leads to credit cards, banking information and that sort of thing," explains Gold. "All the other things, trade secrets, formulas and information on compromised operations, you are not required to go ahead and report. Maybe as a publicly traded company, if it affects your profits, you may have to make some disclosure in your financial reports to the SEC, but other than that a) most hacks are not discovered and b) most of them are not reported."
And while some attacks require a high level of skill and the ability to chain together a series of tactics to succeed, others can be carried out by beginners. In fact, according to Michaud, ransomware, which has paralyzed the operations of many large organizations and municipalities around the world, is now offered to criminals as a service.
"It's a market, you choose your provider, you choose your SLA … you do not even have to know what you're doing," says Michaud. "You buy bitcoin or one of the privacy-focused cryptocurrencies and they say: 'Okay, you need 1,000 machines and 1,000 IPs.' You send the money and you get a user interface, you get a chat room, you get customer support … they want to make sure you come back."
Bad cyber hygiene
While cyber schemes have grown enormously in sophistication over the years, one of the main reasons so many companies and government agencies continue to be compromised is a lack of good cyber security practices on the part of employees. For example, Luna says his firm has recently seen a substantial increase in business email compromise scams that target the staff of corporate finance departments.
"Essentially, they will target finance people in the organization through phishing, or they will send you a USB drive (infected with malware) with your company logo printed on it and say: 'Hi, we are a flash-drive manufacturer, here is a free sample,' and they plug it in," Luna explains.
In carrying out the attack, the attacker poses as a senior executive in the company, usually the CEO, and tells someone in the accounting department to quickly send money to a new vendor's account or something similar. "For a corporate controller to get on the phone and tell someone to prove who they are, it's simply not in the DNA of some companies," Gold adds.
Physical security vulnerabilities
While much has been written about the vulnerability of video surveillance cameras and other IP-enabled security devices, since cybercriminals have exploited them in the past, the potential consequences of a hacker bypassing or even compromising an organization's physical security infrastructure go well beyond the inconvenience caused by a Distributed Denial of Service (DDoS) attack.
"If we think about this in IT terms, access control systems have administrator rights just as we do in IT. So, if I'm the equivalent of a domain administrator on the physical access control network, I'm the goddess of the physical access network," says Thomas. "The physical access system has only one job: to open the door when it's supposed to, but if I can override that and open any door whenever I want, now we have a problem."
"And once I'm the goddess, I can rearrange those access groups, so if I'm in a particularly evil mood, and I call this my prediction for the new ransomware, I can remove everyone from the access group for the entire building and then evacuate them," continues Thomas. "If you want to talk about a massive disruption, how much would you pay to reopen JFK Airport? No one can get back into the airport without breaking all of their systems. I do not think we have arrived there yet, but that will be the new (trend) in a few years."
So, how can organizations better prepare for the myriad cybersecurity threats their businesses face today? Michaud advises companies to be honest about their limitations when trying to mitigate cyber risks, and to make themselves an attractive place for cybersecurity professionals to work.
"Be extremely open and humble about what you do not know," says Michaud. "Maybe go visit other conferences that are very different just to meet those people and show that you are there, and if you are that progressive person, you can get better people to hire. In general, large companies do not get good hackers because they have very bad work environments, I think. So, if they see that it's amazing to work with you and that you have really great problems to solve, that can be a force multiplier, that's amazing for you."
Thomas adds that companies that invest in technology over people do so at their own risk when it comes to cybersecurity. "Looking for anomalies, installing new tools and updating firewalls is a great thing, but if you are not going to invest the money in the staff and train them to use those tools correctly, so that they can have a good view of the entire organization, you can just give me that money, because it's not doing you any good," Thomas told the crowd.
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at firstname.lastname@example.org.