By Paul A. Ferrillo & Dr. Christophe Veltsos
Hi. We are back. We had hoped to delay this update at least one more year, but that turned out not to be possible as, early on in 2016, the ransomware plague affected large swaths of corporate America and the healthcare system. And things have gotten uglier over the past few months.
Companies and organizations of great notoriety suffered cyber attacks, like the recent hacks of the Democratic National Committee (DNC),(1) the alleged hack on The New York Times by unknown sources, and very powerful distributed denial of service attacks against the website of famed blogger, Brian Krebs; a French media company called OVH; and a top-level domain name server company called Dyn.(2)
There have been point of sale (POS) hacks we definitely know about and hacks where we still don’t really know the full story.(3) All these hacks and attacks make us wonder exactly how far we have come in the race for cybersecurity.
We continue to play “whack-a-mole” with cyber attackers. According to a headline summing up one expert’s view, “cybercrime will cost the world in excess of $6 trillion annually by the year 2021.”(4) This is up from $3 trillion in 2015. We can honestly say that while many organizations have made incremental (and, for some, major) progress, most have not. Many have done nothing helpful, refusing to admit they may be a target or maintaining that information security efforts are not in the budget. One step forward; two steps back.
And so we are back for a “pep talk,” and to bring some solid good news on the advanced fronts of cybersecurity, especially as it relates to the future efforts involving artificial intelligence and machine learning.
As 2016 has shown, every organization, no matter its size or the industry it’s in, is likely just a breach away from disaster.(5) This is due to many factors, including decades of relegating information security to “just an IT (Information Technology) issue.” In the process, organizations and their leaders created an environment where technologists were in charge of making risk decisions, and business units — tired of being told, “No, you can’t do this for security reasons!” — simply sought out ways to bypass the internal IT and security functions. Furthermore, budgets for IT, in most cases, never seem to comport with the actual needs of the IT department to keep pace with the cybersecurity ecosystem in which we live.
The good news is this trend is now actively being remedied by elevating the importance and the voice of those who report on and manage cybersecurity. But these changes take time, time that your organization may not have. While the purpose of this book isn’t to spell out the doom-and-gloom of all possible disaster scenarios that may hit your organization, it is important for readers to be cognizant, if not convinced, of the reality of the situation, and the many threats organizations face in this cyber domain. So what other cyber issues contribute to the precarious state of cybersecurity? Here is a partial, non-exhaustive list:
Your organization is facing a multitude of potential attackers whose motives are as varied as there are types of weeds. Some attackers might be after you to make a quick buck; some might be disgruntled employees or former employees looking to make a statement or take revenge for a perceived wrong;(6) some might be working for nation-states, looking to infiltrate your networks and steal sensitive email traffic or intellectual property,(7) or ruin decades of research; some might be looking to sabotage your systems because of what you stand for,(8) or because of how popular you’ve become. Possible motives are nearly endless, as is the patience of the most determined attackers who wait like a hunter for their prey to let down its guard.
Your organization is a hodgepodge of technologies: some dating back decades, some adopted more recently, and both potentially insecure — either insecure right out of the box or due to the number of changes to their specifications or configuration.(9)
Your organization is rapidly adopting new technologies — since failure to do so gives your competitors an edge — without properly addressing associated cyber risks in a systematic way and at appropriate levels. The advent of the Internet of Things (“IoT”), for example, means that even if your primary business function has nothing to do with technology, your organization has been or will soon be invaded by a multitude of IoT devices, including refrigerators, “smart” TVs, coffeemakers, air quality sensors, and light-control switches. Each of these devices could be the one an attacker uses to get in, or stay in, and commence an attack.(10)
Your organization has likely suffered one or more episodes of ransomware — malware that takes over one or more of your systems, encrypts the data, and holds it for ransom. This is no laughing matter. It has happened to hospitals, police stations, schools, universities and even county government offices. In many cases, paying the ransom was the victim’s only recourse for getting back their own data.(11)
Your organization’s cybersecurity function is likely understaffed, partly due to the tight labor market, top-of-the-scale salaries, and an abundance of opportunities for those willing to jump ship. It’s also likely underfunded, especially if the security function in your organization is still housed under the IT umbrella. And it is probably under-represented and under-estimated, as only the more mature organizations have elevated the function of Chief Information Security Officer (CISO) to report directly to the CEO or, in some cases, to the Board of Directors.
Your organization’s staff is likely ill-informed and ill-prepared to deal with the onslaught of phishing attacks it is facing — attacks that exploit the human element in your organization. This issue isn’t limited to low-level staff. Executives, given their important role in the organization, are juicy targets for an attacker, a fact giving rise to the terms “whaling,” which describes phishing attacks targeting the very top leadership, and “spear phishing campaigns,” which target specific personnel with near-surgical precision — obviously requiring many hours of research about the targets. These attacks may seek personally identifiable information held by the organization, spread ransomware on your network, or, worse, steal secret plans or IP that you don’t want a third party to have access to.(12) Of course, your response should be security awareness training, but how effective is that training? How often are you doing the training? Is there a metric that you are measuring, tracking, correlating with observations on the ground, and carefully improving upon every year, or are you like the thousands of businesses taking a one-size-fits-all approach to security awareness and requiring your employees to attend a mind-numbing, hourlong presentation or webcast?
Judging by the amount of news coverage of data breaches, attackers are quite resourceful, and obviously quite successful, regardless of their sophistication or age. The Dyn attack proved this point. But this isn’t a book about data breaches. And there are so many data breaches that even the websites of data breach consultants and remediation firms (or the people who operate them) get breached or attacked.(13)
You have likely heard the expression before: it’s not a matter of IF; it’s a matter of WHEN. Are you ready? Are you and your organization doing what you can to understand the risks to your continued success, and can you adequately handle those risks?
Some of you might still be thinking, “But who would want to attack ME? I don’t have much of value to would-be attackers, do I?” Or the most common refrain: “Oh, I am not a target.” The reality of who has been attacked over the past decade speaks for itself. Obviously major banks and financial institutions have been attacked, usually by attackers looking for a quick buck. The defense industrial base has been attacked, since it is rich with plans for the latest jet fighter, submarine, or next-gen weapons. The federal government has been attacked, including the Internal Revenue Service (“IRS”) and the Office of Personnel Management (“OPM”) in breaches that exposed millions of records of the people with some of the highest clearances. Critical infrastructure companies have been attacked,(14) and such attacks pose a grave threat to our very way of life and to the water, electricity, oil, and gas that power our nation. Stock markets have been attacked in attempts to disrupt our economic engine and the foundations of our way of life.
But beyond what most would consider juicy targets, thousands of other businesses in the U.S. and beyond have been attacked. Healthcare providers have been attacked, given the treasure-trove of data on their patients and the patrons who pay the bills. Movie companies and game-makers have been attacked, often because of what they stand for or how they go about their business. Universities and colleges have been attacked, as they can be a one-stop-shop for those looking to steal the identities of the bright minds that are our future generations. The hospitality industry has found itself in inhospitable waters, with tens or hundreds of hotels, restaurants, and tour operators finding their systems and networks infiltrated with credit card skimming software. Retailers, from the mega-box stores down to the mom-and-pop shops, have suffered from attacks against their networks and the Point-of-Sale (PoS) systems where our credit cards go “cha-ching” with every purchase.