How companies can defeat modern-day hackers
Find out who the hackers are, what they want, and how your company can prevent the next cyberattack that could cost you billions.
The recent data breaches and cyberheists across the world unmasked one of the scariest enemies of private and public entities alike: cyber criminals. And if the progression of the recent attacks is anything to go by, we can only expect these perpetrators to become even more sophisticated and aggressive over time. This was one of the topics discussed at the 2017 Netevents Global Press & Analyst Summit in San Jose, California, held on September 27 to 29.
In one of the keynote sessions, MK Palmore, information security risk management executive at the Federal Bureau of Investigation San Francisco, said the most prolific computer network intrusion activities throughout the world are those motivated by financial concerns. He said the attackers who do it with almost 100% anonymity are “mostly self-taught males aged 14-32 years old who have access to the dark web and to a limitless amount of information.”
What’s more alarming is the fact that these attackers, particularly in the financial sector, all know each other. Ronald Layton, deputy assistant director at the US Secret Service, said, “They all are collaborative, they all use Russian as a communications modality.” He added that the technological sophistication and capability of threat actors have increased. “The toolsets that you see today that are widely available would have been highly classified 20 years ago. Sophistication has gone up exponentially,” he said.
So with these threats looming, how can companies prevent the attacks? Michael Levin, former deputy director of the US Department of Homeland Security, said it all boils down to the basics of security. “We’re hiring new people and putting them in important roles, but we’re not telling them what they can and cannot do. Many organisations do not want to take the time to educate their people. It’s about time that every institution starts figuring out a way to educate people to protect themselves,” he added.
Layton concurred and said organisations pay a lot of attention to what the ‘bad guys’ will use to further their own illicit gain without checking if proper internal barriers are in place. “Convenience is the new nicotine, and the new caffeine is curiosity. When you look at the analysis and the pathology of how malware gets on a system, you’re going to find that the major percentage comes from clicking on an email attachment. Human factors and the psychology of cyber is something we must pay attention to. One way to counter this is through cyberhygiene,” he noted.
This message, whilst simplistic, is not being followed by businesses. “When you go through information security training, there are basics you are taught about protecting systems. We always find that there’s some gap in coverage in security that boils down to the fundamental issue of security protection. We’re talking about simple things such as patch management, audit and log management, security and vulnerability assessments, or buy-in from leadership and management,” Palmore said.
Enterprises can do three things to up their game against cybercriminals, according to Palmore. First, there has to be a commitment from the leadership to invest in cybersecurity. Second, they have to practice the information security fundamentals, and lastly, they have to engage in information sharing. “As a business, you do not see the entire cyber threat landscape. You have to plug yourself into an intelligence apparatus,” he added.
In the private sector, Levin said the concept of encryption is an important piece of the puzzle. “One of the things we see all the time is people send emails with very sensitive information. This is why we are seeing more organisations encrypting their emails. So as the crooks get more sophisticated, the private sector needs to be more sophisticated,” Levin said.
He added that it is equally important for firms to establish a practice that creates a sense of community for security. “If you can create that sense within the organisation, you’ll see a better result,” he said.
MK Palmore, Dr Ronald Layton, and Michael Levin spoke at the Opening Keynote Session