Growing sophistication of cyber attacks requires defense and employee training

By Robin Roenker

shutterstock_287395955

Details of cybersecurity breaches across government, education and industry sectors made headlines – repeatedly – over the past year, with no signs of slowing down. Yet despite the frequent incidence, 66 percent of companies report they are unprepared for a major cybersecurity attack, according to a national survey released in November by the Ponemon Institute.

Last February, hackers breached the U.S. Department of Justice’s database, releasing personal information on 10,000 Department of Homeland security employees and 20,000 FBI employees. That same month, the IRS announced that a 2015 breach compromised the information of some 700,000 American taxpayers, while the University of California-Berkeley revealed a records breach affecting 80,000 students, alumni and employees.

In October, Yahoo reported that a breach believed to have occurred in 2014 affected as many as 500 million user accounts – one of the largest such breaches to date. On Oct. 21, cyber attackers took down the internet for a large swath of the Eastern United States for most of the day, using a malware virus known as Mirai that attacks vulnerable internet-connected devices such as web cameras, DVRs and routers.

As these high-profile cases make clear, today’s cyber attackers are highly sophisticated.

“These attacks just keep happening over and over again. Businesses are very anxious, and even fearful,” said Scott Logan, technical director of security for NetGain Technologies Inc., Kentucky’s largest managed IT firm with offices in Lexington, Louisville and out of state. “Many of these attacks could not only force you to lose information, but they could also ruin your brand. If you’re a bank and you become breached, how do you assure your customers that you’re going to be able to protect their money?”

The bottom line is simple.

“Companies are going to need to invest in more technology to protect them from security threats,” said Brendan Jacobson, co-founder of NetGain Technologies. “It is just going to get worse.”

It’s not necessarily that the attack tools are getting smarter; it’s the manner in which they are being used. Malicious players don’t even have to be highly tech savvy, said Cody Shackelford, systems engineer with Data Strategy, which acquired Louisville-based boice.net this year.

Basic malware or ransomware packages are readily available on the black market or dark web, he said. Attackers today are succeeding by researching a target company or agency to determine a weak link – for example, a “socially engineered” phishing campaign with an email that looks like it came from and is written in the style of a regular communication partner, perhaps even a coworker.

Organizations can achieve very high levels of protection, though, by employing multiple levels of defense that screen all incoming digital traffic, that restrict anything that does get through to an individual work station, and especially that train workers in best practices for handling data, Shackelford said.

Cybersecurity best practices

Kentucky cybersecurity experts agree: The worst possible response to the increasing threat of cyberattack is to assume you’re not at risk.

“For a long time, small businesses just didn’t feel like they were a big enough player to be worried about threats,” Logan said. “Their mindset was, ‘I’m not Chase Bank or Anthem (Blue Cross Blue Shield),’ and they believed they didn’t have to worry about an attack. But now even small businesses have begun to realize that hackers are increasingly targeting smaller entities, on the assumption that they may be less secure and therefore easier targets.”

To shore up their defense against attack, businesses should first work with their IT or information security team to do a comprehensive risk assessment, Logan said.

“We often see new clients who simply don’t know what their vulnerability to an attack is, because they’ve never had a risk assessment done,” he said.

Gui Cozzi, director of the security consulting group at SDGblue, an information security and IT managed service company based in Lexington, agreed. Conducting a risk assessment is not only a crucial first step in identifying where a business’s cyber weaknesses may lie, but also in “understanding what its risk appetite is,” Cozzi said – in other words, how much, or how little, risk of attack the company is comfortable with. Understanding that threshold is essential in determining “an appropriate response in terms of investment.”

Unfortunately, there is no single, one-size-fits-all approach to cyber safety.

“Some organizations have been told that if they buy a specific product, that it will be a magical solution to all their cybersecurity needs,” Cozzi said. “But that single silver bullet doesn’t exist. You have to apply sound principals, and you have to have a security program that’s layered.”

“I think the biggest trend is that folks are seeing that the way they have been doing security is not comprehensive enough,” said Todd Hamill, an account manager in the Lexington, Ky. office of Integration Partners, a Massachusetts-based IT firm. “Security issues reach across multiple aspects of the organization. It’s not just an IT issue. Security has to be viewed holistically.”

And while each firm’s cybersecurity approach will be specific to its own unique needs, experts did offer these general rules to consider.

Ensure baseline security is up-to-date. This includes use of anti-virus software; patching on servers, work stations and routers; implementing a sound backup system; use of firewalls; and “a layered security approach, where there’s multiple points to protect you,” said Joe Danaher, vice president of operations for Integrity IT, a Lexington-based IT and internet security firm.

If your current firewall system is more than five years old, consider investing in a newer one. New models include state-of-the-art intrusion detection prevention systems (IDPS) built in, which can help identify security threats at the perimeter, before they reach the network, Logan said.

Install end-point protections. In the past, “end points” (i.e., individual employee computer stations) typically received only a simple anti-virus install, Logan said. In today’s threat climate, that’s not enough.

“They need to have their own intrusion prevention system at that end point so that if it becomes infected, it can’t spread throughout the network,” Logan said. “There are also controls like application control, which can prevent applications that are not business applications from running on a business model PC. There’s device control, which would restrict the user from, say, sticking in a USB stick and downloading a virus. There are a lot more end-point protections that you can employ now than ever before.”

Update data routinely, locally and off-site. “Because the threats have increased so much, it’s important that you have a good, secure backup,” said Danaher. “Usually what you do, is a full back-up daily and then incrementals timed throughout the day, based on how much data you can stand to lose. Most customers still do an onsite backup, and it’s very important for disaster recovery to have an off-site backup as well,” he said.

Phishing emails can spread ransomware. In years past, bogus phishing emails were easy to spot. Not so today. Hackers have gotten increasingly sophisticated at mimicking the look of real emails from businesses – say a bank or credit card company – you routinely interact with. But if an employee clicks on an email containing malware at their work desk, without the proper safety in place, a virus can be unleashed on their company’s entire network system.

Ransomware – in which the hacker encrypts all your computer files and only provides the decryption key at a set ransom price – is on the rise, say experts.

“We’ve seen people pay that ransom. It can be very devastating,” Danaher said. “And it’s not just a new threat every couple of months. We’re seeing new threats and new variations on these viruses every day.”

“Phishing and spear-phishing [an email spoofing attack that targets a specific individual] continue to be the biggest threat we’re seeing,” said Greg Garcia, executive vice president of the Washington, D.C.-based Signal Group, who served as the nation’s first assistant secretary for cybersecurity under President George W. Bush from 2006-08. 

Understand risks associated with IoT

At the invitation of the Technology Association of Louisville Kentucky (TALK), Garcia spoke in Kentucky this past summer on cybersecurity and the Internet of Things, a broad term for the rise of interconnected devices, from smart phones and home security systems to manufacturing stations and self-driving cars.

While increased device interconnectivity can lead to convenience and even better productivity in manufacturing, logistics and other sectors, it can also lead to increased cyber risk. The widespread Oct. 21 Mirai attack was just one example of what’s possible as hackers manipulate weak internal security in certain interconnected online devices – including webcams,  DVRs, routers and more – to turn them into “bots” in a targeted denial-of-service attack.

“Every device that has an IP address, an internet protocol address, is in fact visible on the internet and vulnerable,” Garcia said.

In some cases, the default password for these connected devices cannot be changed and is publicly available online. Hackers use this readily available information to control the devices to do their bidding, essentially. Key takeaway: If possible, always change from the default password on any device after installing it, experts urge.

Invest in employee training

“You can spend a large portion of your company’s budget on security technology, and it can be made instantly ineffective by someone getting access to the environment through social engineering,” said Patrick Zanella, security practice lead with Lexington, Mass.-based Integration Partners.

In “social engineering” breaches, attackers email or call an employee or call into a call center and name-drop to sound as if their request for sensitive company information is legitimate.

“The end user (employee) is consistently the weakest link in the security chain,” Logan agreed. “And it’s simply because of this: End users are inherently designed and conditioned to help. They’re in a workplace where they are questioned about information they may or may not know, and they try to provide an answer.”

In March, for example, personal information for 700 current and former Snapchat employees was stolen when hackers posed as Snapchat CEO Evan Spiegel and tricked an employee into emailing them employee payroll data.

As noted, other breaches can occur when employees fail to identify a phishing email; therefore constant employee training on identifying such scams is essential, said Danaher.

And, of course, employees should be trained on basic safety protocols including never using the same email and password for private social media accounts and work accounts, Cozzi said.

Have strong protocols in place

Experts admit it’s impossible to calculate how cyber threats will continue to evolve, since new iterations come along so fast. (On average, 300,000 to 400,000 new malware files are uploaded on a daily basis, Zanella said.) That’s why developing a sound, holistic cyber security strategy is key.

“It’s really hard to predict what’s going to come,” Cozzi said. “Regardless of what’s going to be the newest ransomware, or the newest threat, what’s most important is just that businesses follow sound principles. The goal is really to make it more difficult for the cyber criminals to get to you, so that they go knocking on the next door.”

Zanella agreed.

“Rather than going after the shiny new (cybersecurity) product, it’s best to have a security framework in mind with a three- to five-year roadmap,” he said. “The mindset should be, ‘Here’s where we are today, and here’s where we want to be in five years.’ ”


More funding for public oversight

With the influx of threats poised to continue, attention has turned toward the need for additional cybersecurity funding both at the federal and state level.

“It’s very ironic that cybersecurity breaches are at the top of the totem pole for concerns, but at the bottom when it comes to funding and for action, frankly,” said Brian Fox, senior account executive at Level 3 Communications in Lexington.

Lobbyists and cybersecurity advocates are hoping to change that divide. Fox points to ongoing conversations in Washington aimed at finding funding to “react to the cyberwarfare that is going on. There is even a consortium that is looking to appropriate a tax to handle cyber warfare at the state and local level,” he said.

Talks in Washington also center on how to best prevent cyber vulnerability within the nation’s most targeted sectors, from transportation and energy to commerce, banking and healthcare.

One complicating factor in developing federal regulations to lessen IoT device breach susceptibility, for example, is that cybersecurity is an issue that spans multiple sectors – and therefore, multiple government agencies, from the Department of Homeland Security to the National Telecommunications and Information Administration within the Department of Commerce. Increasingly, these agencies have begun dialogues with one another and with industry to work toward developing a system of cybersecurity principles, Garcia said. (On Nov. 15, DHS released a set of “Strategic Principles for Securing the Internet of Things (IoT), Version 1.0,” which can be found online at dhs.gov/securingtheIoT.)

“The government knows what it doesn’t know (when it comes to cybersecurity),” Garcia said. “And that’s a good thing. They understand that there are more complexities here than regulation would be able to anticipate and solve. So this is going to have to be an iteractive process between industry and government, and not just between one sector at a time.

“You can talk about self-driving automobiles, but when you’re doing that, you’re also dealing with other suppliers and service providers in the value-chain of self-driving automobiles. You’ve got the telecom carriers and the components manufacturers and so on,” Garcia said. “That’s the challenge: to develop a comprehensive approach to cybersecurity across the IoT ecosystem.”

Training the next generation

Another challenge facing cybersafety advisors is the scarcity of trained cybersecurity workers nationally. An online Cybersecurity Supply/Demand Heat Map (cyberseek.org/heatmap.html) illustrates this scarcity on a state-by-state basis. It reports that there are currently more than 348,000 cybersecurity job openings across the nation.

Addressing the cybersecurity workforce shortage in Kentucky has required a hands-on approach.

Dawn Yankeelov, president of ASPectx and executive director/CEO of Technology Association of Louisville Kentucky (TALK), is currently in talks with the Kentucky Department of Education to incorporate cybersecurity training as an optional career track within 9th- to 12th-grade curricula.

The ready-made curriculum, developed by NICERC (National Integrated Cyber Education Research Center), would be free for teachers to implement if it is approved, Yankeelov said.

“There is a huge gap in the ability to fill cybersecurity-related jobs,” Yankeelov said. “And there is more than a 50 percent increase every year in the number of jobs available. At TALK we’re trying to show companies that it’s not just your problem that you can’t find (cybersecurity) workers. It’s a nationwide problem, and it’s not going to go away.”

In Lexington, SDGblue hired Brad Yaun as a talent ambassador 18 months ago, and as such, it’s his job to promote the need for cybersecurity workers across the state. Yaun has worked closely with the University of Kentucky’s computer science and information communications technology programs as well as Eastern Kentucky University’s criminal justice and computer science departments, for example, to help develop relationships between students interested in cybersecurity and area firms – like SDGblue – who need them.

“For companies looking to hire talent, they have to move away from the mentality of the 2008 crisis, where there were a lot of people who needed jobs, and they didn’t have to try very hard. That’s not where we’re at in 2016. It’s the total opposite,” Yaun said. “You have to move to the realization that, today, there are not enough workers for everyone. So what are we going to do to attract the best?”

Students studying cybersecurity through Northern Kentucky University’s information technology degree track or its business informatics degree track have no trouble finding jobs upon graduation, said Dr. James Walden, director of NKU’s Center for Information Security, which launched in 2014.

In their cybersecurity coursework at NKU, students learn to set up firewalls, VPNs (virtual private networks) and intrusion detection systems, among other skills. In computer forensics courses, students must investigate the memory of a compromised network system in order to determine what went wrong, Walden said. During their capstone class, many students conduct security assessments for area businesses. Some have even reverse-engineered malware.

“The students get a ridiculous number of job interviews when they finish,” Walden said. “It’s a great time to get into the cybersecurity field.”


Robin Roenker is a correspondent for The Lane Report. She can be reached at [email protected]

Please wait...

Subscribe to the FASTER LANE business newsletter.

Subscribe and receive breaking Kentucky business news and updates daily.