3 steps to figuring out if your business is secure


By Byron Acohido, Editor-In-Chief

Doing business in the Internet age requires understanding — and becoming personally accountable for — profound security and privacy exposures few folks imagined a mere decade ago.

That lesson was driven home once more when Community Health Systems (CHS), which operates 206 hospitals in the United States, divulged on Aug. 18 that hackers had invaded its network and stolen the personal data of 4.5 million patients.

When I first began to write about cybercrime 10 years ago, cyber attacks like Code Red and MSBlast grabbed mainstream media headlines. Code Red was a self-spreading worm that sought out and infected 225,000 Windows IIS Web servers in half a day and lingered on the Internet for years, breaking into millions of PCs. Another insidious worm, MSBlast, launched a denial of service attack against windowsupdate.com, which included the message, “billy gates why do you make this possible? Stop making money and fix your software!!”

Over the past couple of years, breaches have once again been in the spotlight. The perpetrators are serious-minded criminals, expert at covering their tracks. The public airings are being driven by disclosure laws now in 46 states that require companies to notify individuals when their data gets lost or stolen.

In the case of CHS, we know about the data breach thanks to a federal law. The Health Insurance Portability and Accountability Act (HIPAA) required CHS to file notice of the incident with the U.S. Securities and Exchange Commission. According to a brief SEC filing, the hospital network was breached by an “Advanced Persistent Threat” group, believed to be based in China, using “highly sophisticated malware and technology to attack the company’s systems.”

Law enforcement officials and forensics experts at Mandiant notified CHS about the hack. Mandiant is the cyber investigations house acquired last fall by hacking detection vendor FireEye. Mandiant’s sleuths have flushed out Chinese-backed hackers pilfering data from deep within networks owned by dozens of marquee corporations, including The New York Times, The Wall Street Journal, Google, Adobe, Northrop Grumman, Morgan Stanley and Dow Chemical, as well as numerous small and medium-sized companies and agencies.

Relentless advance

That’s just the tip of the iceberg. Hackers and data thieves continue to advance month after month, year after year. They are experienced, efficient, well-funded and adaptable. They’ve perfected simple, effective social engineering ruses that gain them footholds deep inside company networks. And they intensively probe public-facing websites for stealthy pathways that lead them to valuable databases. Global cybercrime activity saps anywhere from $300 billion to $1 trillion, or 0.4% to 1.4% of global GDP, according to various estimates summarized well in McAfee’s 2013 report on the economic impact of cybercrime and cyber espionage.

Hackers leave no stone unturned. They’ve begun systematically cracking into computer networks once thought innocuous, such as point-of-sale (POS) or checkout systems. That’s how Target, Neiman Marcus, and other retailers have lost tens of millions of customer transaction records. Stolen data and hijacked processing power fuel underground forums that run as efficiently as eBay and Amazon, where criminals buy and sell tools and services that enable them to carry out lucrative cyber scams.

Data thieves have begun to accelerate attacks against Web-hosting data centers, according to Cisco’s 2014 Annual Security Report. Why Web-hosting centers? Because cracking into a hosting center is like busting into a candy store. The servers running in such facilities are the hubs for the websites of thousands of small and medium-sized companies. Cisco reports that hackers are able to proliferate such attacks “across legions of individual assets served by these resources.”

A three-step guide

So it comes down to this: The burden to assess risk and fortify security falls on each individual — every worker, owner, manager, executive — and, perhaps most importantly, the chief executive. Everyone needs to appreciate these new risks, which aren’t going to dissipate anytime soon, especially CEOs responsible for setting priorities. Though the challenge is daunting, the solution need not be. Here are three fundamental questions that can help you begin to become security savvy.

  1. Do you know your data? Any intruder who cracks into your organization’s network will quickly assemble a detailed accounting of where the valuable data is stored and who has access to it. Stealthily exfiltrating data over extended periods is a well-established, continually evolving craft. It is vital to know what you’ve got and how it is being protected. That should lead to an ongoing dialogue about keeping up with best security and privacy practices.
  2. Do you understand your employees? Humans are enterprising and collaborative, which makes them susceptible to trickery. Getting smart, busy workers to click on a tainted web link or a corrupted web page, or insert a corrupted USB key or DVD into a machine inside your firewall, has become an art form. And humans can be greedy and vindictive, posing a major insider threat. It is important for all employees to fully grasp what constitutes unacceptable behavior, and monitoring tools and policies can both support productivity and cover the gaps. Companies like Coca-Cola, Netflix and Mattel have figured out how to do this.
  3. Can you vouch for all of your partners? In the name of efficiency, smart systems now routinely integrate access and control of fire and police alarm and environmental monitoring systems. As part of this shift, software makers, contractors and other third parties are routinely given high-level access to company networks. Hackers know this and are taking advantage. Limiting and monitoring partner access can be done in smart ways.
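Questions 1 and 3 above both reduce to the same exercise: keep an inventory of where sensitive data lives, record who (employee or partner) holds a grant to it, and compare that record against what actually happens on the network. The following Python script is an added example, written for this page and not code from the author, ThirdCertainty or IDT911. The datasets, grants and log lines are constructed sample data, and the rules it applies (partner grants must expire, partners should not hold grants to high-sensitivity data, every access must be backed by an unexpired grant) are assumptions chosen to illustrate the questions, not a standard.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed inventory (illustrative, not real data): dataset -> sensitivity.
DATASETS = {
    "patient_records": "high",
    "billing_db": "high",
    "facility_hvac": "low",
    "marketing_site": "low",
}


@dataclass(frozen=True)
class Grant:
    principal: str
    kind: str                 # "employee" or "partner"
    dataset: str
    expires: Optional[date]   # partner grants are expected to carry an expiry


# Constructed access grants. Several are deliberately questionable so the
# review below has something to find.
GRANTS = [
    Grant("alice", "employee", "patient_records", None),
    Grant("bob", "employee", "billing_db", None),
    Grant("hvac-vendor", "partner", "facility_hvac", date(2014, 12, 31)),
    Grant("hvac-vendor", "partner", "billing_db", date(2014, 12, 31)),   # over-broad
    Grant("web-agency", "partner", "marketing_site", None),               # no expiry
    Grant("old-contractor", "partner", "patient_records", date(2013, 6, 30)),  # expired
]

# Constructed access log lines: "<ISO timestamp> <principal> <dataset>".
ACCESS_LOG = [
    "2014-08-18T09:12:03 alice patient_records",
    "2014-08-18T09:15:41 hvac-vendor facility_hvac",
    "2014-08-18T02:47:10 hvac-vendor billing_db",
    "2014-08-18T03:05:22 old-contractor patient_records",
    "2014-08-18T10:30:00 web-agency patient_records",
]


def who_can_reach(datasets, grants, sensitivity="high"):
    """Question 1: for each dataset at the given sensitivity, who holds a grant."""
    reach = {name: set() for name, level in datasets.items() if level == sensitivity}
    for g in grants:
        if g.dataset in reach:
            reach[g.dataset].add(g.principal)
    return {name: sorted(people) for name, people in reach.items()}


def review_grants(datasets, grants, today):
    """Question 3: flag grants that violate the (assumed) partner-access rules."""
    findings = []
    for g in grants:
        if g.expires is not None and g.expires < today:
            findings.append(("expired-grant", g.principal, g.dataset))
        if g.kind == "partner":
            if g.expires is None:
                findings.append(("partner-no-expiry", g.principal, g.dataset))
            if datasets.get(g.dataset) == "high":
                findings.append(("partner-high-sensitivity", g.principal, g.dataset))
    return findings


def grant_status(grants, principal, dataset, when):
    """'active' if any grant for (principal, dataset) is unexpired on `when`."""
    matches = [g for g in grants if g.principal == principal and g.dataset == dataset]
    if not matches:
        return "no-grant"
    if any(g.expires is None or g.expires >= when for g in matches):
        return "active"
    return "expired-grant"


def flag_log(log_lines, grants):
    """Monitoring: return log entries not backed by a grant active at that time."""
    flagged = []
    for line in log_lines:
        ts, principal, dataset = line.split()
        when = datetime.fromisoformat(ts).date()
        status = grant_status(grants, principal, dataset, when)
        if status != "active":
            flagged.append((principal, dataset, status))
    return flagged


if __name__ == "__main__":
    today = date(2014, 8, 18)
    print("Who can reach high-sensitivity data:", who_can_reach(DATASETS, GRANTS))
    print("Grant review findings:", review_grants(DATASETS, GRANTS, today))
    print("Unbacked accesses in log:", flag_log(ACCESS_LOG, GRANTS))
```

Note that the hvac-vendor read of billing_db is not flagged by the log check, because a grant for it exists; it is caught by the grant review instead. That split is deliberate: monitoring tells you when access exceeds what was granted, while the periodic grant review is what tells you whether what was granted was ever appropriate.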

A comprehensive understanding of your company’s digital assets, and everyone who can reach those assets, is the starting point for developing effective security practices and policies and for making smarter security investments. The good news, if you run a company and are seriously weighing these questions, is that there is an expansive community of security vendors and consultants available to help. Full disclosure: IDT 911, which sponsors ThirdCertainty’s news and analysis, is one such source. For detailed guidance on approaches and strategies to operating more securely and efficiently, contact experts at IDT911.