3 steps to figuring out if your business is secure
By Byron Acohido, Editor-In-Chief
Doing business in the Internet age requires understanding — and becoming personally accountable for — profound security and privacy exposures few folks imagined a mere decade ago.
That lesson was driven home once more when Community Health Systems (CHS), which operates 206 hospitals in the United States, divulged on Aug. 18 that hackers had invaded its network and stolen the personal data of 4.5 million patients.
When I first began to write about cybercrime 10 years ago, cyber attacks like Code Red and MSBlast grabbed mainstream media headlines. Code Red was a self-spreading worm that sought out and infected 225,000 Windows IIS Web servers in half a day and lingered on the Internet for years, breaking into millions of PCs. Another insidious worm, MSBlast, launched a denial of service attack against windowsupdate.com, which included the message, “billy gates why do you make this possible? Stop making money and fix your software!!”
Over the past couple of years, breaches have once again been in the spotlight. The perpetrators are serious-minded criminals, expert at covering their tracks. The public airings are being driven by disclosure laws now in 46 states that require companies to notify individuals when their data gets lost or stolen.
In the case of CHS, we know about the data breach thanks to a federal law. The Health Insurance Portability and Accountability Act (HIPAA) required CHS to file notice of the incident with the U.S. Securities and Exchange Commission. According to a brief SEC filing, the hospital network was breached by an “Advanced Persistent Threat” group, believed to be based in China, using “highly sophisticated malware and technology to attack the company’s systems.”
Law enforcement officials and forensics experts at Mandiant notified CHS about the hack. Mandiant is the cyber investigations house acquired last fall by hacking detection vendor FireEye. Mandiant’s sleuths have flushed out Chinese-backed hackers pilfering data from deep within networks owned by dozens of marquee corporations, including The New York Times, The Wall Street Journal, Google, Adobe, Northrop Grumman, Morgan Stanley and Dow Chemical, as well as numerous small and medium-sized companies and agencies.
That’s just the tip of the iceberg. Hackers and data thieves continue to advance month after month, year after year. They are experienced, efficient, well-funded and adaptable. They’ve perfected simple, effective social engineering ruses that gain them footholds deep inside company networks. And they intensively probe public-facing websites for stealthy pathways that lead them to valuable databases. Global cybercrime activity saps anywhere from $300 billion to $1 trillion, or 0.4% to 1.4% of global GDP, according to various estimates summarized well in McAfee’s 2013 report on the economic impact of cybercrime and cyber espionage.
Hackers leave no stone unturned. They’ve begun systematically cracking into computer networks once thought innocuous, such as point-of-sale (POS) or checkout systems. That’s how Target, Neiman Marcus, and other retailers have lost tens of millions of customer transaction records. Stolen data and hijacked processing power fuel underground forums that run as efficiently as eBay and Amazon, where criminals buy and sell tools and services that enable them to carry out lucrative cyber scams.
Data thieves have begun to accelerate attacks against Web-hosting data centers, according to Cisco’s 2014 Annual Security Report. Why Web-hosting centers? Because cracking into a hosting center is like busting into a candy store. The servers running in such facilities are the hubs for the websites of thousands of small and medium-sized companies. Cisco reports that hackers are able to proliferate such attacks “across legions of individual assets served by these resources.”
A three-step guide
So it comes down to this: The burden to assess risk and fortify security falls on each individual—every worker, owner, manager, executive — and, perhaps most importantly, the chief executive. Everyone needs to appreciate these new risks, which aren’t going to dissipate anytime soon, especially CEOs responsible for setting priorities. Though the challenge is daunting, the solution need not be. Here are three fundamental questions that can help you begin to become security savvy.
- Do you know your data? Any intruder who cracks into your organization’s network will quickly assemble a detailed accounting of where the valuable data is stored and who has access to it. Stealthily exfiltrating data over extended periods is a well-established, continually evolving craft. It is vital to know what you’ve got and how it is being protected. That should lead to an ongoing dialogue about keeping up with best security and privacy practices.
- Do you understand your employees? Humans are enterprising and collaborative, which makes them susceptible to trickery. Getting smart, busy workers to click on a tainted web link or a corrupted web page, or insert a corrupted USB key or DVD into a machine inside your firewall, has become an art form. And humans can be greedy and vindictive, posing a major insider threat. It is important for all employees to fully grasp what constitutes unacceptable behavior, and monitoring tools and policies can both support productivity and cover the gaps. Companies like Coca-Cola, Netflix and Mattel have figured out how to do this.
- Can you vouch for all of your partners? In the name of efficiency, smart systems now routinely integrate access and control of fire and police alarm and environmental monitoring systems. As part of this shift, software makers, contractors and other third parties are routinely given high-level access to company networks. Hackers know this and are taking advantage. Limiting and monitoring partner access can be done in smart ways.
A comprehensive understanding of your company’s digital assets, and everyone who can reach those assets, is the starting point for developing effective security practices and policies and for making smarter security investments. The good news, if you run a company and are seriously weighing these questions, is that there is an expansive community of security vendors and consultants available to help. Full disclosure: IDT911, which sponsors ThirdCertainty’s news and analysis, is one such source. For detailed guidance on approaches and strategies to operating more securely and efficiently, contact experts at IDT911.