University of Pittsburgh

April 16, 2015

Individuals are key in computer security

Computer security often is a social problem, not a technological problem, a noted hacking expert told listeners at a recent cybersecurity symposium on campus.

David Kennedy

“What we’re facing right now doesn’t touch our firewalls, doesn’t touch our intrusion protection systems, it doesn’t touch how hackers break in on a traditional basis,” said David Kennedy, founder of Cleveland-based security firm TrustedSec, in his keynote address at an April 7 Computing Services and Systems Development conference in the William Pitt Union.

Instead, attacks focus on individuals, who often are duped by clicking nefarious links they receive in legitimate-looking emails.

“If you can detect a phishing scam you can save your company a ton of money,” said Kennedy, who offered several examples of how social engineering can trick users into opening cyberdoors for computer criminals.

*

Cyberattacks aren’t likely to end anytime soon because they’re lucrative, Kennedy said. Citing high-profile breaches at such firms as Kmart, Target, Jimmy John’s, Anthem and Sony, he noted that millions of people have been affected. “We’re all experiencing these threats based on how we use technology on a regular basis,” Kennedy said.

“You can pretty much break into anything you possibly can imagine,” he added, noting that even high-tech toilets are vulnerable to hacker attacks that can make them spray water at random and open and close on their own.

There’s tons of money to be made in cybercrime. “It’s better right now to be a hacker than it is to be a drug dealer,” Kennedy said, noting that cybercrime is estimated to bring in $400 billion-$575 billion annually, surpassing the estimated $400 billion-$500 billion in illegal drug sales.

The well-known Cryptolocker malware, which encrypts a victim’s files for ransom, has raised some $400 million.

Theft of personally identifiable information is a long-term threat that’s more insidious than a stolen credit card number. The inconvenience of getting a new credit card issued and having fraudulent charges reversed is a pain, he acknowledged. “But think about your identity. Your identity can be used right now fraudulently, or it can be used 10 years down the road fraudulently. You don’t know.”

When personally identifiable information such as a Social Security number, birthdate and salary information is taken, “it has a resonating impact for years and years and years to come. And it’s really hard to trace.”

The highly publicized attack on Sony represents a new wrinkle: hackers’ desire to destroy data. Hackers, reportedly backed by North Korea, used an email attack that targeted an individual to get past the company’s security, then proceeded to learn how Sony’s systems worked. “They went in to destroy this company,” Kennedy said.

“Once they got the information they needed, they took down about 80 percent of (Sony’s) entire IT infrastructure: They couldn’t even send emails out.”

Such attacks, launched by competitors, government organizations or organized crime, are a growing threat, he said.

Among the biggest concerns are state-sponsored attacks, many of which are for military preparedness or to obtain intellectual property for the benefit of that government.

Top players include the United States, Russia and China, although Iran is improving quickly in its ability to target critical infrastructure, “entrenching themselves so if there was ever a military conflict, they could shut down key pieces of our infrastructure and our government,” Kennedy said.

*

While cybersecurity is constantly advancing, it’s still a new field. Corporate security breaches often go on for months or years before being detected, he said.

“We’re still trying to figure out what it takes to actually secure a lot of these companies,” Kennedy said. “Our mission in security is really to make it harder for hackers to break in. That’s our goal. It’s not to stop everything because it’s not possible.” Instead, he said, the aim is to help companies understand how attacks occur.

Often it’s through social engineering that targets individual users, particularly those in non-technical areas of a company, such as communications or sales, he said.

“You don’t have to be a sophisticated hacker to break into a corporation,” he said.

It could be as simple as sending emails that state “Your package has been returned.” It’s a common ploy to entice individuals to click a link that will launch malware, he said. Luring people with a phony giveaway is another scheme.

Other tactics use something familiar: a story that’s received media attention “or something they’ve researched off you as an individual,” Kennedy said. “I want you to believe whatever it is that I’m sending to you and not dismiss it” as a hacking attempt.

Protecting yourself, he said, involves understanding how hackers get into computer systems. Often it’s by getting you, the user, to go to a malicious website.

*

To aid in defending against hackers, Kennedy recommends:

  • Windows users should install EMET, the Enhanced Mitigation Experience Toolkit, which stops patterns that look like hacker methods.
  • Keep up to date with software patches.
  • Be careful about what you download and install (this goes for mobile users, too — particularly Android phone users).
  • Uninstall applications that you don’t need.

Hackers also can gain access through unsecured wireless connections, such as in coffee shops or hotel lobbies. As a way of reducing this method of entry, Kennedy recommends going into your device’s wireless settings and deleting previous access points that are no longer used.

He urged extra vigilance when traveling internationally: There is no privacy and laws often differ from here in the U.S., he cautioned.

Kennedy said he has an old laptop and phone that he uses solely when traveling outside the country, knowing that they’ll be compromised.

—Kimberly K. Barlow
