Hack Your Business Before Someone Else Does

This post was published on the now-closed HuffPost Contributor platform. Contributors control their own work and posted freely to our site.

What do Sony, Yahoo, Target, San Francisco's Muni, presidential elections in two different countries, Orange is the New Black, and Bangladesh Bank have in common? Hacked. Typically, by finding a weak human link on the corporate chain who will click a link in an infected email. Hackers have quickly moved beyond just catch and release of data. The more lucrative pattern is to lock the data up for ransom.

Historically, cybersecurity conversations were closed conversations for experts at gatherings like RSA or Defcon. But I’m seeing a move to educate a wider audience. Last week I attended a seminar to educate C-suite execs about making cybersecurity a corporate priority. Then I hopped a plane to New Orleans for the Collision Conference. Even though Collision is billed as a conference for the startup community, there was a clear focus on thinking about data safety. This megaphone effect sends a powerful message that wherever you sit in the Internet world, cybersecurity is everyone’s business. And the bottom line is you may want to learn to hack yourself before you get hacked.

Is It a Management Problem?

At Cyber Resolve, a cybersecurity training program designed for board directors and executives by CyberVista, the day opened with a role-playing exercise that involved a fictitious company’s ransomware attack. Participants each played a different role in the organization, making decisions as the attack escalated. The exercise illustrated how competing interests in the corporation (to go public about the breach or not, to pay or not) play out. CyberVista’s interactive, executive-focused cyber risk training programs operate on the premise that cyber hygiene starts at the top.

Crowdsourcing Hackers

Another popular counter to hackers is something called bug bounties. I spoke with Marten Mickos at the Collision Conference. Mickos’s HackerOne has an army of over 100,000 hackers who will work to discover vulnerabilities in a website, app, system… whatever. Companies (and governments) will pay anywhere from $5K to $125K depending on the size of the task. When a hacker finds a vulnerability, they are compensated. Mickos says one of his top hackers made $600K last year and that the company has helped players from Microsoft to the Pentagon. “Think of us like a hacker talent agency,” says Mickos. “We offer bug bounties to good hackers who solve companies’ problems.” Mickos powered a Hack the Pentagon program which discovered more than 130 bugs, the first one found in just 13 minutes. “To date, we’ve uncovered more than 43,000 bugs.”

Ransomware

Marcin Kleczynski, CEO of Malwarebytes, thinks a lot about the dark web, a place where $39 will buy you a ransomware kit. Ransomware installs itself on its victim’s device and holds the data hostage. It’s an equal opportunity problem for individuals as well as businesses. Ransomware attacks are growing. A report from SonicWall, based on data from the SonicWall Capture Threat Network, reports 638 million attacks in 2016, more than 167x the number in 2015. “Facebook, Twitter, and even Barbie dolls point to the web with simple default credentials,” says Kleczynski. “Never trust a pop up or phone call that tells you that you have a problem,” he says, though he fully expects that there will be variations on the ransomware theme as hackers continue to exploit.

Phishing: Humans Are the Weakest Link

“Phishing,” says Oren Falkowitz of Area 1 Security, “is the root cause in over 95% of all cybersecurity incidents. Most people click on links and respond to requests via email all day long. It’s their job. As long as we are letting these emails into employees’ inboxes, we are actually expecting every employee to be a part-time cybersecurity professional.” Falkowitz believes we should leave securing organizations to actual cybersecurity professionals, and better yet, to technology, though he’s the first to admit that right now it’s the larger companies with the budgets to do this. “Not only do employees have more important things to do than worry about clicking on rogue links, but they are also trusting humans—links will be clicked and attachments will be opened as long as links and attachments exist.”

The Internet of Insecure Things

Vince Steckler, the CEO of Avast, loves to show audiences just how easy it is to hack your high-tech home. At Collision, in front of a live audience, Steckler used a router’s insecure password setup to hack into a Smart TV and take over its programming. “Anything accessible over the Internet is susceptible to being hacked,” stresses Steckler. Companies like Avast turn to data provided by their large client networks (60 million simultaneous connections) to process and identify anomalies. Steckler cautions manufacturers of everything from connected baby monitors to coffee pots to make their digital certificates more impervious to attacks. (Most IoT devices come with default passwords often as lame as Admin or 12345.) As Steckler says, “The maker of a coffee machine is an expert on making coffee, not fending off hackers.”

AI, Heuristic, and Behavioral Analysis

Two Collision attendees, Darktrace and Sift Science, are putting a new emphasis on looking at behavioral patterns. Darktrace says it takes its cue from the human body’s immune system. AI algorithms are taught to build a pattern of normal life inside of a company. That includes a profile of every move of every employee when they’re on the company system. Any change from the normal pattern is detected and traced. Sift Science also relies on machine learning to help e-commerce websites detect fraud by leveraging the power of its global network.

Cybersecurity is now everyone’s problem. Corporate decisions like where to store and who gets access to your company’s data will become part of startup life. Technology tools will get smarter about isolating problem communications. And hopefully, humans will even get a little smarter about when and where we click. “Businesses have learned to take precautions in the real world,” says Jeff Welgan of CyberVista. “E-Commerce and the web have let us scale our businesses to grow, but with that growth comes the challenge of being cyber-resilient.”

We’ll be looking at these issues and the newest tools to help at our upcoming Cybersecurity Conference at CES in January 2018. Because it’s the largest gathering of manufacturers of IoT devices, it’s a great place to continue the discussion.

Robin Raskin is founder of Living in Digital Times (LIDT), a team of technophiles who bring together top experts and the latest innovations that intersect lifestyle and technology. LIDT produces conferences and expos at CES and throughout the year focusing on how technology enhances every aspect of our lives through the eyes of today’s digital consumer.
