Cyber Security Expert with Leading Internet Security Management Firm Examines Dire Threats to our Internet Security and What We Need to Do About It

With 90 million-plus breaches per year, and close to 400 new threats every minute, cyber-security attacks are fast becoming one of the top threats to the security, well-being and livelihood of individuals and companies around the world.

Cyber-security expert Steve King, Chief Security and Operating Officer of Netswitch Technology Management, Inc., one of the top Internet security management companies in the world, says the threat is not only real, but it’s only getting worse and is here to stay.

“Cyber-attackers are leap-frogging corporate defenses, malware authors have figured out clever and sophisticated tricks to avoid detection, ransomware attacks have soared 113% since 2014, social networks and new mobile apps are enabling cybercriminals, who are moving faster as corporate defenses lag behind, and predicted future attacks on the Internet are more serious than ever,” says King, who has 30 years of experience in computer data security. “The facts are that as long as you’re connected to the Internet, you will likely become a victim of a cyber-attack.”

But King cautions that it’s not all doom-and-gloom or time to give up and get off the grid. Although not a guarantee, there are ways to protect yourself and your company from falling victim to cyber attacks, says King, but it takes diligence, awareness and adopting a multi-layered defense strategy.

In a wide-ranging question-and-answer session, King discusses these very real threats, what you can do to make your personal online activity secure, how you can make your business secure, tips on minimizing your and your company’s exposure, and some of the new threats looming on the horizon for 2016.

King’s three-decade computer industry experience includes data security, software engineering, product development and professional services, as well as extensive market experience in Information and Cyber Security Management, Contextual Search, Digital Media, Business Intelligence, Content Management, eCommerce, and Data Science.

In addition, King has managed product development with UNIX, Windows and Java platforms, founded four software and services startups and raised $42 million in venture capital.

As a co-founder of the Cambridge Systems Group, Steve brought ACF2, a software security system, to market, which would become the leading Enterprise Data Security product for IBM mainframe computers. As a result, King is known as the “Godfather of Information Security.”

Netswitch is one of the world’s leading Managed Security Service Providers (MSSP) and the fourth fastest-growing Managed Services Provider in the world. It was ranked fifth in California and 61st globally in MSPmentor’s 2015 annual top global 501 MSP rankings.

Netswitch’s corporate and advisory boards feature some of the industry’s leading security experts and technology leaders, who have created many of the most popular data security products on the market today.

Netswitch consults with and provides managed security services for some of the world’s leading banks, hospitality, healthcare, manufacturing and financial services companies.

In business since 2000, with offices in San Francisco, Chicago, Thailand, Beijing, Hong Kong and Shanghai, Netswitch has partnered with global clients such as Verizon Wireless, Wells Fargo Bank, Charles Schwab, eBay, Vodafone Americas, Inc., and the Hong Kong & Shanghai Hotels Limited.

Q&A with Steve King of Netswitch Technologies:

1. How real do you feel the cyber threat is in the marketplace?

Very real. The dark side of the cyber security landscape is growing rapidly. More hackers join the ranks and more attacks are being launched every day. The annual cost of losses from global cyber-crime has added more than $100 billion annually.

Cyber-attackers are leap-frogging corporate defenses, malware authors have figured out clever and sophisticated tricks to avoid detection, ransomware attacks have soared 113% since 2014, social networks and new mobile apps are enabling cybercriminals who are moving faster as corporate defenses lag behind and predicted future attacks on the Internet are more serious than ever. The facts are that as long as you’re connected to the Internet, you will likely become a victim of a cyber-attack.

2. Is it here to stay?

Absolutely. The rewards are bigger. The value of credit card and PayPal accounts is much larger than it was just two years ago. The hacking techniques are much more sophisticated and the cyber-criminals just keep getting better. The Dark Web, which is now hiding most cyber-attacks, is 400 times larger than the conventional web and it is completely anonymous. The cyber-security industry is way behind the curve and there are very few college curriculums focused on data- or cyber-security even today. No new graduates means increased upward pressure on employment and wages. The unemployment rate in cyber-security is negative zero and a trained and experienced security analyst salary averages $225,000.

3. How vulnerable am I to a personal attack?

Very. Let’s look at one attack target, social media. Currently, there are more than 3.5 billion social media customers worldwide with more than 70% of Internet users accessing social media services online. Social networking is one of the most popular ways for online users to spend their time, and to stay connected with friends and families. People that spend a lot of time on social networks usually click links posted by trusted friends. One popular technique hackers use to exploit this tendency is called Like-jacking. This is where hackers post fake Facebook “like” buttons to webpages. People click the “like” and inadvertently download malware into their computers.

Other techniques known as Link-jacking and Phishing result in more than 600,000 compromised Facebook accounts every day. In 2015, three in 10 Facebook users reported being compromised and the trend is increasing. Paying close attention to links that seem strange and avoiding the “like” button are two ways you can reduce your exposure. There are also lots of online “Dummies”-type books that will help you recognize spoofs and spams.

4. What can I do to make my personal online activity secure?

Monitoring and reviewing your credit and debit card activity is obvious and necessary, but in addition you should sign up with your bank for real-time notification services so that you get an email or text alert when your card is charged an amount above that which you specify or when it is used online. This is a simple way to discover any large charges or online charges at the moment they occur. Notifying your bank then immediately will not only relieve you of the liability but will also help the bank in tracking down the perpetrator.

Trust no one is a good guideline. When someone tries to trick you into disclosing passwords or personal information, you will naturally think twice and insist that they prove they are who they claim they are. Simply never give any information to an unsolicited caller, website or email.

With online purchases, you can look for indicators of authenticity like a closed lock symbol repeating the https URL address, but this, like many other symbols these days, is not foolproof. What are known in the industry as Safe Browsing Service or Short URL Checking are not hack-proof. Hackers are skilled and have figured out ways around all of these checkpoints.

The best advice is to minimize your exposure by using only a single online shopping service like Amazon or at least use different credit cards at different sites so you minimize your card replacement activity. The new credit card chip and pin technology has no impact on online or card-not-present purchases and there is no 100% secure defense against online fraud.

Never use your debit card for online shopping as you will be providing fraudsters a direct path into your savings account and you will have reduced limited liability compared to credit cards. If your debit card is used in a fraudulent transaction and you haven’t noticed it or reported it for a period of 2 days (which is not unusual in card fraud) you will be liable for $500 of the loss.

Password Tips:

We have seen data that says upwards of 90% of passwords are made up of initials and birthdates. These are all easily hackable. Here are three simple password tips:

     -Don’t just use one password or a successful thief will immediately have access to all of your accounts.

     -Make your passwords hard to decipher. Make them at least 8 characters long. Combine a personally memorable sentence with some personally memorable tricks and special characters to modify that sentence into a password to create a lengthy password. An example of this would be “This little piggy went to market” becomes the password, “!tlpWENT2m…?”. But don’t use that one. Today’s password crackers know all about the first letter of every word in a phrase. You have to be more creative now.

     -Don’t post your passwords in plain sight, like on a Post-It stuck to your monitor. You would be amazed at how many people still do this. I am not a fan of password vaults because one of the top companies in that space was hacked a couple of months ago and all of the “vaulted” passwords were stolen along with the appropriate customer information to identify the password owners. I AM however a fan of identity theft protection companies who charge as little as $10/month and can save you several months of agonizing process trying to prove you are who you say you are following the theft of your identity.

5. What is the number one tip to keep my personal accounts secure?

Don’t shop online and use cash only. If you can’t do that, use an unlinked reloadable debit card for all transactions. If you don’t want to do that, only shop at one on-line location like Amazon. If you don’t want to do that, use a different credit card at each online site.

OK — number one tip? Use a single credit card for online only and do all your shopping at Amazon. Amazon is the most secure online site on the planet, but if they do get hacked, your damage control is limited to a single card.

6. How about my business?  What are the top 5 tips to keep my business secure?

You have to adopt a multi-layered defense strategy. The 5 layers you must put in place are:

1. Policy and Enforcement. You will need to determine and decide an exact set of rules related to security that must be followed by everyone in the organization. This usually begins with defining who has what access and authority to get information and the process they must go through to gain access. Identity is an example of one of the most popular current attack vectors. One of the easiest ways for hackers to penetrate your defenses is to use authorized credentials. They bounce around your network until they find a set and then they’re in.

You need to protect these credentials with identity management software (available from multiple vendors and very affordable), process and policy, and then you need to enforce the policy even if it’s the CEO who is requesting privileged access.

2. Training and Awareness. The vast majority of advanced malware infections today are the result of phishing, spoofing and malvertisement. Phishing is where an attacker tries to learn login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels. That is one effective way hackers get authorized credentials which they later use to compromise your systems.

Spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. It is often used to get you to send important, sensitive and confidential documents by return email.

A malvertisement (malicious advertisement) is an advertisement on the Internet that carries malware and if clicked (an offer you can’t refuse) can infect an entire network.

There is software available for a few hundred dollars a month that not only trains your employees but conducts random tests throughout the year to keep them alert and on their toes. Training your employees to be able to identify these types of attacks and refreshing them on a regular basis will go a long way to prevent a devastating infection.

3. Software and Systems. There are numerous software packages available (over 435 of them actually) that purport to protect various attack surfaces against various attack vectors and styles. The five principal vulnerabilities are your website, your perimeter, your end-points, your network and your files/systems/programs. You will need software that guards against both internal as well as external threats.

You have to be able to control mobile devices logging on to your network remotely (phones, iPads, laptops, etc.), interactive applications that process data coming through your website (registrations, credit card, etc.), employees and contractors working with classified, sensitive or proprietary data (software, algorithms, designs, accounting, etc.), data that resides on servers connected to your network (ERP, CRM, HR, etc.), vendor and partner access points that connect to your network (billing, job accounting, maintenance, etc.), your own connections to partners in your supply chain, and all transaction activity running across your network.

You want to prevent and block access, detect anomalous behaviors and capture and contain malware infestations before they are able to breach your system, steal your data or otherwise compromise your protected assets.

With a subscription to only a couple of specialized and highly effective software products, you can provide all of this protection in a complete solution for less than the cost of an administrative hire.

4. Monitoring and Alerting. All the technology won’t help unless you are monitoring your network. You need to be able to monitor your infrastructure 24 hours a day, 7 days a week. It only takes an hour or so for an advanced threat to penetrate and begin exfiltrating data from your files. If you only monitor your network environment during working hours, you are leaving yourself open to an attack 76% of the time. This does not create great odds for your business. If you can’t build your own team and staff three shifts across a 7 day week, then you should outsource the monitoring to a managed security services company who has trained and certified security analysts watching client networks all the time. Because these companies can scale their operations, this service is a lot less expensive than you would think. Certainly less than the cost of a new headcount.

5. Remediate and Restore. Once you have been attacked, the key to recovery is a planned remediation and restoration process that has been communicated and rehearsed so that everyone understands their responsibilities and is ready to act in the event of a security breach. The planning for this is crucial. There are various planning templates around that can guide you through appropriate processes for your particular business or you can hire a consultant who specializes in this area.

You will need to have specified exact steps to take depending on various attack scenarios. The goal is to eradicate the malware and recover your systems to get everything in your infrastructure operating normally once again. You will need to know in advance exactly how you are going to communicate the event to your customers, shareholders and employees and when.

The average downtime following a breach last year was 12 hours. This means 12 hours without email, systems, desktops, networks or internet access. This does not include recovery time or cost. Target Stores had great technology that detected their breach, but they didn’t have a remediation or recovery plan and the result was horrific. You don’t want to be that guy.

7. Do you see any new threats on the horizon for 2016?

Yes. Security budgets are up only 2% in 2016, yet the growth rate for breaches and malware attacks was up 67% over 2014. You can do the math.

Here are some threats looming on the horizon:

     -Hardware Attacks. While hardware-centric cyberattacks are not a new concept, the incidents are increasing and leveraging attack vectors like USB flash drive worms to conduct surveillance on targets is a new and effective penetration technique. The benefit to attackers is that without behavioral analytics monitoring a network, detection is very difficult. There is every indication that cyberattackers will continue to keep exploring how hardware can be infiltrated, and more ongoing attacks of this nature will be uncovered in 2016.

     -Commercial Software Vulnerabilities. Adobe Flash, Java and Microsoft’s Internet Explorer are three of the most vulnerable and will continue to dominate the software threat landscape just because of their huge install base and the inability of IT support people to apply the patches in a timely fashion (if ever). Most people will not migrate away from Flash due to the enormous amount of legacy content remaining online and even with new attack mitigation features, it remains a major vulnerability target.

     -Ransomware. This is turning out to be one of the most popular and virulent malware infections of the current year and arrives on your network compliments of a phishing attack or an accidental download. It locks your screen, encrypts your files and extorts a fee before giving you the cryptographic key required to get your files back. Since it has been so successful, it will continue to grow with new levels of sophistication and new stealth tactics. It may effectively encrypt your data on both systems and backups and even kernel components so that your own operating system will do its work on the fly. We will see an increase in ransomware incidents throughout 2016.

     -Cloud Computing. There are so many low-priced variants of cloud models available now and few of these hybrids are hardened to the degree Amazon AWS is. The universal appeal in terms of cost and efficiencies will drive more businesses to these variants with a dramatic collateral increase in vulnerabilities. They will continue to become irresistible targets for cybercriminals in 2016.

     -Wearables. The popularity of smartphones, watches, fitness bracelets and even smart clothing in the workplace creates an irresistible target-rich environment for hackers. All of these devices have communication capabilities and unprotected code that can be easily hacked and used as a backdoor to the corporate network. We will see a dramatic increase in cyber-attacks through compromised wearables throughout the new year. We will also see a related explosion in privacy legislation as a result.

     -Employee Home Systems. As businesses continue to improve their security postures and implement the latest security technologies, attackers will shift some of their focus to attacking enterprises through employees’ home systems. These relatively insecure setups and primitive home routers will yield easy corporate network access for hackers in 2016.

     -The Digital Dossier. Stolen personally identifiable information sets are being linked together, making the combined records more valuable for cyber attackers. Previously unexplained attacks against institutions like the UCLA medical center or Community Health Systems became obvious as these records were found combined with stolen credit card information and other personally identifiable information (PII) to create personal dossiers worth as much as $100 per data set on the dark web. 2016 will see even more robust black markets emerging for stolen PII along with usernames and passwords.

     -Malware Franchises. The evolution of malware has developed into complete kits available on the Dark Web for everything from ransomware kits to Denial of Service to point-of-sale breach kits. These kits are now being bundled for re-sale through franchise operators. It is sort of like a one-stop shop for attackers and hacktivists who want to be able to stand up a complete arsenal on the web and go after anyone they choose. The Dark Web also provides cover for hosted computer viruses, Trojan horses and spyware through anonymous networks like Tor and will continue to provide increasing protection for these attacks in 2016 and beyond.

It may seem like a daunting and near-impossible challenge to thwart all these ever-evolving hackers and sophisticated cyber-attacks, but King said with help and support from experts like himself and companies such as Netswitch, the threats can be minimized by being aware, minimizing your exposure and being prepared with a recovery plan if you are attacked.

About Netswitch:

Netswitch is one of the world’s leading Managed Security Service Providers (MSSP) and the fourth fastest growing MSSP in the world; ranked by MSPmentor’s 2015 annual top global 501 MSSP rankings. 

Netswitch developed MADROC® as the foundation for changing the way that businesses achieve their IT security goals by providing the most advanced cloud-based solutions to monitor and protect critical information assets without adding headcount or expensive hardware and software licenses.

In business since 2000, with offices in San Francisco, Chicago, Thailand, Beijing, Hong Kong and Shanghai, Netswitch provides its customers with experience and expertise in managing their IT infrastructure and defending their networks and applications from cyber-attacks and data breaches.

Small, medium and large companies have all partnered with Netswitch including global clients such as Verizon Wireless, Wells Fargo Bank, Charles Schwab, eBay, Vodafone Americas, Inc., and the Hong Kong & Shanghai Hotels Limited.

At the end of the day, Netswitch customers enjoy the peace of mind they get through knowing we are looking out for them 24 x 7 x 365 days a year. 

For more information, visit our website.