Hacking: What Should You Really Know? (Part 3)
by Scott M. Lewis
The data black market: What is it, and how does it work? This is something I have written entire articles about, but basically the data black market is one of the very last truly free marketplaces where the value of something is based on the perception of the buyer-to-seller relationship. I think it is easy to imagine how the black market works from a perspective of “I have stolen credit card numbers – who wants to buy them?” One of the most common questions, though, is this: Why can’t we simply follow the money and arrest these people? In most cases the actual interaction between buyer and seller is done through either chat rooms or simple email once a connection is made, and then through the use of Bitcoin the actual financial transaction is completed.
Bitcoin is basically an untraceable digital currency, so once a dollar has been changed into Bitcoin, the tracking of that Bitcoin transaction is virtually impossible. Setting up a Bitcoin account is relatively easy. There are basically clearinghouses or online banks such as Dwolla. Once you have an account at Dwolla, you have to set up an account at a Bitcoin exchanger, and there are many to choose from. Then you simply transfer funds into your Dwolla account and move those dollars through the exchanger, which transfers the dollars to Bitcoin, and then you can send digital funds to any other Bitcoin account. The transferring of these funds can be completely anonymous and untraceable, which is why authorities simply can’t follow the money.
Is the world coming to an end? Nope, there are steps you can take to protect yourself. Some of these steps will vary depending on whether you are protecting personal systems or corporate systems. Security audits on corporate networks are critical. Security is not something to do once and forget. It is an ongoing, never-ending process that has to be paid attention to and managed and invested in. Security is not something to save money on; it should be a layered approach that basically creates a maze of obstacles that have to be navigated through in order to gain access to your network.
Performing security audits is the first step to understanding where you are in the many areas of security – what is good, what is bad, what are the weaknesses and how do you put a strategy in place to correct them and harden your network? However, don’t forget about the biggest threat to your company’s actual data, which happens to be your employees, so as you harden your system from external threats, you have to harden your system from internal threats.
Part of having a solid security initiative is to train employees on their roles in managing and maintaining a solid security methodology. Corporations need to have strong policies and procedures in place to help protect the overall business; however, employees will do what employees do, which at times will put the business at risk. When one of these situations arises, how do you react? From a human resources perspective, how do you manage a security violation without solid training and policies about your ability to take corrective action?
Employee training should include instructions on password policies, the importance of changing passwords on a regular basis, using complex passwords, identifying a potential risk and what to do if a potential risk factor is identified. Employees do play a critical role in security, and their understanding of why certain things happen and why the company has to take the steps it does to protect itself is critical to the overall security initiative.
Corporations have a much higher burden and a lot more to think about to have a security methodology that is effectively protecting the business but not so tight it is preventing employees from doing their jobs and being productive. It is interesting to watch companies go through the evolution of developing a security protocol. On one hand, they want to kill the IT department if the company gets a virus or they think they have an intrusion or they face some kind of data loss or if the company is not practicing industry standard security protocols. On the other hand, they won’t enforce the policies they develop or they come up with other practices that circumvent the security protocols that are designed to protect them, such as allowing outside email addresses to be used for business purposes or online file-sharing systems.
I have the protocols and procedures so tight at some larger companies that they have a really hard time getting tools, software and other legitimate technology resources past the IT approval processes. However, employees and corporate executives have to understand that once you open that door, it can be a very slippery slope and repairing the system is much more complicated and costly than properly protecting it in the first place.
A solid security plan always starts with having a good backup. An electronic off-site backup is now considered the industry standard. However, other key components are solid complex passwords that are not similar and change on a regular basis. With the high adoption rate of mobile devices, using encryption software and locking these devices is increasingly becoming a necessity in the business world.
Have a layered approach to protecting your system and your data, with hardware-based web filters, spam and malware filters, and a good corporate anti-virus program running on all devices, such as laptops, desktops, mobile devices and servers. Have good corporate-level firewalls with intrusion detection and web-filtering protection, along with a good corporate-level router. It is just as important to have good management of your network, eliminating old users from your domain and email systems, limiting attachments through your email systems and certainly having no executable files, eliminating network shares, limiting employees’ access to network resources, and having proper data retention and archiving practices. I would also recommend that you limit or eliminate the practice of BYOD, or Bring-Your-Own-Device-to-work plans. There are legal questions about the amount of security a company can push onto a device it doesn’t own, along with some questions around the ownership of intellectual property once it is downloaded to a personal device.
What does the future of security and the next generation of viruses, spyware and malware mean to corporations? Typically viruses used by hackers will fall into two categories: polymorphic and metamorphic. Polymorphic viruses have a consistent virus body, which makes them easier to detect and decrypt, which makes the design of countermeasures possible. Metamorphic viruses do not decrypt with a consistent virus body. They will change their shape but typically not their behavior, which makes them very difficult to detect until the virus has already been activated, which leaves you dealing with the behavior aspect of the virus. What we have seen over the last few years is that viruses have been more metamorphic and have reached a point where they are learning on their own and changing based on the in-place countermeasures you have running on your network, like anti-virus protection. Because of this intelligence, viruses now will probe for weaknesses and then change either their body or their behavior in order to execute and infect your network, which can provide hacking opportunities.
Factors to consider now that we have discussed how hacking works, what they are looking for and what the next evolution of viruses may look like: Always-on connectivity. We all have them now – smartphones, tablets and other mobile devices – but you have to keep in mind that these are actually computers that will connect to networks that may or may not be protected. These mobile devices, because of the overall lack of security, have become prime targets. When you think about being always connected, one question you may ask is: Do I always need to be connected? And keep in mind what you are connecting to. Don’t use public Wi-Fi, implement a two-factor authentication process and use HTTPS protocols as often as you can.
Along with mobile devices come the apps we love so much. They track everything from weight loss to passwords. Are you encrypting that data or just running the app? There are over 600,000 apps, and that number is growing daily. And apps have also become a favorite target for hackers because they know that sooner or later you will connect to a network for data or email or something else, and all they need is that connection using your user name and password.
Combine all these factors with the overall lack of security in place in corporations around the world and you can see that the future for computer hacking is very opportunistic and that hacking will become more sophisticated.
I have always preached: Don’t overlook security because your data is worth something to someone and it is simply not as hard as people think to get information about you and to become you. We as a society have become more and more connected, and we see people sharing more and more information about themselves. We have seen a rise in hacking and identity theft, and the black market for stolen corporate data is in the billions of dollars. The real underlying problem is not that the security countermeasures we implement fail us; it is that the humans who use the technology fail us because as much as we want to be secure, we don’t want the inconvenience of security. I have been in the technology business for over 35 years, and there is no such thing as 100% secure because of the human factor involved within security and the lack of overall leadership within the corporate ladder to implement and stick with approved policies, procedures and enforcement of strong security cultures within organizations.
Scott Lewis is the President and CEO of Winning Technologies Group of Companies. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium and small companies, and Winning Technologies’ goal is to work with companies on the selection, implementation, management and support of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.