Cybersecurity Cybersecurity
Total Page:16
File Type:pdf, Size:1020Kb
Issue: Cybersecurity Cybersecurity By: Pat Wechsler Pub. Date: February 1, 2016 Access Date: September 27, 2021 DOI: 10.1177/237455680203.n1 Source URL: http://businessresearcher.sagepub.com/sbr-1775-98146-2715384/20160201/cybersecurity ©2021 SAGE Publishing, Inc. All Rights Reserved. ©2021 SAGE Publishing, Inc. All Rights Reserved. Can businesses protect themselves from computer crime? Executive Summary As fast as Internet use has grown over the past two decades, so too has the cybersecurity challenge for businesses and governments that are fighting to keep their data and networks safe from intruders. Today, they face an unprecedented assault from a powerful global army of sophisticated, well-organized and well-financed hackers who vigilantly seek vulnerabilities to exploit. In the past couple of years alone, these shadowy figures have stolen personal information on hundreds of millions of U.S. customers and employees and have cost enterprises close to $500 billion. With each new device or product connected to the Internet, the possibility of hackers wreaking economic chaos has grown. Despite the mounting threat, most enterprises have failed to implement the kind of rigorous security protocols necessary to keep out even low-tech efforts to penetrate networks. Among the questions being debated: Are companies responding adequately to cybercrime? Should the United States encourage American companies to “hack back” when they think they've been hacked? Can information sharing between businesses and government help fight cybercrime? Overview Larry Ponemon, who has counseled companies for years on how to protect their data and computer systems, remembers a cybersecurity presentation he made not long ago to a major technology company on areas of risk. “As I wrapped up, some smart aleck—the head of research and development, I think—told me that his company didn't have to worry because ‘our security is as tight as Fort Knox,’ ” the consultant now recalls. “He said, ‘No one—not the Chinese, not the Russians, not the Romanians, nobody—would be able to infiltrate the company's network through the Internet.’ ” A few months later, the company got in touch to let Ponemon know that the smart aleck turned out to be right—no hacker was able to penetrate the system through the Internet. Instead, cyberthieves disguised themselves as outside contractors, walked into the building and proceeded to steal valuable designs and other data off the network. “This wasn't unique,” Ponemon says. “Companies too often think they have it Hackers today are numerous, smart, more organized than ever covered or it will never happen to them.” and, above all else, persistent. (Bill Hinton/via Getty Images) Ponemon tells the story to reinforce one of the major reasons cybercrime is so difficult to combat: Hackers are numerous, smart, more organized than ever and, above all else, persistent. If they can't penetrate the system using one method on a certain day, they simply keep trying until they find a chink in the corporate armor or a time when a company's guard is down. For the past two decades, corporations and governments around the world have been fending off intrusions to their computer networks by shadowy figures that may be working in the office next door or thousands of miles away on another continent. The last 10 years, in particular, have been marked by increasingly large and dangerous data breaches—with cyberthieves making off with valuable proprietary information and data from hundreds of millions of personal accounts on corporate and government networks. While these hacks have caused considerable disruption for the corporate and human victims, cybersecurity experts warn that even more dire, even potentially deadly, consequences may lie ahead as almost every aspect of everyday life—from driving a car to operating the national electrical grid—becomes increasingly linked to the Internet or other large “hackable” systems. 1 The exact dimensions of the economic threat are difficult to quantify. In 2009, security-software seller McAfee warned that the global costs of cybercrime Larry Ponemon: “Companies too often think they have it already had topped $1 trillion a year—a figure used subsequently in speeches covered or it will never happen to them.” (Peter by President Obama and senators on both sides of the aisle. 2 A more Foley/Bloomberg via Getty Images) conservative 2014 estimate from the Center for Strategic and International Studies, a Washington think tank, placed the annual cost of cybercrime between $375 billion and $575 billion, making the economic impact comparable to global drug trafficking. 3 Page 2 of 25 Cybersecurity SAGE Business Researcher ©2021 SAGE Publishing, Inc. All Rights Reserved. Almost 800 U.S. Data Breaches Reported in 2015 Number of U.S. data breaches, 2005–15 Note: “Data breach” is defined as an incident in which an individual's name plus a Social Security number, driver's license number, medical record or financial record is potentially put at risk of exposure, either electronically or in paper format. Sources: Data for 2015 from “Data Breach Reports,” Identity Theft Resource Center, Dec. 31, 2015, p. 4, http://tinyurl.com/p8zuqtp; all other data from “ITRC Breach Statistics 2005-2014,” Identity Theft Resource Center, 2015, http://tinyurl.com/h4nlmqk U.S. businesses, government agencies, schools and other organizations recorded 781 data breaches in 2015, just short of a 10-year high in 2014. Before 2015, the number of breaches had risen for four consecutive years. Health and medical record incidents accounted for two-thirds of breaches in 2015. Still, most agree global cybercrime is escalating with the proliferation of both hackable targets and technically savvy and well-financed hackers. A report by Juniper Research contends costs could reach $2 trillion annually by 2019. 4 Given the increasing sophistication of malware—essentially software designed to disable computer systems—“one of the worries that many of us have in the security industry is the potential for attacks on industrial control systems,” says Ponemon, chairman and founder of the Michigan-based Ponemon Institute, who has served on numerous government and corporate Internet security commissions. “In an attack against a power utility, you could cause a brownout for a few minutes, or if it is done well, it could be for months. Those kinds of attacks used to be the stuff of science fiction movies, but they're real.” The escalation of the cyberwar is linked to the increased organization and cooperation among hackers, many of whom operate out of Russia, Eastern Europe and China. Whereas a couple of decades ago hackers tended to be young computer whizzes working alone in their basements, hackers now are part of well-defined, often global enterprises, similar to the syndicates that participate in drug or arms trafficking. Some have even replicated corporate structures, paying salaries to their army of hackers and creating marketing and customer support teams to sell their malware to other hackers. 5 “Hackers often report to an office every day like the rest of us,” says Alan Brill, a senior managing director at investigative risk-analysis firm Kroll. “And they spend their eight hours searching for vulnerabilities in corporate and governmental computer networks. It's organized and relentless.” Because of the global nature of the enterprise, the complicity of some governments and the sophisticated technology hackers use to cloak IP addresses, authorities in the United States and elsewhere have had only limited success identifying culprits, let alone prosecuting the worst malefactors. “Upwards of 80 per cent of cybercrime acts are estimated to originate in some form of organized activity, with cybercrime black markets established on a cycle of malware creation, computer infection, botnet [networks of infected computers that send out spam and viruses] Page 3 of 25 Cybersecurity SAGE Business Researcher ©2021 SAGE Publishing, Inc. All Rights Reserved. management, harvesting of personal and financial data, data sale, and ‘cashing out’ of financial information,” a United Nations report stated in 2013. 6 Increased organization also has changed the nature of hacks. 7 “Early threats were usually hit-and-run,” Brill says. “Someone broke in, stole something—perhaps a blueprint or a set of documents—and left, attempting to leave behind as little evidence as possible. Today the goal is to remain inside the network for as long as possible without being detected and do as much damage as possible—either stealing information or causing disruption.” This extended, under-the-radar presence is known within the cybersecurity industry as an Advanced Persistent Threat (APT). Originally a strategy of government-to-government cyberespionage, APT denotes both the attacker and technique. The hack follows a pattern: 8 The attackers first research the target organization. They then break into the network using social engineering techniques, such as spear phishing, which involves getting people in an organization to open emails and unknowingly infect the system with malicious software. Next, they attempt to remain undetected in the network while they gather information and assess where valuable data are stored. Finally, the attackers collect the data and extract as much information as possible. Some of the most infamous recent APTs and spear-phishing assaults included the 2014 attack on the computer networks of Sony Pictures Entertainment, which resulted in dozens of terabytes (each approximately a trillion bytes) of confidential information being stolen —including highly embarrassing emails from the division's top executives. 9 Another was the hack of Target Corp.'s computer network in 2013, when spear-phishing emails were sent to a vendor with access to portions of the retailer's network. 10 Attackers stole information from 70 million customer accounts and 40 million credit and debit card numbers. 11 A third APT attack, particularly humiliating for the United States, was against the federal Office of Personnel Management (OPM).