WASHINGTON — The attacker inevitably has the upper hand when trying to hack a company, cybersecurity experts say.
A company must install security that proactively protects itself from attempted breaches coming in from all sides. A hacker has to find a single weak spot to gain access to the information he or she wants, whether that’s Social Security numbers or data to start a cyberwar.
When companies are facing hundreds of thousands of attempted hacks a day, it’s common for a successful breach to occur, said Mark Rasch, a former federal prosecutor of cyber crimes. Big names such as Home Depot, Target and Anthem Health Insurance have all recently been subject to data breaches.
Cyber experts agreed that companies need to have a step-by-step process in place to use following a hack. A fixed system ensures the attack is fully understood and prevents it from happening again, they said.
An important part in a company’s immediate reaction to a breach is having a quick response team “in place and ready to go,” said Paul Tiao, a partner in law firm Hunton and Williams’ global privacy and cybersecurity practice. Fast mobilization allows the team to stabilize the security system and address legal issues. The company may also wish to contact law enforcement in connection with its internal investigation.
This phase, which Rasch identifies as a step to “stop the bleeding,” lets the company launch an investigation into the details of the hack: how it happened and what was compromised.
Attackers seek all kinds of information on varying levels of importance and secrecy. Some are looking for personal information, including Social Security numbers and bank account numbers. These details are often accessed through credit card numbers, such was the case of Target, or theft of identities, such as with Anthem, Rasch said.
Others attempt to take trade secrets, private corporate intelligence and copyright information — all which can be used by a competing entity to infiltrate the company network. Attackers could use the data to damage the company or for personal gain.
Although attacks involving credit card and personal identity thefts attract media attention, breaches involving corporate information are actually more common, Rasch said.
“The reason we hear about those attacks has nothing to do with the size of the organization,” he said. “It has to do with the fact that there are laws that require those kinds of data breaches to be disclosed.”
Forty-seven states, with the exceptions of Alabama, New Mexico and South Dakota, have some sort of law that requires entities to tell affected individuals when their personal information has been compromised. However, the statutes do not extend to private company information, which allows these groups to hide such breaches from the public eye, Rasch said.
Tiao attributed some recent breaches to security lapses associated with outside vendors used by companies, as well as to company employees victimized by social engineering schemes.
Tiao’s latter point is supported by a recent paper titled “Hacking the Human Operating System” from Raj Samani, vice president and chief technology for the computer security software company McAfee. Samani identifies humans as the “weakest link in system security,” through which attackers infiltrate companies’ networks. Hackers can manipulate company employees and users through various persuasion techniques, Samani says, including using peer pressure on social media and sending catchy emails as clickbait.
With attackers’ strategies and technologies becoming more advanced and complex, it’s difficult for companies to be a step ahead of evolving hackers.
“In the 70s and 80s, hackers were typically lone experimenters,” Rasch, the former prosecutor, said. “In the 90s and 2000s, you started seeing organized groups of people hacking for profit. The next thing you started seeing is state-sponsored hacking, electronic espionage and now hacking as a tool of warfare.”
Even individual hackers are now part of bigger groups and organizations, Rasch said. Communities existing in the dark web allow hackers to exchange advice and tools that allow them to better their strategy.
Formal bands of hackers rally around an “ill-defined common scheme,” whether it’s political or social, Rasch said. He named Anonymous, a “hacktivist” group, and the Syrian Electronic Army, which uses pop-up messages to notify users they’ve been hacked, as some prominent organized sects that have emerged recently.
But more recently, hacking is being used for cyberwar and cyberterrorism — as in the case of North Korea infiltrating Sony Pictures Entertainment in late 2014. Rasch anticipates that cyber attacks will soon trickle into war and be used successfully hand-in-hand with physical combat.
“It could be as simple as using viruses or worms or malware to jam or shut down a nation’s air defenses, so that you can launch an attack and not get your plane shot out of the air,” Rasch said. “All the things you can do with a bomb, you can do with a logic bomb.”
Similar cyber attacks could be used to disrupt nations’ communications, transportation systems and power grids, Rasch said.
So what happens when a company realizes it’s been attacked?
The company must start to repair the existing damaging and notify affected customers in compliance with federal and state data breach notification laws — a process that must be done carefully, yet quickly, Tiao said.
It’s common for companies to send mass letters to their users after a hack has occurred. Days after a major attack affected more than 40 million credit cards at Target, the company sent out a letter in December 2013, disclosing what information had been compromised and advising users to be “vigilant for incidents of fraud and identity theft.”
Target also included a list of Frequently Asked Questions for customers, one of the common communications measure that Tiao suggested in response to a breach of customer personal information. He also recommended consulting public relation experts to deal with the risks, as well as designing a plan for communicating with the media. Litigation and disputes with regulatory agencies and customers are possible, Tiao said, so companies must be prepared to address those.
Entities must also look internally to complete the process of recovering from a hack. Rasch said that companies will assess their vulnerabilities to ensure they won’t experience a similar hack again.
“Every company, no matter their size, has to go back and look at ‘what are our family jewels?’ in terms of information.” Rasch said. “What we’re seeing now is that information security is critical to the operations of businesses of all sizes. There has to be an appreciation for that and a commitment of resources to protect that theft and to recover from breaches.”
By conducting an extensive review of a company’s information assets, its staff can address the most important cybersecurity vulnerabilities, Tiao said. Companies can strengthen their network security policies and practices, and train employees to be more secure and aware in cyberspace, he said.
However, Tiao stressed the need to be prepared before the attack comes and not to be entirely reactive in their approach to cybersecurity for a company. By being ready before the hack, the damage will not be as bad after an attack, he said.
Rasch echoed Tiao, saying that it can only be more beneficial to entities to be more aware and knowledgeable in cybersecurity efforts.
“Every organization needs to be able to understand the benefits and the risks associated with electronic commerce,” Rasch said. “That goes to McDonalds’ Corporation and all the way down to [Chicago-based] Edzo’s Burger Shop.”
