SAN JOSE, Calif.—Three members of the intelligence community, speaking on the keynote panel at the NetEvents Global Press and Analyst Summit here, agree that the security landscape today is rapidly becoming a scarier than ever.
That’s because today's hackers have become more skilled and technologically reactive than what security professionals were used to dealing with in years past.
The most prevalent group of cyber-attackers are those motivated by financial gain, explained MK Palmore, supervisory Special Agent, and the Information Security Risk Management Executive for the Federal Bureau of Investigation's San Francisco field office.
“They’re mostly males, 14 to 32 years old, have access to the dark web, and are able to operate in nearly complete anonymity,” Palmore said. He said that a group that’s nearly as big are hackers working on behalf of a nation state. What’s most concerning is that they’re teaming up. “We’re seeing a combination of financial and nation state actors forming super teams.”
This is a change from days when hackers operated in isolation, explained Dr. Ronald Layton, Deputy Assistant Director, U.S. Secret Service. “Now, these guys all know each other, they all are collaborative, and they communicate in Russian. “
Layton said that by working together, the groups are able to combine the virtually unlimited assets of a nation state with the sophistication of the best financial hackers.
The problem then becomes what to do about these new hackers? The first step, according to retired Deputy Director of the Department of Homeland Security and the founder of the Center for Information Security Awareness Michael Levin, is to train and educate the potential victim’s workforce. “So many of the hacks we see are the result of simple human error,” Levin explained.
Levin said that the source of those errors is primarily due to organizations that don’t want to take the time to tell their employees what they should or should not do. “How do we get them to not be lazy?” he wondered. “It’s time that we educate people to stop doing bad practices.”
Layton agreed. “We pay a lot of attention to what the bad guys will do to further their illicit game,” he said. But there’s more to it than that. “The new caffeine is curiosity. That’s what makes you click on that post, or text and drive. That’s why spearphishing is so popular. “ Layton said that a major percentage of the malware he sees comes from clicking on links and attachments.
Layton acknowledged that most businesses know that their employees need to be trained not to engage in such risky behavior, but he said that getting them to implement change is very difficult.
Palmore agreed, pointing out that motivating business remains a problem, “This message while simplistic is not being followed by business,” he said. “When you go through information security training, there are basics you are taught about protecting systems. We always find that there’s some gap in coverage in security. Those gaps may be patch management, audit and log management or buy-in from leadership and management.”
In addition, “you need to empower folks to get the job done,” Palmore said and noted that awareness does not equal behavioral change.
Palmore also said that if there was one security change that organizations could implement that would significantly reduce the exposure to hacking, it’s two-factor authentication. “Two-factor authentication is an obstacle to threat actors,” he said. It won’t necessarily prevent them from accomplishing their mission, but it could discourage them enough that “they will move to a target that is easier to breach,” he said.
He also said that simply following good security practices will have a similar effect, which is to convince the hackers to try elsewhere.
Levin said that the hackers are going to attack the low-hanging fruit first. “They’re going to look for the open door first.” He said that the first thing to do is get organizations to lock their doors against cyber-threats. He said that this includes getting rid of easy to guess passwords, such as “Password1234,” which he said must be the most common password in use.
Unfortunately, threats are continuing to evolve. “The ability for threat actors to go into the dark web allows for a level of activity that we have not seen historically,” Palmore explained. “Now what we look at in terms of organized crime, anonymity, completely changes the landscape.”
Fortunately, there are things organizations can do to help protect themselves against today's more sophisticated hackers and first on the list is encryption, said Levin. It’s critical for organizations to encrypt their customers’ data, along with the data they use in their everyday communications, he said. The encryption of emails is also very important, since without encryption, you might as well put sensitive information on a post card when you mail it.
Fortunately, he said that it’s possible to find email systems that will automatically encrypt your email. But Layton cautioned against using encryption that’s too complex. “As complexity goes up, security goes down,” he said. The reason is that when security gets too hard to use, people will tend to stop using it.
So how to make sure your organization is taking all of the steps required to maintain security, including searching out security holes? “This is what the CISO is there for,” Layton said. “This is his job.” Unfortunately, as evidenced by recent breaches, including the one that resulted in 143 million records being stolen at Equifax, the CISO doesn’t always to the job they’re hired to do.