Safeguarding cyber-security is a bit like trying to keep an infectious disease at bay. Nasty software can spread swiftly to large populations, so it has to be identified quickly and information passed on immediately to ensure that others can protect themselves. Ideally, organizations should avoid catching an infection in the first place — but that requires them to get better at basic security hygiene.
The story of the hackers who hit the bull’s eye at Target is revealing. They are thought to have broken into the computers of a heating, ventilation and air-conditioning firm that was a supplier to Target and had access to login details for the retailer’s systems. Once inside, the hackers were able to install malware on Target’s point-of-sale system that captured credit- and debit-card details at tills before the data were encrypted. This scam affected some 40 million customers.
The debacle showed up several flaws in Target’s security that the company has since fixed. It has strengthened internal firewalls to make it harder for hackers to move across its network if they find a way in. It has also developed “whitelisting” rules for its point-of-sale system, which will flag up any attempt to install software that has not been pre-approved. And it has reinforced security around passwords used by its staff and contractors.
At eBay, cyber-attackers were able to get their hands on the login details of some employees and used these to gain access to a database containing encrypted customer passwords and other non-financial data. The firm asked all its 145 million users to change their passwords as a precaution, but says it has seen no evidence of any spike in fraudulent activity. It also reassured customers that their financial and credit-card data were held in encrypted form in databases not affected by the attack.
Both of these cases highlight the need to think carefully about how data are stored and who has access to them. They also demonstrate the importance of encryption. When Edward Snowden addresses conference audiences (which he does via video link from Russia), he often reminds them that strong encryption can frustrate even the NSA. That is why a number of technology companies, including Microsoft, Yahoo and Google, are now encrypting far more of the data that flow across their networks, and between themselves and their customers.
Educating employees about security risks is equally important. In particular, they need to be aware of the danger of spear-phishing attacks, which often use false e-mail addresses and websites. Kaspersky Lab, a cyber-security firm, found that globally an average of 102,000 people a day were hit by phishing attacks in the year to April 2013. Security software has got better at weeding out suspect mail, but hackers are constantly trying new tactics.
Their job would be made harder if people picked more robust passwords. Verizon, a telecoms company, studied 621 data breaches in 2012 in which 44 million records were lost and found that in four out of five cases where hackers had struck they had been able to guess passwords easily — or had stolen them. There has long been talk of using biometric identifiers such as fingerprints or face-recognition technology to add an extra layer of security, but these have yet to catch on widely.
And even if they were to become more widespread, they would not protect firms from rogue staff. As Snowden has shown, insiders bent on leaking sensitive data can cause huge damage. This can involve large sums of money. A study by researchers at Carnegie Mellon University of 103 cases of intellectual-property theft by corporate insiders in America between 2001 and 2013 found that almost half involved losses of more than $1 million. Many were in the IT and financial-services industries (see chart, above). Insiders sometimes turn to this kind of crime after becoming disgruntled with an employer. “An insider threat is a thousand times worse than a hacker threat because it is so hard to defend against,” says Chris Hadnagy, a security expert.
Technology can help. Darktrace, a British startup, is one of several firms touting continuous network monitoring software. This uses complex algorithms and mathematical models to map what normal daily behavior on a network looks like and then flags up anomalies, such as a computer that suddenly starts downloading unusually large data files. The technology can also help spot hackers at work inside a system. Andrew France, Darktrace’s boss, says firms need “immune systems” that can automatically react to any intrusion.
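The baseline-then-flag-anomalies idea described above, as an added Python illustration (not Darktrace's code or anything from the article): each host's own normal daily download volume is learned with a median/MAD baseline, so a backup server that always moves gigabytes is not flagged while a workstation that suddenly pulls 9.5 GB is. All hostnames, volumes, the 5% spread floor and the threshold of 5 are constructed assumptions.

```python
import statistics

# Constructed sample: total megabytes downloaded per host per day.
# Days 1-7 are the baseline window; the last value is the day being scored.
DAILY_MB = {
    "ws-finance-03": [210, 198, 245, 230, 205, 220, 240, 9500],
    "ws-hr-01":      [50, 55, 48, 62, 51, 49, 58, 57],
    "srv-backup-02": [8000, 8200, 7900, 8100, 8050, 7950, 8300, 8400],
}

MAD_SCALE = 1.4826   # scales MAD to a standard-deviation-like unit for normal data
MIN_HISTORY = 5      # assumed minimum number of days needed to define "normal"


def baseline(history):
    """Median and robust spread of a host's own daily totals.
    Median/MAD rather than mean/stddev so one past spike does not poison the baseline."""
    med = statistics.median(history)
    mad = statistics.median(abs(v - med) for v in history) * MAD_SCALE
    # Assumed floor: 5% of the median, so a perfectly flat history does not
    # turn every small change into an anomaly (or divide by zero).
    return med, max(mad, 0.05 * med)


def anomaly_score(history, observed):
    """How many robust deviations above its own normal a host's day is (negative if below)."""
    med, spread = baseline(history)
    return (observed - med) / spread


def flag_anomalies(daily_mb, threshold=5.0):
    """Return {host: score} for hosts far above their own baseline on the last day.
    Hosts with too little history get a score of None so they surface for review
    instead of being silently skipped."""
    flagged = {}
    for host, values in daily_mb.items():
        history, today = values[:-1], values[-1]
        if len(history) < MIN_HISTORY:
            flagged[host] = None
        elif (score := anomaly_score(history, today)) > threshold:
            flagged[host] = round(score, 1)
    return flagged


if __name__ == "__main__":
    for host, score in flag_anomalies(DAILY_MB).items():
        print(f"{host}: {'insufficient history' if score is None else f'score {score}'}")
```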
This is becoming even more important as skilled hackers are getting better at covering their tracks. In the APT cases Mandiant was asked to work on last year, the security firm found that the median time hackers were able to operate inside systems before being discovered was 229 days. The known record was held by a group of digital ninjas who dodged detection for over six years. And these numbers cover only cases in which intruders were eventually spotted, so the real damage done may be much worse than they suggest.
To catch hackers early and create defenses to keep them out, some companies are systematically studying the habits of highly organized groups. “You need to try and get ahead of threats, not just react to them,” says Phil Venables, the chief information-security officer of Goldman Sachs, the investment bank. Goldman has built a threat-management center staffed by ex-spooks who scan cyberspace for anything that could pose a risk to the bank and then tweak its defenses accordingly.
Facebook, a prime target for hackers and spammers, has built ThreatData, a computer system that sucks in vast amounts of information about threats from a wide range of sources, including lists of malicious websites. Details of these sites are automatically fed into a blacklist used to protect Facebook.com and the firm’s corporate network. Joe Sullivan, the social network’s CISO, says threats are now changing so fast that an instant response is essential.
If precautions have failed, it is still worth trying to zap a threat at an early stage. After the Target debacle a group of retailers including Nike, Gap and Target itself set up an Information Sharing and Analysis Center, or ISAC, with an operations center that will share information about cyberthreats among its members.
Big banks in America have been doing this for some time; indeed, the retailers’ ISAC is modeled after the financial-services version, FS-ISAC, which was set up in 1999. The finance group now has 4,700 members and in recent years has helped co-ordinate banks’ defenses against massive DDoS attacks. Bill Nelson, who heads it, says it is spending $4.5 million on building a platform that will allow banks using it to adapt their defenses almost instantly to intelligence about new threats.
The British government has taken this idea even further. James Quinault, the head of the Office of Cyber Security and Information Assurance, which leads the government’s strategic thinking on cyber-security issues, says it has created an electronic platform, or “social network for defenders,” that lets its 450-plus members share threat information. The group includes companies from a wide range of industries including defense, financial services, energy and pharmaceuticals. The idea is to make it as diverse as possible so data about threats travel fast across the country’s industrial base. The network also has a group of spooks and industry experts who spot intelligence that could be useful to firms in other sectors and pass it on, having first obtained permission.
Sharing information is extremely helpful, but some large companies are now assuming that truly determined hackers cannot be kept out. So they are putting more emphasis on building resilience — the ability to bounce back fast in the event of a breach. It is essential to have a well-conceived recovery plan and to test it regularly, says Ed Powers of Deloitte, a consulting firm. In financial services, where a problem at one company could easily trigger a system-wide crisis, regulators are urging banks and other firms to consider resilience across markets.
A war game run last July by America’s securities industry, Quantum Dawn 2, simulated a widespread attack by hackers intent on stealing large amounts of money and disrupting the stock market. As part of the game, the assailants corrupted the source code of a popular equities software program, hacked a system that let them issue fraudulent press releases and mounted DDoS attacks on government networks. Among the lessons learnt from the exercise was that business and tech people need to work more closely together, and that they need to get better at judging whether an attack could spark a systemic crisis.
Such exercises are helpful to improve cyber-defenses, but not nearly as helpful as a much simpler remedy: to put in place a set of basic precautions. The Australian Signals Directorate, the equivalent of Britain’s Government Communications Headquarters (GCHQ), says that at least 85% of targeted breaches it sees could be prevented by just four measures: whitelisting software applications; regularly patching widely used software such as PDF viewers, web browsers and Microsoft Office; doing the same for operating systems; and restricting administrator privileges (granting control over a system) to those who really need them to do their job. So why do companies so often fail to adopt them? Economics provides some of the answers.
© The Economist Newspaper Limited, London (July 12, 2014)