Cybersecurity: Protecting the castle
Tips on coping in an era of vulnerability
Businesses that assume hackers wouldn’t be interested in targeting them, or that they have little to lose, might want to think twice.
Michael Scheidell, chief security officer for C3 Cloud Computing Concepts, gave an update on some of the latest dangers and how to avoid them at an event sponsored by the South Florida Manufacturers Association. It was held at JC White, a commercial interior design and products supplier in Miramar.
Think about the worst thing your competitors could get, Scheidell said. How about your customer lists, the discounts given to certain customers, a list of vendors and what you pay them for products? Then, there’s the danger of payroll and banking information getting exposed.
The ripple effect could be customers deciding they would rather do business with a more-secure company if a hacking event happens. Scheidell said he has closed accounts at a couple of banks in the past few years because their network security is lax.
In one instance, he was working with the Secret Service on a payroll issue and they watched as $48,000 disappeared from an account.
“Now, they call the bank and the bank should have been able to stop it and get it back immediately. But the bank screwed around and said, ‘Well, no, you did it. You did it. You did it.’ And it took three days for the bank to finally decide that there were 17 people throughout the United States, connected to that client’s account at the same time taking money out,” Scheidell said.
One stunning statistic is 76 percent of businesses that have been hacked don’t know that’s happened until law enforcement tells them.
In one high-profile case, Citrix Systems, the biggest software company in South Florida, disclosed that hackers penetrated its networks for five months, making off with financial data on contractors, employees and job candidates.
The FBI told Citrix that the hackers apparently used a number of common passwords to penetrate the company.
Scheidell said he did an audit at one company and found 22 percent of the active passwords were “Password1,” including an administrative account.
“You don’t need a hacker. You just need employees that aren’t paying too much attention,” Scheidell said.
If a company gets hacked, he warned that the FBI can take all of its computers, especially if they were used to hack into other people’s computers.
Data networks can be vulnerable in ways many business people would overlook. For example, printers on a corporate network have a port that could be hacked. Someone could type in text and the next time checks are printed, an extra one is slipped in, ready to be mailed to the hackers.
Companies need to be careful about vendors who have access to their system. One of the most widely publicized incidents involved the hacking of Target, where the information of 110 million customers might have been compromised. One of its vendors, an air conditioning contractor, fell victim to a phishing attack and then malware was able to get the credentials to log into Target’s system. Ultimately, Target’s point of sale system was compromised.
“We just did a simulated phishing attack against a law firm—Harvard-educated lawyers, college degrees—you know, 24 percent of them either clicked on it or downloaded the attachment to see what was in it?” Scheidell said.
RSA, one of the biggest names in computer systems, was hacked because a vendor was allowed to access the system without the usually required key fob.
“So, somebody came in, stole all the software for it, was able to break into Boeing, was able to break into the Department of Defense. And six years later, the Chinese had a stealth fighter that looked an awful lot like the one that we’re building,” Scheidell said.
To help avoid falling victim to the cryptovirus, which can encrypt and freeze system access, it’s important to make backups and then make sure they are not connected to the system, Scheidell said. Hackers look for the backups on networks to encrypt them.
Sometimes, hackers don’t or can’t decrypt systems even if a ransom is paid.
It’s also important to think about what’s sent via email, which is typically unencrypted. Don’t email sensitive data, such as a financial spreadsheet, he said.
Beware of open Wi-Fi hot spots because they could be set up by a hacker posing as a business and collecting your data as it flows through.
Think of what might happen if someone’s phone is lost, stolen or duplicated.
There are too many instances of imposters posing as someone who has lost their phone and getting a SIM chip that lets them take over somebody else’s phone service.
One strategy to combat hackers is multifactor verification, but Scheidell suggests avoiding text-based verification since someone who has stolen your phone identity will get the text. An alternative used by many companies is answers to pre-chosen questions.
Try not to use passwords or verification answers that would be easy for someone to guess, such as the name of pets posted on Facebook. Scheidell recommends using three to four random words.
When it comes to online sites, Scheidell said to look for online addresses that have “https,” which is the secure version of “http” addresses.
Try to use technology on your phone to make purchases, such as Apple Pay or Google Pay, which create a temporary virtual card, he said. Avoid swiping your card because the magnetic strip too often has all the information to duplicate your card. An unethical worker could be hiding a card skimmer in their pocket.
Similarly, don’t leave the flag up on your mailbox with bills that include checks, which have all your account information.
To secure their systems, companies should look at firewalls and web filters. The latter prevent employees from going to nonbusiness websites where hackers are more likely to lurk. “Some of these less secure websites are loaded with hacks, attacks and malware,” he said.
Realize the seriousness of getting hacked, he said. A credit card company could actually stop you from taking credit cards, Scheidell said. There’s even the risk of criminal liability and jail time, especially if you are storing health care data.
Companies should carefully examine where their most important data is stored, which Scheidell calls “the crown jewels.” Get a machine that matches the machine that holds the data and test how long it takes to do a restore from a backup. Then, calculate the per-hour cost of being knocked offline, he said. In one case, C3 was doing testing for a pharmacy company that used a third-party service to look up domain names.
“We found problems with it and they called the manufacturer, who said, ‘Oh, no, it’s secure and we know more than these guys.’ They were a big Fortune 500 company,” Scheidell said. “Three months later, every one of these domain servers all throughout the country got hacked and knocked offline. And the pharmacy was not able to ship anything for three days, and it cost him a lot of money.”