Cyber theft and online security made headlines again in 2014, which came as no surprise to Vantage Technology Consultant Jon Young, who is concerned that some system operators may not understand the evolving nature of the threat or the extent of their own potential vulnerability.
“When attackers are able to infiltrate corporations like Sony Pictures, steal credit card information from big online retailers like Wal-Mart and Amazon , and even download and distribute Madonna’s latest album, we’re reminded of how widespread the threat of information security breaches truly is,” Young declared. “The bad guys are very good at this, so we’ve got to be even better. That’s why I became involved with InfraGard.”
With the FBI serving as a central hub for compiling and distributing information, InfraGard is an association of security conscious members who contribute to – and draw from – a pool of information about the latest security threats. Members collaborate by discussing techniques that have proven effective in identifying and preventing them.
InfraGard was conceived nearly 20 years ago (1996) in the FBI’s Cleveland office, where agents responded to a rise in local online attacks by joining with victims, system operators and other IT experts to pool information, identify vulnerabilities and devise solutions to enhance security.
Every system operator must ask: am I doing all I can to protect myself and my organization?
The idea garnered a lot of attention, and proved so successful that it was soon replicated in all 56 FBI field offices. There are currently 85 InfraGard chapters in the US, with representatives from over 350 “Fortune 500” companies and a total membership of more than 35,000 participants.
“This is an information-sharing partnership coordinated by the FBI that pools the collective knowledge of thousands of technology professionals and private IT administrators.” Young said. “The networking aspect is even more valuable than the information we gain, and it’s a great example of the power of collaboration.”
Young describes InfraGard as a “two-way street” where information is both gathered from and disbursed to members. The most important bit of information that comes from this exchange is the one that never really changes: no one is immune from the threat of cyberattack, and organizations must remain vigilant and well-informed.
“The media often reports on breaches that occur at big-name companies like Sony, Target, Home Depot and eBay,” Young said. “Lost in the volume of news are the frequent similar reports about successful attacks on medical centers or institutions of higher learning. No one is immune.”
When you consider how some of the most high-profile breaches are reported, one might conclude that the bad guys are after credit card information or other data that can be easily monetized. And they are, of course. But the threat is more insidious than that, Young said.
Colleges, universities, medical centers, local government agencies and even small businesses might not see themselves as prime targets for hackers, but this isn’t just about credit cards and social security numbers. Attackers have found ways to profit from personal medical records, and the bad guys are happy to steal whatever data they can get their hands on; accordingly, every system should be thoroughly evaluated periodically, Young said.
“You may not think you have anything of particular value, but that’s simply not true. The bad guys are patient, and clever. They have found ways to combine seemingly innocuous information with other data in powerful ways. So every system operator must ask: do I have the right resources and approach to protect myself and my organization? Vantage can help answer that question. ”
Hackers are relentlessly testing for vulnerabilities, and attempts to breach online systems with Advanced and Persistent Threats (APTs), Young said. An APT is a cyberattack in which the attacker is both advanced and persistent – that is they have the skills, resources time and motivation to find a way in. APT threat actors are highly motivated and organized and are very difficult to defend against. That said, most breaches don’t require particularly strong skills or resources. Finding the balance of resources and defense posture that is right for your organization is key.
“Vantage excels in this area of technology consulting,” Young said. “We’re constantly expanding our knowledge base with information from an array of sources, including InfraGard. We’re adept at evaluating organizational needs and helping each institution find the strategic and tactical approaches that enable them succeed while protecting the data and reputation of the organization.
“What is the right investment in this area? What parts of our system might require enhanced security or special attention, and what governance protocols need to be put in place to administer this? We’ve become very good at helping our clients answer these questions,” Young said.
While some larger universities, medical centers and other institutions have taken steps to protect themselves against evolving security threats, others have not. Online security at some small and midsize organizations may not be as robust as it needs to be, often due to time or resource constraints.
“Even with the more forward-thinking institutions, we sometimes see conflicts between the head of IT and the Chief Information Security Officer (CISO), which is easy to understand,” Young said. “One is focused on keeping the IT systems running smoothly while the other is concerned primarily with maintaining security. It’s vitally important that they communicate openly and work together as everyone has the same overarching goals of enabling the institutional mission. We can help with that.”
Is Anyone Cyber-Safe?
This sampling of news reports from just the last few years suggests that even the biggest organizations can be vulnerable to attack, and may need to review their online security.
- EBay – In May of 2014, eBay announced that hackers had stolen the personal records of 233 million users. The hack harvested usernames, passwords, phone numbers and physical addresses.
- The recent attack on Sony Pictures made big news, but it wasn’t the first time the company has been targeted. In 2011, 77 million PlayStation Network and Sony Online Entertainment accounts were hacked. Credit and debit card information was stolen by an unknown group of cyber hackers who stole information worth an estimated $1 to $2 billion.
- Citigroup – one of world’s largest financial institutions – suffered an attack in 2012 where contact information and account numbers for more than 200,000 customers was compromised, resulting in a $2.7 million loss for the company.
- PayPal, Yahoo, Home Depot and many other household names have all suffered similar cyberattacks in recent years.
- The State of Montana’s health department suffered a data breach in 2012 that gave hackers access to the Social Security numbers, medical records, medical insurance records, names, addresses and birth certificates of more than a million people.
- Despite its reputation for being an IT and software powerhouse, the nation of India reported 13,301 cyber security breaches in 2011 alone. In 2012, hackers penetrated the email accounts of 12,000 people, including high officials from the Indian Defense Research and Development Organization (DRDO), the Indo-Tibetan Border Police (ITBP), Ministry of Home Affairs, and the Ministry of External Affairs.
- An ongoing series of cyberattacks that began in mid-2006 known as “Operation Shady Rat” have thus far hit at least 72 organizations worldwide including the International Olympic Committee. The operation’s name was derived from the common security industry acronym for Remote Access Tool (RAT) and was behind the cyberattack on the 2008 Summer Olympics.
- An incredible interactive map from antivirus software firm Kaspersky offers a sobering look at cyberattacks currently taking place around the world in real time.
- See a list of the Top 25 “Hacks of all Time” (so far).
- See ZDNet’s list of the biggest hacks, leaks and data breaches of 2014.
- And let’s not forget personal security. How safe are your passwords? Not very, if you’re still using any of the combos that made the list of the worst passwords of 2014.