Defense today requires an action plan centered on a strategic approach based on prevention, detection, and response
87% of U.S. business executives are worried that cyberthreats could have an impact on their company's growth prospects12
Bottom line: External attacks not only impact bottom lines and operations, but carry a personal impact for executives
In late January 2014, a large U.S. health insurance company discovered that cyberattackers had broken into the company's IT system. Foreign hackers were suspected of stealing personal information belonging to 80 million people in one of the largest heists of medical-related customer data in U.S. history.13
Unfortunately, that wasn't the end of the story. The insurer soon learned14 that the attackers had infiltrated its network at least six weeks earlier, scooping up information useful for personal identity theft while monitoring the company's internal processes. What's more, investigators believe that the breach was part of a broader systemic campaign that included cyberattacks on several other major American companies.
Welcome to the new normal. Businesses now find themselves squaring off against cyberthreats from multiple elusive outsiders, ranging from cybercriminals to hacktivists to nation states. Experts describe this situation as a state of war.15
The U.S. Government16 now says cyberespionage is a significant and growing threat to the nation's security and prosperity. Groups behind these operations share one goal: steal intellectual property from businesses.
Consider, for example, these cases:
All information is valuable to somebody. Cyberspies usually seek a combination of intellectual property and general business information.
U.S. authorities have indicted five foreign agents for intellectual property thefts from companies including U.S. Steel, Allegheny Technologies, Westinghouse, and SolarWorld. This is the first time the United States has brought a case where it publicly charged state-sponsored cyberespionage as a motive. The charges highlighted the multi-pronged nature of many cyberespionage campaigns. Law enforcement groups find that cooperating with industry groups better addresses cyberspying. Sharing security expertise and information has proven to be the most effective prevention method for this threat.
As U.S. House of Representatives sub-committee chairperson Dana Rohrabacher stated during a cybersecurity hearing, "the economics of cybertheft is simple: stealing technology is far easier and cheaper than doing original research and development."
Hackers are also eager to acquire sensitive internal communications that offer insight into their target's strategy and vulnerabilities. Adversaries then leverage the stolen information to alter negotiations.
"Every company in every conceivable industry with valuable intellectual property and trade secrets either has been compromised already or will be in the future,"22 said Senator Joseph Lieberman.
Some, but not all, of the most popular vertical industry targets include:
Retail and Hospitality. Cyberattacks against retailers (Target, Neiman Marcus, TJ Maxx, and many others) make big headlines because personal financial information of millions of customers is stolen. Business travelers have been the focus of attacks in the hospitality industry.23
Healthcare, Pharmaceuticals, and Related Technologies. Healthcare services and medical devices rate among the fastest-growing investment sectors.24 As such, the development of new drugs requires major investments in research and development. Any information that would provide rival firms with shortcuts would be coveted.
Military Technologies. U.S. military systems, aerospace and aeronautics technologies are of great interest to strategic rivals. Cyberspies are alleged to have stolen the designs for multiple U.S. advanced weapon systems, including the F-35 Joint Strike Fighter, F/A-18 Fighter Jet, and the Patriot Missile System.25
Clean Technologies. New energy-generating technologies and ways to reduce greenhouse gasses are targets for cyberespionage, including foreign hackers indicted by the U.S. government.
Advanced Materials and Manufacturing Techniques. Companies are working to develop new ways to create advanced manufacturing technologies that improve industrial competitiveness. Any intellectual property that provides a shortcut would be priceless to rivals eager to create and sell competing products without the expense of research and development.
On November 24, 2014, the co-chairman of Sony Pictures Entertainment arrived at the office to discover a warning on the computer screen. Written over the image of a fanged skeleton, it said, "We've obtained all your internal data including your secrets and top secrets. If you don't obey us, we'll release data shown below to the world."26
It would go down as one of the most damaging corporate cyberattacks ever.
A shadowy group calling itself the Guardians of Peace27 had broken into the company's computer networks and gained access to more than 38 million files. Over the next several weeks, the Guardians of Peace began posting confidential — and sometimes gossipy — emails, password lists, and other information about Sony's business online.
The cyberattack was seen as retaliation for Sony's backing of the movie The Interview, a satirical comedy about a fictional plot to kill North Korean leader Kim Jong Un.
North Korea has steadfastly denied any involvement with the Guardians of Peace but publicly praised the attack as a "righteous deed."28 Although the identity of the creator of the Sony hack may remain in dispute, the episode shows the challenge to businesses finding themselves caught in a political or ideological crossfire.
Pilfering data. Stealing intellectual property. Establishing political dominance in a region. Harming a company's computer networks as a demonstration of force. These are among the goals of nation-state outsiders.
Security officials fear the theft of security clearance records from the U.S. Office of Personnel Management will be used to blackmail individuals to turn over secrets and steal more information.29 Personal leverage of that type has been used for decades by spies, and digital record theft makes gathering information easier.
Don't forget about financial gain and theft of intellectual property. Some groups, such as the Guardians of Peace, are out for retribution.
For some, hacking amounts to cyberwarfare, "a political tool which, when employed, is extremely effective at helping a nation-state achieve a geopolitical goal."30 Turn that around, and you'll find nation-states using hackers to defend their homeland interests.
It's difficult to attach an exact dollar amount to cyberdamage, since the victims are often not even aware they've been attacked. The annual estimated average financial loss, per cybersecurity incident in 2014, was $2.7 million, up 34% from a year earlier.31 Victims of highly publicized breaches routinely spend hundreds of millions of dollars to repair the damage caused by cyberattacks.
The FBI offered some technical details about the unique capabilities of the software used in the Sony attack. According to media reports,32 the agency said that the malware overwrites all data on a computer's hard drive and prevents the system from booting up. This made it "extremely difficult and costly, if not impossible, to recover the data using standard forensic methods." This type of software can be used by any cyberattacker.
In a widely cited 2012 analysis, criminologist Mike McGuire concluded that organized activity could be responsible for as much as 80% of global cybercrime.33 The Mafia has gone digital, and other groups have joined them.
So why care about organized cybercrime? Because it can affect your business. First, organized cybercrime is about more than dollars. National security can be at risk because many international organized groups may work to harm companies for political and financial reasons. Second, as mentioned before, $445 billion in losses are amplified. For example, $1 million in stolen intellectual property can ripple into a multimillion-dollar advantage for the company that gets its hands on the stolen information.
A UN draft report found that digital criminals have established cybercrime black markets around the world. These are built on a "cycle of malware creation, computer infection, botnet management, harvesting of personal and financial data, data sale, and 'cashing out' of financial information."34
A generic term for several different types of malicious code.
It's almost always financial gain for organized cybercrime syndicates. But it can be complicated.
Let's look at the Russian Business Network as an example. The RBN, as it's known, is considered to be one of the biggest and most sophisticated cybercriminal organizations in the world. Its origins are still uncertain, but its impact in the cybercrime world has been profound.35
Stolen data not used directly by cyberthieves go to one of many black markets. Darkode, a criminal underground market shut down by the FBI in 2015, included databases filled with Social Security Numbers, access to computer attack software, and software to control and pilfer Android phones.36 Experts believe there are over 800 such marketplaces worldwide.
Security researchers also say RBN has profited by being a shelter for other illegal activities, including phishing scams. Its methods, motivations and supporters shift constantly. And it operates where law enforcement is weak or corrupt.36 The group also acts as an interesting proxy for certain Russian government agencies that offer support, out of patriotism or greed.
Cybercriminals hunt for soft and lucrative targets to attack. Many have shifted their focus in recent years from individuals to businesses.
In the healthcare industry, the street value of stolen medical information is $50 per record, compared to $1 for a stolen Social Security number.38 Breaches in the healthcare sector topped the Identity Theft Resource Center 2014 Breach List, with 43% of the incidents identified in 2014.39 The fresher the data, the higher the value on the black market.
The financial services sector is a frequent victim, with 39% of the financial companies surveyed40 reporting being hit by cybercrime. That compares to 17% in other industries.
Other verticals targeted frequently by cybercriminals include education and government. Retailers also provide a perennial target41 for cybercrime groups. Several of the hacked large retailers have spent hundreds of millions of dollars replacing credit cards and paying for credit monitoring services for their customers.
Cybercriminals deploy a variety of methods to commit fraud or gain illegal entry into corporate networks. These include keystroke loggers, remote access Trojan viruses (software that hides inside innocent-looking apps then allows remote hackers to control a computer), phishing emails, and malware-infected websites. Software code inserted into a bank's ATM network spit out $2.9 million in cash to criminals over eight hours in New York City in 2013.42
Cybercriminals are becoming increasingly sophisticated at social engineering. The wealth of information many people publish on their social media sites provides personal information that can be used by hackers to appear to be their friends. Repeated spear phishing attacks contain either an infected file or a link to an infected website. Unfortunately, humans continue to be weak points in company defenses.
Software that captures every key press, including usernames and passwords.
A targeted digital attack filled with personal information directed at a specific executive or company.
The World Cup. Islamic extremists. The Philadelphia police department.
What do they have in common? They've all been targeted by the infamous group of hacktivists known as Anonymous.43 Anonymous is a loosely connected group of unidentified hackers that first gained notoriety for a DDoS attack launched against the Church of Scientology in 2008.44
Hacktivists such as Anonymous are cyberintruders who use technology tools to promote social change or have an impact on public policy. They also tried to overload websites for PayPal, Visa and MasterCard after the companies refused to process donations to WikiLeaks.45
Moral issues now prompt attacks, such as the public hack and release of data from the Ashley Madison website.46 A group calling itself the Impact Team hacked the site and threatened to release their stolen data unless the site closed. Avid Life Media, the owners of the site, refused to shut down, and nearly 10 gigabytes of customer information and internal emails have been released.
Pranks and practical jokes marked the early era of hacktivism, when participants operated more like cyber-street-artists than activists. Now, a political statement or act of cyberprotest is often the goal.
Hacktivists have been known to locate and publish a target's personal or corporate information, an act known as "doxing." In late 2011, for example, Anonymous successfully brought down the website of the private intelligence company Stratfor.46 Stolen private data was then furnished to WikiLeaks.
The short-lived hacker group LulzSec said47 that its 2011 attack against InfraGard was a response to reports that the Pentagon was thinking about classifying some cyberattacks as tools of war.48
A security process in which the user provides two means of identification: One is typically a physical token, such as a card. The other is typically something memorized, such as a security code.
Ralph de la Vega
President and Chief Executive Officer
AT&T Mobile and Business Solutions
Searching for and publishing private or identifying information about a particular individual or entity on the Internet, typically with malicious intent.
According to a research study in 2014, 87% of US business executives are worried that cyberthreats could have an impact on their company's growth prospects, up from 69% the year before.50
Yet companies can still take a series of preemptive steps to improve their ability to prevent, detect, and respond to cyberthreats.
Success hinges on heightened awareness and engagement. Know your data, know your applications, know your users, and know your traffic.
If your monitoring software finds something unusual, handle it appropriately. If you don't conduct any business in certain parts of the world, block traffic from those regions.
Companies can meet the threat challenge, but will need to shed outdated and reactive mind-sets. Defense today requires a strategic action plan centered on prevention, detection, and response.
Perform a Data Inventory, Data Valuation, and Data Risk Analysis. Request an inventory of the data your company protects. Once you know the value of that data, where it's located and the cost of loss to your organization, your cybersecurity defenses will become more focused.
Share Internal and External Security Intelligence. Demand more information sharing inside the company from the boardroom to every department and back. Participate in security working groups organized in your industry.
Authenticate and Authorize Users and Applications. Install two-factor authentication for important systems. Two-factor authentication creates another step of ID verification, an extra barrier between potential attackers and your data.
Analyze Both Inbound and Outbound Traffic. Verify what constitutes legitimate versus illegitimate traffic, and monitor the data flow in both directions. Monitor critical data closely to identify unauthorized access and removal.
Verify Data Encryption Usage. Ask your security team for an audit of current encryption practices. Data being transferred over the Internet outside the company, or stored outside the company, such as in cloud backup locations, should always be encrypted.
Prepare for Multiple Attack Types. The days when a single type of attack was the only threat factor are over. For example, a spear phishing campaign targets individuals but may leverage that point of entry to find other security gaps in your system.
Decide Who is Responsible for Data Security. Data security management tends to be split among multiple divisions. Some companies bundle data security under their IT or security teams. Others roll that oversight into the CSO or CIO role. Both approaches work, as long as security remains top-of-mind.
Look at Your Assets From the Outside. Appoint a group to evaluate what assets in your company most attract criminal scrutiny. Adjust your cybersecurity defenses accordingly.
Figure Out Where You Need Help. Figure out what expertise you need from external partners. Don't cling to the mistaken belief that you can do it all internally. There's no value in detecting a threat if you don't have the ability to respond properly.