Cyber security: The next war
Last month we discussed the biggest makers & shakers of 2016, but the biggest and it is not something that we can simply turn the calendar.
As we head into the new year, a group of U.S. intelligence officials were briefing Congressional intelligence committees and President Donald Trump on the depth of the Russian hacking of the Democratic National Committee as well as other efforts to affect this and past U.S. elections. This follows an October report by 17 U.S. intelligence agencies confirming that Russia was behind the hacking of the DNC.
This is truly a remarkable statement regarding our world today. That such an event would be remotely possible would have been unthinkable a few years ago. But hacking occurs on a daily basis. And if there is even a remote possibility a foreign government could have an impact on selecting the U.S. President, there is nothing in our world that is invulnerable.
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) — a Belgium-based global consortium of banks and financial institutions that enables financial institutions to communicate information about financial transactions in a secure, standardized and reliable environment — recently warned banks of the escalating threat to their systems. It is perhaps the most powerful and important organization most people have never heard of. The letter noted that cyber attacks targeting the global bank transfer system have succeeded in stealing funds. This comes even after the successful February 2016 theft of $81 million from the Bangladesh central bank.
And on Dec. 14 Yahoo (YHOO) reported that the data from 1 billion users was compromised in 2013, the largest breach in history. This could kill the proposed Yahoo acquisition by Verizon (VZ), which was already under pressure due to a previously revealed data breach.
Eldon Sprickerhoff, co-founder of cyber security firm eSentire Inc., says the cyber security space has changed in every possible way since he launched the firm in 2002. “If you went back 15 years, the idea behind cyber security was simply a firewall, anti-virus and maybe anti-spam,” Sprickerhoff says. “You didn’t see a huge criminal element, you didn’t have regulators, you didn’t have mainstream media front page news every couple of weeks about data loss.”
Things have obviously changed, and business is good for Sprickerhoff. “One of the things we do is look at full network traffic from the outside to the inside for all of our clients,” he says.
In the past, cyber security was one service of many that tech firms might offer. Now there are regulatory mandates to meet along with simply staying secure. “We’ve talked to regulators as to what they are trying to do, we have more clients in this space than any other cyber security company—just doing security,” he says.
eSentire focuses on small to medium-sized financial firms. It has 280 employees and approximately 600 customers, ranging in size from 100 to 300 employees, $1.5 billion companies on up.
“Our client base typically cannot spin-up their own security operation center. If you have 100 people working in your firm, you can’t afford to have 10 of them working on security,” Sprickerhoff says. “Basically we outsourced the effort of dealing with cyber security for firms that can’t do it themselves.”
Sprickerhoff describes it as a survivor game regardless of the size of your company. That is why he created a Matrix to define the level of security all firms need (see the chart below).
Petty cyber theft
Most cyber-crime incidents recorded by eSentire involve smaller attacks that attempt to earn quick cash.
“These are the things you need to do right now. It is not all technology, it shouldn’t all cost [a lot, but it is what you need] if you want to survive against ransomware,” Sprickerhoff says. “They don’t care how big you are, if they can milk you for $500 or $1,000 or $2,500 each time, they will gladly do it.”
And the threats keep on coming.
“As soon as you put anything on the internet, it is at risk,” Sprickerhoff says.
There are many forms cyber-crime takes. “The biggest one is financial, I call it a smash and grab attacker; they are just trying to get assets or data that can be turned into cash quickly. The next layer is organized crime. If you tried to knock off an 18 wheeler full of TVs, that’s messy. There are people, you have to get rid of the products, maybe kill someone; it is easier just to send ransomware and collect that way.”
Sprickerhoff explains that there are hackers who simply break into various firms and then auction off that access on the dark web. “You can go to sites and say you can access X site for very little money. For say €50 they will sell you access to a site of a multi-national company in a couple of ways,” he says.
Once a hacker establishes that beachhead at any company, whether through malware or direct access, there are a lot of things they can do.
Hacking as a service
Like many industries, hacking has become more efficient and has been commoditized. “Going back 10 years if you wanted to write malware you would need a background in computer science, you had to know how to program, but now you can go back to the dark web and buy malware that is custom made for you as a service,” Sprickerhoff says.
Less industrious hackers can shop for products to use in their crimes. “They can give you custom ransomware, they can give you customer lists, they can handle payment options,” Sprickerhoff says. “You don’t need to know anything about programming; you just need to know who to pay.”
Who is doing this? “There are a couple of villages in Eastern Europe that have great education facilities, especially in science, tech and math and not much in the way of employment opportunities,” Sprickerhoff says. “And so they have this opportunity, you can drive a cab for $10 a day or you can do what you love, which is programming and make incredible amounts of money doing it. It is illegal, but you still have that opportunity.”
There is a concentration of this activity in Russia, Ukraine and Romania, according to Sprickerhoff, who adds that Brazil is quickly becoming a center as well.