SECURITY EXPERTS ANSWER KEY QUESTIONS ABOUT THE HOTTEST “HACKING” TOPICS TO HIT THE NEWS
Everyone has heard about the Sony cyber hack by now. Although it occurred in November 2014, it is still “running” all over the news and most likely will continue to do so for a while. Now another major hack has been added to the list: the breach at Anthem, the nation’s second largest health insurer. With more than 80 million customer records hacked, it is the biggest breach to date in the healthcare industry.
Following the Sony attack, Pres. Obama proposed updating laws and introducing new ones to allow federal and national law enforcement officials to respond better to similar cybercrimes and to prosecute such crimes, while protecting the privacy of Americans. The FBI also launched an investigation and sent its conclusions to a limited number of organizations, warning them about a destructive piece of malware that seems to be similar to the one used in the Sony attack.
But is it enough, or even effective? There is no doubt that these attacks continue to raise important security questions.
We asked Dyadic’s security experts to answer 5 key questions about these attacks:
Question 1 – Could the Sony and Anthem attacks have been prevented?
Prof. Nigel Smart: VP International Association of Cryptologic Research & Dyadic Co-Founder:
With our current knowledge it is hard to know whether these two attacks were performed externally, or with the help of insiders. In any case the amount of information stolen in both cases means the data breach is similar in scope to the Snowden breach at the NSA. What is probably clear is that information on internal systems was not sufficiently protected; this allowed either the external or internal attacker to scoop up large amounts of information and leak it. The way to prevent this is to secure all data internally via encryption and allow decryption only by parties who need to know the information, with strong storage of the underlying decryption keys. This will not prevent an attack from a large group of insiders, but will mitigate against most attacks.
Prof. Yehuda Lindell, Cryptologist, Chief Scientist & Dyadic Co-Founder:
These attacks were carried out by serious professionals. It’s naïve to think that such attacks can be completely prevented. However, it could have been a lot harder for the attackers, with the result being that far less could have been compromised before they were detected, if thorough precautionary measures had been taken with internal security policy and stronger data protection solutions implemented.
Question 2 – What impact could this type of attack have on the cybersecurity industry and technologies?
This high profile attack should act as a warning to companies to secure all of their data on their internal networks. Companies need to consider the internal network to be almost as insecure as the external internet. The loss of reputation amongst customers and suppliers can often be more costly than the cost of the data loss.
Organizations now understand that cybersecurity is crucial to their business. Unfortunately, the level of cybersecurity at many organizations is very low, even large technological organizations like Sony itself or big corporates like Anthem. Thus, every high profile breach raises awareness that no organization can afford to not have a security team and be continually on the search for new smarter solutions that increase their security immunity. Cyber-attacks are not going away, and new defenses are continually needed. If you don’t go forward to keep improving the security technology for your company, then you will eventually be behind the pack, and will pay dearly for it. It’s a sad state of affairs, but it’s today’s reality.
Question 3 – What’s in common between the Sony hackers and those hacking into corporate data like in the Anthem hack?
The people who leaked the Sony data clearly had a political agenda; but these may not have been the same people who actually broke in. Thus the hackers in the Sony case may be exactly the same as those breaking into other corporate networks to perform industrial espionage. In effect the methods and techniques are very much the same; all that is different is what the stolen data is used for.
They are both highly professional, focused on their target, and willing to spend time and considerable effort at getting what they are looking for. One important observation is that there are really two categories of attacks: the first are general attacks to steal credit card numbers, passwords, social security numbers and so on; the second are specific targeted attacks on specific companies for their IP or other assets. It is much harder to defend against the latter type of attack, although fortunately they are the minority.
Question 4 – Are we putting our efforts in the right direction: fighting hacking and breaches once they happen instead of trying to protect the data?
It is clear that companies need to spend upfront on security so as to prevent losses downstream. The problem though is that this added extra security is often seen as a cost, against some mythical future loss. Thus there is no real market incentive for many companies to spend the sums needed to secure their data. However, it is only a matter of time before a company is forced out of business due to such a data breach.
The task we face in the current times is whether a market-led solution will work (before a major corporate failure occurs) or do we need some form of government regulation in this space.
There is no perfect security solution, and defense in depth is an absolute necessity. Perimeter protection is essential, but we all understand now that it can be bypassed. It is therefore paramount to also deploy measures inside the network, both to provide additional protection and to detect the attack and block further damage to keep your data as safe as possible.
Question 5 – Can we block access to sensitive data completely? What should organisations consider a realistic goal in this respect?
A key problem with many of today’s internet companies (e.g. Facebook, Google, Amazon etc) is that their entire business model is based upon the processing and analysis of what could be classified as sensitive data. In addition the notion of what is sensitive data and what is not is defined by societal norms; for example there is a big difference in what is considered sensitive in the USA compared to, say, Germany.
Nothing can be done “completely” or “perfectly”. It is only possible to make it much harder with an effective security solution. Most of the attacks are not targeted to the same extent as the Sony attack was. Criminals who are looking for credit card numbers don’t care if they steal them from Target, Macy’s or Home Center, so they will typically go after the easier prey. But most importantly, if it is much harder to breach an organization and get to its digital assets, then attackers will have to do more to reach their goal thereby raising the chances that they will be detected…
With most security solutions, the key is locked in one location, so it automatically becomes more vulnerable and easier to crack. The goal is to remove the inherent single-point-of-failure and make sure there will be no access to the key, where it can be stolen.
The Bottom Line
Can we actually draw any conclusions from these attacks?
For one thing, they sure have got the industry’s attention! No one wants to be in Sony’s or Anthem’s shoes…or in the position of any big corporate which has experienced a huge hacking attack and data breach. It plays havoc with business, creates alarm among customers and users, and can affect earnings, planning and development, not to mention the high financial losses that result from each of these attacks, altogether causing a whole range of domino-like effects which are horrific to contemplate.
However, breaches are inevitable and will keep happening. It is really a matter of keeping at the forefront of technology, and making sure to continually improve security solutions, upgrading to smarter, more effective technology, and making it as difficult as possible for hackers to get in.