The need for organizations to implement IT Security measures to protect sensitive data and to prevent cyber-attacks has never been greater. In this introduction to Cybersecurity we will review what it is, how it works, and why it is important.
What is Cybersecurity?
Cybersecurity, also referred to as computer security or IT security, is the practice of protecting computer systems, networks, and data from unauthorized access and attack. These attacks are typically malicious in intent: accessing and stealing data or personal information, extorting money, or disrupting business operations.
Cybersecurity has become increasingly important as intrusion methods have grown more sophisticated and the number of malicious actors has grown. At the same time, effective cybersecurity has become harder to implement because of the rapid expansion of the Internet, the adoption of cloud-based applications, the reliance on wireless networks, and the proliferation of “smart” devices such as smartphones and televisions that make up the Internet of Things (IoT). There are now more devices online than there are living people, which makes defending against inventive attackers particularly challenging.
Evolution of Cybersecurity
The history of cybersecurity has academic beginnings. In 1971 Bob Thomas wrote the “Creeper” program, which moved across the ARPANET and printed the message “I’M THE CREEPER: CATCH ME IF YOU CAN.” In 1972 Ray Tomlinson, the inventor of email, modified Creeper to make it self-replicating, producing what is essentially the first computer worm. He then wrote another program, Reaper, which chased Creeper across the network and deleted it; Reaper is generally regarded as the first antivirus software.
In 1988, Robert Morris created the Morris Worm and released it onto the Internet. The program was designed to propagate across networks, copying itself onto each machine it reached. Morris’ stated intent was to gauge the size of the Internet, but the self-propagating worm spread so aggressively (a flaw in its logic caused it to re-infect machines that were already running it) that it brought the early Internet to a crawl. The Morris Worm inadvertently became the first widespread Denial-of-Service (DoS) attack, and Morris became the first person convicted under the Computer Fraud and Abuse Act. It also prompted the creation of the Computer Emergency Response Team (CERT) at Carnegie Mellon University, funded by the Defense Advanced Research Projects Agency (DARPA). Morris was convicted under the Act for gaining unauthorized access to “federal interest” computers and causing damage; the cost of removing the worm from each installation was estimated at between $200 and $53,000.
At the end of the 1990s and into 2000, mass-mailing viruses such as “Melissa” (1999) and “ILOVEYOU” (2000) spread widely, infecting millions of computers and bringing down email systems, but with no strategic objective or financial motive. Viruses of that era were often written by a programmer to demonstrate his or her prowess as a coder, or simply as a prank. These threats did, however, drive the development of antivirus technology designed to recognise a virus’s signature and prevent it from executing. They also made users aware of the risks of opening email attachments from untrusted or unknown senders.
By the 2000s, cyber-attacks had become more sophisticated and more targeted. Not only did attack methods and motives evolve, but new types of perpetrator began to emerge: state-sponsored hackers working to support the political objectives of foreign governments, and criminal gangs with significant technical and financial resources. One of the first large-scale data breaches occurred between 2005 and 2007, when credit card information for more than 45 million people was stolen from TJ Maxx. This was the point at which cyber-attacks reached a new level of severity, involving regulated data and requiring companies to notify authorities and to set aside funds to compensate victims. TJ Maxx’s handling of and response to the breach was sloppy at best, mainly because the company did not know the full extent of the breach and because it was the first large-scale data compromise of its kind, which left the company in uncharted territory.
By the 2010s, cyber-attacks had become significantly more sophisticated, notably in the 2013 Target breach, which involved the theft of 40 million credit and debit card numbers. The Target breach was far more technically advanced than the TJ Maxx incident, which had involved a direct compromise of a store’s local wireless network. The perpetrators understood that to obtain the data they wanted they had to take an indirect route, through a third-party heating and ventilation supplier to Target, in a series of methodical steps:
- By conducting reconnaissance on the Internet, the attackers identified that Target had a vendor portal. In addition, a published Microsoft case study about Target gave detailed specifics of Target’s network configuration and technology.
- By sending an email containing malware to Target’s HVAC vendor, the attackers installed password-stealing malware on the vendor’s computers. The stolen credentials gave them access to Target’s vendor portal.
- Once inside the portal, the attackers carried out extensive monitoring and reconnaissance to find paths deeper into Target’s network.
- They then discovered a misconfigured server that could be used to reach the Point of Sale (PoS) systems.
- Once the PoS systems were accessed, custom memory-scraping malware was installed that captured card numbers at the moment they sat unencrypted in the system’s memory.
- The data was then sent to drop locations, retrieved by the attackers, and sold on the black market.
The Target breach was so high profile that it led to the resignation of the company’s CEO. Subsequent high-profile attacks, including those on Sony, OPM and Home Depot, gained the attention of boards and forced companies to better understand the risks of cyber-attacks. They began to commit additional resources to prevent breaches before they occur, to detect them when they do occur, and to respond appropriately afterwards. Target should have been the first to inform its customers of the breach. Instead, the breach was uncovered by an investigative journalist who noticed credit card numbers for sale on the darknet, all with one thing in common: they had been used at Target.
Cybersecurity practices have also advanced over the years to keep pace with and defend against the latest threats. Most mainstream services, systems, and applications now ship with a reasonably high baseline of security, which makes a direct breach of the network perimeter harder for attackers. Defensive effectiveness still depends, however, on the quality of an organization’s IT security policies and on the rigour with which they are implemented. Threats have continued to evolve in turn, from ransomware such as CryptoLocker and WannaCry to sophisticated social engineering attacks.
Social engineering attacks are the most common type of cyber threat because they exploit human error rather than vulnerabilities in software and operating systems. Legitimate users make mistakes, and those mistakes are much harder to predict than the behaviour of traditional malware. Social engineering techniques prey on systematic flaws in human decision-making known as cognitive biases; the attacker exploits these “bugs in the human brain” through various combinations of techniques to obtain employees’ confidential information. Two of the most common social engineering techniques are phishing and spear phishing.
Phishing is a technique used to fraudulently obtain private information. Typically, a mass email is sent from a sender who appears to be legitimate. A common example is a fake Office 365 password-reset email prompting the user to reset their password. The user clicks the reset link and is taken to a site that looks very much like Office 365. The user unknowingly enters their old password and then their “new password”. The attackers now hold the user’s real password, while the user believes they have reset it. With the password, the attackers can log in to the user’s mailbox and steal personal information or intellectual property, or simply download all of the user’s email and contacts to use in a second attack. In some cases an attacker will also set up a rule that forwards all future sent and received email to an external address, allowing them to keep monitoring the victim’s communications even after the password is subsequently changed. Incident response for a phished mailbox should therefore include reviewing and removing mailbox forwarding rules, not just resetting the password.
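The forwarding-rule persistence described above is something a defender can hunt for directly. The following is an added example, not code from the original article: it audits a list of mailbox inbox rules and flags any rule that forwards or redirects mail outside the organisation, with higher severity when the rule also deletes the original message or carries a blank-looking name (both common in post-phishing persistence). The sample rules are constructed for the example; the field names are assumed to mirror the properties exported by Exchange Online’s Get-InboxRule cmdlet, and the internal domain list is an assumption.

```python
import re
from dataclasses import dataclass

# Assumption: the organisation's own mail domains. Anything else is "external".
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample, not real data. The field names mirror the properties
# exported by Exchange Online's Get-InboxRule cmdlet (assumption); a real audit
# would feed the exported cmdlet output into audit_rules().
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Move newsletters", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False},
    {"Mailbox": "alice@example.com", "Name": "Copy to finance", "Enabled": True,
     "ForwardTo": ["Finance Team <finance@example.com>"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": False},
    # Typical post-phishing persistence: punctuation-only name, external redirect,
    # and the original deleted so the victim never sees the message.
    {"Mailbox": "bob@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["b.backup@collector.example.net"], "DeleteMessage": True},
    {"Mailbox": "carol@example.com", "Name": "Old project", "Enabled": False,
     "ForwardTo": ["partner@example.org"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": False},
]

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    external_targets: list
    severity: str
    reasons: list


def external_addresses(rule, internal_domains):
    """Return every forwarding target whose domain is not one of ours."""
    found = []
    for field in FORWARD_FIELDS:
        for entry in rule.get(field, []):
            # Entries may be plain addresses or "Display Name <addr>" strings.
            for addr in ADDRESS_RE.findall(entry):
                domain = addr.rsplit("@", 1)[1].lower()
                if domain not in internal_domains:
                    found.append(addr.lower())
    return found


def suspicious_name(name):
    # Attackers often name rules "", ".", ".." or similar so they are easy to miss.
    return len(name.strip(" .-_")) == 0


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag rules that move mail outside the organisation, ranked by severity."""
    findings = []
    for rule in rules:
        targets = external_addresses(rule, internal_domains)
        if not targets:
            continue
        reasons = ["forwards or redirects mail outside the organisation"]
        if rule.get("DeleteMessage"):
            reasons.append("deletes the original, hiding the forward from the user")
        if suspicious_name(rule.get("Name", "")):
            reasons.append("rule name is blank or punctuation only")
        if not rule.get("Enabled", True):
            severity = "low"      # disabled, but still worth removing
        elif len(reasons) > 1:
            severity = "high"     # external target plus a concealment trait
        else:
            severity = "medium"
        findings.append(Finding(rule["Mailbox"], rule.get("Name", ""), targets, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity.upper()}] {f.mailbox} rule {f.rule_name!r} -> {', '.join(f.external_targets)}")
        for r in f.reasons:
            print("    -", r)
```

The same check should be run against mailbox-level forwarding settings (not only inbox rules), since attackers use either; the disabled rule is still reported because a rule an attacker can re-enable is not a rule you want to leave behind.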
Spear phishing differs in that it is far more targeted and customised than a mass phishing email. Attackers research their targets in order to trick them into taking a requested action. A common spear phishing attack is an impersonation email, apparently sent by the “CEO” to an employee, instructing them to take a specific action such as wiring money to a particular vendor or providing personal information. Spear phishing has a significantly higher success rate than generic phishing because of the volume of open source intelligence an attacker can gather from public sources, including social media and company websites.
Cybersecurity starts with perimeter network security: firewall access rules, encrypted wireless networks, antivirus/antimalware and the other traditional IT security best practices. It also requires an effective IT security program of policies and procedures. Following a structured approach such as the NIST Cybersecurity Framework, which collects industry standards, guidelines, and best practices for managing cybersecurity risk, helps ensure a holistic implementation. As noted above, the biggest cyber threats today no longer come through traditional technical methods but through social engineering, so state-of-the-art defensive practice focuses on controls designed to defend against social engineering attacks such as phishing.
Since email is the most common vehicle for social engineering, preventing these threats from reaching users is the first and most important step. Advanced email security platforms that filter and identify fraudulent email protect against phishing by scanning inbound messages for fraudulent website URLs before a user can click a link and open it in a browser. Attachments are detonated in a sandboxed virtual environment before the user is allowed to access them. Finally, the message content is scanned for impersonation attempts, commonly known as “CEO fraud”.
Even the most advanced email security platforms are not 100% effective, and as attackers become more sophisticated some malicious email will reach users. For those situations, ongoing, organization-wide security awareness training is a critical part of cybersecurity. Security awareness training includes simulated phishing tests to determine what percentage of end users are “phish-prone”, so that additional education can be given to those individuals. Frequent, randomised phishing tests offer several remedial options when a user falls for a simulated attack, including training videos and quizzes. The training makes sure users become familiar with the mechanics of spam, phishing, spear phishing, malware and general social engineering tactics, so that they can apply this knowledge in their day-to-day work.
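To make the URL-scanning step concrete, here is an added example (not code from the article or from any email security product) of the kind of link analysis such a platform performs on an inbound message: it extracts every link from the HTML body and flags bare IP destinations, punycode (internationalised) hostnames, link text that displays one domain while the link goes to another, and hostnames that imitate a protected brand. The sample message, the protected-brand table and all hostnames are constructed for the example; real platforms add URL reputation feeds and sandboxing on top of checks like these.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands the organisation wants protected, mapped to the
# registrable domains those brands legitimately use.
LEGIT_MS = {"microsoft.com", "microsoftonline.com", "office.com"}
PROTECTED_BRANDS = {"microsoft": LEGIT_MS, "office365": LEGIT_MS}

# Constructed sample lure in the style described above. Every host is fictional
# (reserved example/documentation names); the third link uses a Cyrillic "о".
PUNY_HOST = "micr\u043esoft.example".encode("idna").decode("ascii")
SAMPLE_EMAIL = f"""
<p>Your Office 365 password expires today. Reset it now to keep access.</p>
<p><a href="https://login.micros0ft-online.example/reset">https://login.microsoftonline.com/reset</a></p>
<p><a href="http://203.0.113.7/o365/verify">Verify account</a></p>
<p><a href="https://{PUNY_HOST}/login">Keep current password</a></p>
<p><a href="https://login.microsoftonline.com/">Sign in normally</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable(host):
    # Naive "last two labels"; production code should use the Public Suffix
    # List so that names like example.co.uk are handled correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one-character brand typos (micros0ft)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(text):
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def analyse_link(href, text):
    reasons = []
    host = host_of(href)
    try:
        ipaddress.ip_address(host)
        reasons.append("destination is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("destination contains a punycode (internationalised) label")
    shown = text.strip()
    if shown and " " not in shown and "." in shown:      # link text looks like a URL/domain
        shown_host = host_of(shown)
        if shown_host and registrable(shown_host) != registrable(host):
            reasons.append(f"link text shows {shown_host} but points to {host}")
    tokens = [t for t in re.split(r"[.-]", host) if t]
    for brand, legit in PROTECTED_BRANDS.items():
        if registrable(host) in legit:
            continue                                     # genuine brand domain
        if any(brand in t or levenshtein(t, brand) == 1 for t in tokens):
            reasons.append(f"host looks like {brand} but is not a {brand} domain")
            break
    return reasons


def analyse_email(html):
    """Map each link in the message to the list of reasons it was flagged."""
    return {href: analyse_link(href, text) for href, text in extract_links(html)}


def is_suspicious(html):
    return any(analyse_email(html).values())


if __name__ == "__main__":
    for href, reasons in analyse_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "clean")
```

Only the final link (a genuine microsoftonline.com host) comes back clean; the punycode link is caught twice, once for the xn-- label and once because its decoded-looking basic characters sit one edit away from the brand name.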
While complex password requirements are good practice, they are no help if a user unknowingly hands their password to an attacker. When a user is compromised by a phishing attack, the last line of defense is two-factor authentication (2FA). The practice is now widespread among financial institutions and other online services. It is easy to use and makes it very difficult for an unauthorised person to gain access to an account even if they know the password. Two-factor authentication requires two separate methods of verifying identity: typically a username and password as the first factor, followed by a second authentication request, such as a code delivered by text message, an app notification, or an email approval. This adds a second layer of security that keeps accounts safe even when the password has been compromised. Note that codes delivered by text message or email can themselves be phished or intercepted, so an authenticator app or a hardware security key should be preferred where the service offers it.
Given the significant increase in socially engineered cyber-attacks, email security, user education and password protection should now be standard in every organization’s cybersecurity configuration. These three preventive measures are most effective when implemented together to mitigate the risk of a successful cyber-attack.
Most people would agree that protecting an organization’s data, systems, and intellectual property is important. Not everyone, however, is inclined to follow the practices and policies a cybersecurity program needs in order to succeed, and there tends to be even more resistance to security controls that “inconvenience” the user. This is especially true of executive leadership, and CEOs in particular, who are unfortunately the most likely targets of an attack. Conceptually, controls intended to protect the user and the organization are a no-brainer; in practice, users may perceive them as a burden.
The challenge of implementing cybersecurity is the trade-off between user convenience and asset protection. We certainly do not want to go overboard and make day-to-day work extremely difficult in the name of security, but everyone in the organization must understand that minor inconveniences are worthwhile given the cost of a security breach.
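The second-factor mechanism in the two-factor authentication discussion above is easiest to see in code. The following is an added example, not code from the article or any product: it implements the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate, and a minimal login flow that checks the password first, then the code, and refuses a code that has already been used. RFC 6238’s published reference secret is used so the output can be checked against the RFC’s own test vectors; the Authenticator class, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"), used only
# so the codes can be checked against the RFC's test vectors. Real secrets must
# be random (see enroll) and are shared with nothing but the user's app.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the 30-second slot."""
    return hotp(secret, int(for_time) // step, digits)


def match_counter(secret, submitted, now, step=30, window=1):
    """Return the time slot whose code equals `submitted`, or None.

    window=1 tolerates one slot of clock drift either side; compare_digest keeps
    the comparison constant-time.
    """
    if not submitted.isascii():
        return None
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


class Authenticator:
    """Minimal password + TOTP login flow (illustrative, in-memory only)."""

    def __init__(self):
        self.users = {}

    def enroll(self, username, password, totp_secret=None):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "totp_secret": totp_secret or os.urandom(20),   # 160-bit, per RFC 4226
            "last_counter": -1,   # highest slot already accepted, for replay rejection
        }
        return self.users[username]["totp_secret"]           # shown to the user as a QR code

    def login(self, username, password, code, now=None):
        # The distinct reasons are for teaching; a production system returns one
        # generic failure message and rate-limits attempts.
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return False, "unknown user"
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        # Password first, so an attacker cannot probe codes without already
        # holding the password.
        if not hmac.compare_digest(pw_hash, user["pw_hash"]):
            return False, "bad password"
        if not code:
            return False, "second factor required"
        counter = match_counter(user["totp_secret"], code, now)
        if counter is None:
            return False, "bad code"
        if counter <= user["last_counter"]:
            return False, "code already used"   # a phished code cannot be replayed
        user["last_counter"] = counter
        return True, "ok"


if __name__ == "__main__":
    auth = Authenticator()
    pw = "correct horse battery staple"
    auth.enroll("alice", pw, RFC_SECRET)
    now = 59                              # fixed clock so the demo is reproducible
    code = totp(RFC_SECRET, now)          # what the authenticator app would display
    print("phished password alone:", auth.login("alice", pw, None, now))
    print("password + current code:", auth.login("alice", pw, code, now))
    print("same code replayed:     ", auth.login("alice", pw, code, now + 1))
```

The replay check matters because a phishing page can capture the one-time code alongside the password; rejecting any slot at or below the last accepted one limits a captured code to a single use inside its 30-second window, which is why phishing-resistant factors such as hardware security keys are still preferable where available.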