[BreachExchange] Where are the real cybersecurity threats?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 24 18:38:53 EDT 2016


http://www.usatoday.com/story/money/2016/10/24/where-real-
cybersecurity-threats/92666966/

October is National Cyber Security Awareness month and a good time to
consider what the threats to our cybersecurity are and what we can and
should be doing about them.  Sometimes it seems like the problems of
cybersecurity are overwhelming, but with concerted efforts by individuals,
businesses and governments we can dramatically reduce the level of this
threat to merely “whelming,” which isn’t a word, but should be.

Part of the problem is technology itself.  Computers and computer networks
are involved with nearly every aspect of our lives.   We have seen the
concern in recent days as to the potential vulnerability of our voting
system where already voters’ registration lists have been subject to
cyberattacks.

The plain, hard fact is that if something is connected to the Internet, it
is vulnerable to hacking and data breaches. The computers, smartphones and
other electronic devices used by everyone connected to the Internet are
vulnerable to hacking — by which data can be stolen and used for a variety
of criminal purposes such as identity theft, fraud, extortion, commercial
espionage,  insider trading and more. In addition, hackers can take over
computer operated systems and wreak havoc.

The Internet of Things by which devices that previously would not have been
connected to the Internet are going online by the billions provides
tremendous advantages, but also brings new vulnerabilities for determined
cybercriminals to either control these devices or use these devices as a
less protected point to gain access to data and information to be used for
criminal purposes.

The list of objects that make up the Internet of Things is huge and
increasing every day. By 2020 it is predicted that there will be 5.4
billion devices connected to the Internet.  Among the devices that make up
the Internet of Things are cars, refrigerators, coffee makers, televisions,
wearable technology, webcams, copy machines and medical devices.

In 2007, former Vice President Dick Cheney was so concerned about hackers
that he had the Internet connection on his pacemaker disabled.  Earlier
this month, Johnson & Johnson issued a warning that its OneTouch Ping
insulin pump could be hacked through the unencrypted radio signal used in
the device and last August, St. Jude Medical saw its stock value drop after
a cybersecurity firm announced that it had found security vulnerabilities
in the company’s pacemakers and implantable defibrillators.

In the United States and throughout the world, critical infrastructure
essential to our lives are connected to the Internet and vulnerable to
hackers be they cybercriminals, terrorists or foreign states.  The damage
that a successful attack on any of these areas of our infrastructure could
be extensive.

Among our critical infrastructure operated by computers and networks of
computers as noted by the Government Accountability Office (GAO) are
“financial institutions, telecommunications networks, and energy production
and transmission facilities.”  Our water supply and even nuclear power
plants are also part of our infrastructure controlled by computers.  As
noted by the GAO, “ as these critical infrastructures have become
increasingly dependent on computer systems and networks, the
interconnectivity between information systems, the Internet and other
infrastructures creates opportunities for attackers to disrupt critical
systems, with potentially harmful effects.”

In 2014, a German steel mill had the computers which operated its smelting
furnace hacked causing it to overheat and resulting in tremendous damage.

The Government Accountability Office issued a report in 2015 in which it
concluded that the computers that make up the National Air Traffic Control
System are vulnerable to hacking. The report issued 17 recommendations and
168 specific actions to address security weaknesses in security controls
including – what should have been obvious – the need to encrypt sensitive
data. That glaring flaw is one that is found throughout the Internet which
was never developed with security in mind. Too often security has been
built in as an afterthought rather than incorporated into the systems using
the Internet as a part of their initial development.

The banking industry has already suffered major attacks throughout the
world as evidenced by the Carbanak gang cyberattacks on banks in the United
States, Russia, Germany, China and Ukraine in which a billion dollars was
stolen.  As so often has been the case, the manner by which the malware
necessary to accomplish these attacks were downloaded was through phishing
emails that lured employees into clicking on links in tainted emails that
downloaded the malware.

Technology has created dangers unprecedented in human history. However,
just as technology may be part of the problem, it may be part of the
solution as well.  A common thread in so many major data breaches and
cybercrimes is the use of phishing and spear phishing emails to lure people
into downloading dangerous malware that enables the cybercriminal to gain
access to data or even control entire systems.  Computer programs called
analytics that can recognize and protect computer users from phishing
emails are available.  Better training of employees in safe computing,
increased use of encryption and enhanced security software are among the
tools that can help protect our security.  Fighting cybercrime is going to
be a never ending battle, but we have the tools to win this war.  We just
need to commit to using them.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161024/779cc26f/attachment.html>


More information about the BreachExchange mailing list