An unmarked van with tinted windows pulls into a hospital parking lot. The driver opens his laptop and connects to the hospital’s Wi-Fi network. He waits while the screen blinks with a flurry of data. A few minutes later, the hospital’s CFO gets a phone call. If the hospital doesn’t send $1 million in the next 24 hours, the man says, he will change every patient’s blood type recorded in the system.
You may have heard of ransomware, the programs cyber criminals use to hold all your personal data or your company’s data captive. If you’re lucky, you get it back after you fork over the money.
But there are other cyber threats on the horizon now, including the fictional scenario above, which could easily become nonfiction soon. In these kinds of cybercrimes, called advanced persistent threats, hackers don’t steal the data, but they may change it. And if they aren’t after money, but are instead simply aiming to destabilize your operations, you might not ever know that someone gained access to your systems and corrupted your data.
“Our lives are inextricably linked with cyber now,” says Brian Gouker,* the National Security Agency’s visiting professor and the chair of Cyber Studies at the U.S. Army War College. At the May 24 kick-off event for Immaculata’s new Bachelor of Science in Cybersecurity, Gouker and a panel of other experts discussed how to protect yourself and your business from cybersecurity threats.
The internet is a double-edged sword, Gouker says. It allows us to bank, shop, communicate, and perform countless other tasks with speed and convenience, but it also makes us vulnerable to cyberattacks.
Useful technologies can be bent to unscrupulous ends. Gouker described The Onion Router, or Tor, a technology originally funded by the U.S. Navy, which allows people to hide their IP addresses so that their location can’t be tracked. On one hand, this could be helpful for potentially allowing Special Forces personnel to chat with their families from secret locations around the world. Tor could also allow dissidents in countries with oppressive regimes to voice their opinions freely and safely. But on the other hand, criminals can also use Tor to prevent law enforcement from tracking their online activity.
Last year, the U.S. Office of Personnel Management discovered that Chinese hackers had stolen enormous amounts of personal information about federal employees and military officers—information that hadn’t been properly protected. So now China has detailed intelligence on millions of people, many of whom will eventually rise in the ranks and become the nation’s next leaders and generals, Gouker pointed out.
Other countries may want to avoid combat with a world superpower like the U.S., so they choose soft targets, that is, cyberattacks, as an easier way to gain the upper hand. These realities are unnerving, but Gouker reassured his listeners that the National Security Agency (or “No Such Agency,” as it is jokingly called) has a highly technical workforce, including the largest number of Ph.D.-prepared mathematicians in the world, who work to protect U.S. systems from malicious hackers.
Still, he added, everyone needs to know the basics of computer security, whether as parents, online shoppers, social media users, or employees. Information security is only as strong as the weakest link, and often, the human factor is the weakest link. The best cybersecurity systems in the world can’t keep people from willingly handing over their bank account information to a scammer who sent them a phishing email, which is the most common—and most effective—form of hacking.
We might think we would never be fooled by phishing, but hackers may try to send an email impersonating a president or CFO, based on all the information about a company’s leadership that they can easily find online. Employees are more likely to trust messages coming from these people, Gouker said, and are more likely to open the email and click on untrustworthy links or provide sensitive personal data.
With so many opportunities for cybersecurity breaches, Gouker raised the question of whether the government should be responsible for securing private companies’ networks? Look at how Sony’s breach became a national security concern when North Korea threatened attacks in movie theaters that would be showing The Interview. About 85 percent of critical infrastructure is currently managed by private industry, Gouker said, so it’s still fundamentally their responsibility to secure their systems.
According to the National Cybersecurity Alliance (NCA), “every business faces a number of cybersecurity challenges, no matter the size or industry. All businesses need to proactively protect their employees, customers, and intellectual property.” Gouker quoted the NCA statistic saying that 71 percent of security breaches target small businesses, which are often least equipped to handle such threats.
Unfortunately, many small businesses don’t want to invest in cybersecurity, said panelist Patty Hyatt Pezely, vice president, COO, and co-founder of Allied InfoSecurity Inc. If employees aren’t trained properly, hackers can attack them both at home and at work, and IT departments can’t help.
Panelist Steven Fiergang, general counsel with Layer 8 Security/TRA (Technology Research Associates), agreed. Cybersecurity is not just an IT issue; it is a people issue, he said. Good technology is just one aspect of cybersecurity, and companies also need good business processes, good employee training, and even good physical barriers to networks that store sensitive information. When cyberattacks happen, the cause is often people’s mistakes, not technical failures. If people’s “cyber hygiene” isn’t good, Fiergang said, even the best systems and policies won’t be effective.
Fortunately, you don’t have to be a tech wizard to have good cyber hygiene, or even to become a good cybersecurity professional. Because technology is always changing, the most critical skills for anyone, including cybersecurity professionals, are problem-solving and critical thinking, said panelist John “Andy” Landmesser, Ph.D.,* Cybersecurity program director and deputy director of the Center for Advancement of Security Studies at Valley Forge Military College.
Cyber threats are enough to keep anyone up at night, but Landmesser cautioned against living in fear. Instead, he said, “be conservative and educate yourself.”
*Gouker’s and Landmesser’s views expressed in this article are solely their own and do not necessarily represent the views of the NSA, the U.S. Army War College, or Valley Forge Military College.
10 tips to keep you safe online
(from the May 24 presentation and from StopThinkConnect.org)
- Keep a clean machine: Keep all web-connected devices – including PCs, smartphones and tablets – free from malware and infections by running only the most current versions of software and apps. Turn on automatic software updates. Your best defense is to have the latest updates and patches for your security software, web browser and operating system. Know what apps you’re using and get rid of them if you’re not using and updating them. Use your security software to scan USB drives and other external devices.
- When in doubt, throw it out: Links in emails, tweets, posts and online ads are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
- Get two steps ahead: Turn on two-step authentication – also known as two-step verification or multi-factor authentication – on accounts where available. It adds a layer of protection beyond your username and password. For example, your bank might text you a code to put in along with your password before you can log into your account. Yes, it’s a little more of a hassle. But it means you’re not taking any chances.
- Make better passwords: Add capital letters, numbers and symbols to your passwords. Aim for a phrase or sentence rather than just one word. The longer, the better. Always use different passwords for every account. At a minimum, separate your work and personal accounts, and make sure your critical accounts have the strongest passwords.
- Shop secure: When shopping online, check to be sure the site is security enabled. Look for web addresses with https://, rather than http://, indicating extra measures to help secure your information.
- Get savvy about Wi-Fi hotspots: Limit the type of business you conduct on shared or public Wi-Fi networks, and adjust the security settings on your device to limit who can access your machine.
- Protect your personal information like money: Information about you, such as your purchase history or location, has value. Be thoughtful about who gets that information and how it’s collected through apps and websites. Learn how to turn off your cell phone’s or camera’s geo-tagging feature so you don’t unintentionally reveal your location every time you share a photo online.Think before posting about yourself and others. Consider what a post reveals, who might see it and how it could be perceived now and in the future.
- Watch what you save: Never save your credit card information on an online store’s website. Type it in yourself every time. Don’t let your internet browser save your passwords. Use an encrypted password manager such as KeyPass.
- Trust and verify: If you want to store your data “in the cloud” through an online backup service, don’t just read the company’s marketing materials and assume they’re trustworthy. Find a third party to confirm that they’ll protect your data well. Or just make backups yourself and store copied data in a safe.
- Sound the alarm: Report stolen finances or identities and other cybercrime to the Internet Crime Complaint Center (www.ic3.gov) and to your local law enforcement or state attorney general as appropriate.