NetEvents: Why the Hackers Are Winning


By: R. Scott Raynovich

SAN JOSE, Calif. -- NetEvents -- With major global hacks such as Equifax in the limelight, concerns about information security have never been higher. Experts here from the U.S. Secret Service and FBI explained why businesses and individuals are failing to protect their data and how the threat landscape is changing rapidly.

The cybersecurity experts on a panel called "The New Hacker -- Who Are They, What They Want, and How to Defeat Them" detailed some of the current challenges, which include the growing sophistication of hackers and the proliferation of high-grade hacking tools, the inability of businesses and individuals to follow fundamental security practices, and the growth of the Dark Web and the spread of anonymous, encrypted communication.

'Exponential' Hacker Sophistication

"Sophistication had gone up exponentially," said Ronald Layton, Deputy Assistant Director of the US Secret Service. "The toolsets that are available today would have been highly classified 20 years ago."

Layton said that several factors have accelerated the advantages of the threat actors. The first is the growing availability of sophisticated hacking tools. The second is the proliferation of connectivity and anonymity, providing many opportunities for the bad guys.

"The ubiquitous connectivity and the simplicity with which we connect and exchange information is one factor," said Layton. Another is the availability of hacking tools and the ease with which cybercriminals can communicate and exchange information with anonymity."

Security Fundamentals

Despite these challenges, experts on the panel said that by following security fundamentals, individuals and organizations can go a long way to reducing risk and protecting themselves.

"You need commitment from leadership, you need to practice security fundamentals, and you need to share information," said MK Palmore, information security risk management executive with the FBI's San Francisco cyber branch. "This message sounds simplistic but it's not being followed."

Some of the basics that are not being followed, according to the panel of experts, include the following:

  • Training people on behaviors that increase risk, such as spear phishing
  • Being vigilant about security patches, and having a system to track and update them
  • Using security tools such as two-factor authentication that create barriers
  • Building a security apparatus at the organization to track and audit security policies

Human factors and training are a major trend -- having a systematic way to train and enforce human behaviors to reduce risk. The panelists mentioned spear phishing as one of the most common threats to organizations (spear phishing is the technique of using fake emails with attachments or links to websites to draw users into giving hackers information or downloading malware).

"If your employees are clicking on every attachment they are getting, bad things are going to happen," said Michael Levin, former deputy director, U.S. Department of Homeland Security, and CEO and Founder of the Center for Information Security Awareness.

Two-factor authentication was mentioned by several individuals as a tool that is fairly easy to implement, but not used by everyone.

"Two-factor authentication is an obstacle [for the criminal]," said Palmore. "It's not insurmountable. It's not going to stop them, but for the cyber threat actor it represents an obstacle that's a waste of their time. They will move to a target that's easier to breach."

Layton referred to the battle against cyber criminals as "rock, paper, scissors," in which the hackers are constantly refining the tools they use to approach. He also said that the Dark Web, encryption, and anonymous payment methods such as cryptocurrency have enabled the hacker community to expand their ability to exchange information and tools.

Building a Security Plan

All of this paints a dark picture for cybersecurity. However, it's clear from recent hacks, such as the Equifax breach, that some vulnerabilities are being exposed not because protection is impossible -- but because of basic failures in security policy. It's clear now that the Equifax hack derived from a failure to apply a patch for a known threat.

The experts said that individuals and organizations need to have systematic security practices that focus on fundamentals and basic protection behaviors -- and that many organizations aren't doing that at all.

"Companies might invest just enough to say they're solving the problem but not enough to have a vibrant security apparatus," said Levin. "You need a functioning security apparatus... You may have a company that has not made the proper amount of investment. It's just not enough."

As high-profile information hacks proliferate, you would think this message is clear, but apparently it's still not happening in a consistent way.

The Secret Service's Layton points out that cybercrime is still relatively new and that it's going to take time to protect against it. "Cyber is still new -- we'll get there," he said.