Saturday, July 28, 2012

You Are Losing the Battle With Hackers. Yes, You.


You Have Been Hacked
“We’re not winning. … I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security.”
That’s a quote from Shawn Henry, the FBI’s top cyber cop who has spent two decades with the bureau, from a recent interview with the Wall Street Journal. And he’s not alone in thinking that there needs to be fairly substantial changes to software and network security.
James A. Lewis, a senior fellow on cybersecurity at the Center for Strategic and International Studies, said that as gloomy as Mr. Henry’s assessment may sound, “I am actually a little bit gloomier. I think we’ve lost the opening battle [with hackers].” Mr. Lewis said he didn’t believe there was a single secure, unclassified computer network in the U.S.
“There’s a kind of willful desire not to admit how bad things are, both in government and certainly in the private sector, so I could see how [Mr. Henry] would be frustrated,” he added.
Big companies, small start-ups, utility providers, government agencies, no one is safe from hackers and many networks are less secure than organizations think.
Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said. …
Mr. Henry said FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed.
“We have found their data in the middle of other investigations,” he said. “They are shocked and, in many cases, they’ve been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially.”
Mr. Henry said that while many company executives recognize the severity of the problem, many others do not, and that has frustrated him. But even when companies build up their defenses, their systems are still penetrated, he said. “We’ve been playing defense for a long time. …You can only build a fence so high, and what we’ve found is that the offense outpaces the defense, and the offense is better than the defense,” he said.
To drive the point home, let’s take a look at some other recent articles. According to an article from PCWorld, roughly 40% of US federal agencies are not in compliance with the mandate to deploy DNS Security Extensions (DNSSEC), which lets zone owners sign their DNS records so that validating resolvers can detect forged responses and cache poisoning attacks. Federal websites were supposed to implement DNSSEC by December 2009. From PCWorld:
Approximately 40% of federal government agencies are out of compliance with a regulation that requires them to deploy an extra layer of authentication on their Web sites to prevent hackers from hijacking Web traffic and redirecting it to bogus sites.
It’s been more than two years since federal agencies were required to support DNS Security Extensions (DNSSEC) on their Web sites. However, two recent studies indicate that around 40% of federal Web sites have not yet deployed this Internet security standard.
Laggards on adopting this Internet security standard include the Department of Defense and the Central Intelligence Agency, experts say.
Read the full PCWorld article >>>
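The DNSSEC gap described above is something you can audit for your own domains. The script below is an added example written for this post, not code from the PCWorld article or from the studies it cites: it parses the text that `dig +dnssec` prints and reports whether the answer carried signatures (RRSIG records) and whether the resolver that answered set the AD flag, meaning it validated the chain of trust. The names (agency.example and the others) and all the dig outputs are constructed for the example; nothing here talks to the network.

```python
"""Parse `dig +dnssec` output and report whether a name is DNSSEC-signed
and validated. Added example for this post; the dig outputs below are
constructed, not captured from real queries."""
import re
from dataclasses import dataclass, field

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]+);", re.M)   # e.g. ";; flags: qr rd ra ad;"
STATUS_RE = re.compile(r"status: (\w+)", re.M)          # e.g. "status: NOERROR"


@dataclass
class DnssecReport:
    name: str
    status: str                   # rcode from the dig header
    ad_flag: bool                 # resolver validated the answer (AD bit)
    answer_types: set = field(default_factory=set)  # RR types in ANSWER SECTION

    @property
    def signed(self) -> bool:
        # RRSIG in the answer means the zone publishes signatures. dig only
        # asks for them when +dnssec sets the DO bit, so run it with +dnssec.
        return "RRSIG" in self.answer_types

    @property
    def validated(self) -> bool:
        # AD only means the resolver you asked validated the chain. A signed
        # zone queried through a non-validating resolver shows RRSIGs but no AD.
        return self.status == "NOERROR" and self.signed and self.ad_flag


def answer_types(text: str) -> set:
    """Return the set of RR types that appear in the ANSWER SECTION."""
    parts = text.split(";; ANSWER SECTION:", 1)
    if len(parts) < 2:
        return set()
    section = parts[1].split("\n;;", 1)[0]   # stop at the next ';;' header
    types = set()
    for line in section.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "IN":   # owner ttl IN TYPE rdata
            types.add(fields[3])
    return types


def parse_dig(name: str, text: str) -> DnssecReport:
    m = STATUS_RE.search(text)
    status = m.group(1) if m else "UNKNOWN"
    m = FLAGS_RE.search(text)
    flags = set(m.group(1).split()) if m else set()
    return DnssecReport(name, status, "ad" in flags, answer_types(text))


def audit(outputs: dict) -> list:
    """Names whose A lookup was not both signed and validated."""
    return sorted(n for n, t in outputs.items() if not parse_dig(n, t).validated)


# Constructed samples. Signed zone, asked through a validating resolver:
SIGNED_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
agency.example.  300  IN  A      192.0.2.10
agency.example.  300  IN  RRSIG  A 8 2 300 20120801000000 20120701000000 4711 agency.example. c29tZXNpZw==

;; Query time: 9 msec
"""
# Same zone, asked through a resolver that does not validate (no 'ad'):
SIGNED_UNVALIDATED = SIGNED_VALIDATED.replace("qr rd ra ad;", "qr rd ra;")
# Unsigned zone: no RRSIG and no AD.
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
legacy.example.  300  IN  A  192.0.2.20

;; Query time: 8 msec
"""
# Signed zone with broken signatures: a validating resolver returns SERVFAIL.
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; Query time: 40 msec
"""
# DS lookup at the parent (dig +dnssec agency.example DS):
DS_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
agency.example.  3600  IN  DS     4711 8 2 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
agency.example.  3600  IN  RRSIG  DS 8 1 3600 20120801000000 20120701000000 4700 example. c29tZXNpZw==

;; Query time: 11 msec
"""

if __name__ == "__main__":
    outputs = {"agency.example": SIGNED_VALIDATED, "legacy.example": UNSIGNED,
               "bogus.example": BOGUS}
    print("not validated:", audit(outputs))
```

Run `dig +dnssec <name> A @<validating resolver>` and feed the output to `parse_dig`. Two caveats matter when you turn this into a compliance check: the AD bit only tells you what the resolver you asked concluded, so audit the zone itself by querying the parent for DS (as in `DS_ANSWER`) and the authoritative servers for DNSKEY and RRSIG; and a SERVFAIL from a validating resolver on a zone that is supposed to be signed (the `BOGUS` sample) usually means expired signatures or a mismatched DS, which is the failure mode a deployed-but-unmaintained DNSSEC zone hits.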
The lack of security also affects small businesses, which have traditionally assumed they would be overlooked by hackers in favor of larger hauls. Even small companies hold customer data, including personal information and card numbers. If that data is easily accessed, it is nothing more than low-hanging fruit that hackers can pick and then sell on the black market. From PCWorld:
If you run a small business, and think that none of your data was of interest to a hacker, consider this: what if a hacker could take stolen bank account or credit card information from your computer and package it with the same information from a hundred or a thousand other small businesses? Would it be worth something then?
“SMBs don’t know how defenseless they’ve become, especially to automated and industrialized attack methodologies by organized crime,” Christopher Porter tells PCWorld. Porter, a principal with the Verizon RISK Team, is the author of a new report from Verizon on security risk.
“[Hackers] scan the Internet, looking for remote access services, and then try the default credentials. Once they gain access, they automatically install keyloggers to collect password information [as it's typed in],” Porter says. “Then they send the information out via e-mail or by uploading it to an FTP server or a web site. They aggregate the data and sell it on the black market.”
Read the full article at PCWorld >>>
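The chain Porter describes (scan for a remote-access service, try default credentials, log in, install a keylogger) leaves a recognizable trace in the service's authentication log before the keylogger ever runs: a burst of failed logins from one source followed by a successful password login from the same source. The detector below is an added example written for this post, not code from Verizon or PCWorld. The sshd log lines, the hostname pos-01 and the addresses are constructed, and the year 2012 is assumed because syslog timestamps carry none; RDP or VNC logs would need their own parser but the same windowed logic.

```python
"""Flag remote-access logins that succeed right after a burst of failures.
Added example; the log lines below are constructed, not real."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# OpenSSH auth-log lines, with or without the "invalid user" prefix.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
LOG_YEAR = 2012   # assumed: syslog timestamps have no year


@dataclass
class Event:
    time: datetime
    host: str
    outcome: str   # "Failed" or "Accepted"
    method: str    # "password" or "publickey"
    user: str
    src: str


@dataclass
class Alert:
    host: str
    src: str
    user: str
    failures: int   # failures from src inside the window before the success
    time: datetime


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return Event(ts, m["host"], m["outcome"], m["method"], m["user"], m["src"])


def detect_guessed_logins(lines, threshold=3, window=timedelta(minutes=10)):
    """Alert when a source gets a password login accepted on a host after at
    least `threshold` failures from that source inside `window`."""
    failures = defaultdict(deque)   # (host, src) -> times of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[(ev.host, ev.src)]
        while recent and ev.time - recent[0] > window:   # expire old failures
            recent.popleft()
        if ev.outcome == "Failed":
            recent.append(ev.time)
        elif ev.method == "password" and len(recent) >= threshold:
            alerts.append(Alert(ev.host, ev.src, ev.user, len(recent), ev.time))
            recent.clear()   # one alert per burst
    return alerts


# Constructed sample log: one guessed login, one slow failure that falls
# outside the window, and a routine key-based login.
SAMPLE_LOG = """\
Jul 28 03:12:01 pos-01 sshd[2231]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jul 28 03:12:02 pos-01 sshd[2233]: Failed password for invalid user pi from 198.51.100.7 port 51023 ssh2
Jul 28 03:12:03 pos-01 sshd[2235]: Failed password for admin from 198.51.100.7 port 51024 ssh2
Jul 28 03:12:05 pos-01 sshd[2240]: Accepted password for admin from 198.51.100.7 port 51030 ssh2
Jul 28 03:40:00 pos-01 sshd[2300]: Failed password for admin from 192.0.2.44 port 60001 ssh2
Jul 28 03:55:00 pos-01 sshd[2310]: Accepted password for admin from 192.0.2.44 port 60002 ssh2
Jul 28 08:00:10 pos-01 sshd[3001]: Accepted publickey for ops from 203.0.113.5 port 40012 ssh2
""".splitlines()

if __name__ == "__main__":
    for a in detect_guessed_logins(SAMPLE_LOG):
        print(f"{a.time} {a.host}: {a.src} logged in as {a.user} after {a.failures} failures")
```

The threshold and window are the knobs to tune: the automated tooling Porter describes tries a handful of default credentials quickly, so a short window catches it, while a slow, spaced-out guess (the 192.0.2.44 lines above) needs a longer window or a lower threshold to surface, at the cost of more noise from users who mistype their password.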
Even if you don’t hold particularly sensitive customer data, the rising trend of “hacktivism” could affect your poorly protected site. These groups tend to target websites or organizations they feel slighted by or disagree with, but as more and more people jump on the bandwagon of hacking just because they can, some seemingly random sites have been attacked as well. And the hackers will likely post whatever information they collect (including user names and passwords) in a very public fashion. From TechCrunch:
Move over organized cybercriminals, the new gangs in town don’t want our money, but they want to make a point, and they’re going to do whatever it takes to make sure we listen. The annual Data Breach Investigations Report from Verizon and major security agencies has found that hacktivism from the likes of Anonymous accounted for 58 percent of all data stolen online in [2011] — a contrast with years past, when organized crime groups were the main culprits. …
In an investigation that also involved United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police, Verizon found that 2011 was the second-highest year for data loss that it has recorded, since it started the annual investigation in 2004. In all, it analysed 855 data breaches covering 174 million stolen records and 100 million users.
One notable point is that while organized criminals will use the data for financial gain, hacktivists are wreaking havoc for political and social reasons. …
Another point is that hacktivists’ tactics are also being adopted by others: although hacktivists accounted for 58 percent of stolen data, hacking actually appeared in 81 percent of breaches (versus 50 percent in 2010). Malware also grew in usage: it appeared in 69 percent of breaches, compared with 49 percent in 2010.
Read the full TechCrunch Article >>>
Even if you think your security is top notch, it’s important not to get complacent. We’ll end with another quote from The Wall Street Journal:
Testimony Monday before a government commission assessing Chinese computer capabilities underscored the dangers. Richard Bejtlich, chief security officer at Mandiant, a computer-security company, said that in cases handled by his firm where intrusions were traced back to Chinese hackers, 94% of the targeted companies didn’t realize they had been breached until someone else told them. The median number of days between the start of an intrusion and its detection was 416, or more than a year, he added.
