
Cutting-Edge Cybersecurity 

NJBIA’s Cybersecurity Summit featured nonpareil experts who revealed what businesses must (but sometimes don’t) know about cybersecurity today.

Technology has evolved so rapidly that businesses, large and small alike, are sometimes unaware of the most up-to-date cybersecurity techniques that can help protect them from bad actors operating anywhere in the world. Of note, it is not just large banks and Blue Chip corporations that are being attacked; smaller businesses are routinely in the crosshairs, and a single cyber attack can destroy a company’s reputation or even the company itself.

Moreover, cybercriminals are now so sophisticated that robust firewalls and antivirus software are, in many ways, ineffective (the best antivirus software can detect only a small portion of the malware that is constantly being created with unknown – and therefore undetectable – variants).

With enough time and persistence, criminals can “hack” any corporation, but Krista Mazzeo, cyber threat intelligence analyst at the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), said, “I always use the analogy of ‘don’t be the low-hanging fruit.’ Essentially, if you live in a neighborhood, and you are the only one who doesn’t lock the car at night, and everyone else does, whose car do you think is going to get stolen? You know: The one that is not going to make any noise.”

Mazzeo was one of 12 cyber experts who spoke at NJBIA’s Cybersecurity Summit, titled, “Cybersecurity Practices for a Business Like Yours,” recently held in Bridgewater.

In effect, the event’s mantra was that businesses must first become aware of the ways in which they can be attacked, and then take all appropriate preventative steps.

Website Threats

Even something as innocuous as visiting a popular website can infect a computer, because a website’s third-party advertisements may contain malware. The user need not do anything “wrong,” or even click on the banner, to be infected. Mazzeo said, “One of my favorite things is using an ad blocker, and I know there is a lot of controversy over that. [However], when you are browsing the Internet now, malicious ads are a big deal, and very big sites that should know better might be feeding your computer with malicious code, because they go through third-party ad vendors. [Therefore], I always advocate using an ad blocker extension on your browser.”

E-mail Threats

E-mail can potentially be read as it travels through the Internet, and, also, once a computer workstation is infected, e-mails – and even every keystroke made on that computer – can be communicated to a cyber criminal. Addressing an audience member’s question, Timothy P. Ryan, managing director of security and investigations at Kroll Cyber Security and Investigations (who formerly was a supervisory special agent for the FBI’s largest cyber security squad in the United States), said, “If by encryption, you mean Company A to Company B, that will not be effective. If you encrypt it with digital signatures and encryption, that’s great, because then even if the bad guy gets access to that desktop, they can’t decrypt it. The problem is going to be: How are you going to communicate the password? I know everybody says, ‘Oh, just encrypt things.’ Trust me. If you try to send me an encrypted file, today, you and I are going to have to have a 15-minute conversation regarding: ‘What format? How can I accept it? Do I need to download an executable to run it? You are encrypting it with ‘this’; what am I going to decrypt it with? Does it have to be the same thing?’ It is far more complex than what the government would have most people believe. But, that’s why the bad guys focus on e-mail so much, because almost everything in e-mail is not encrypted.”

What can a company do? First, among other security awareness techniques, it should train its employees not to open e-mails or attachments from unknown sources, and if there is any doubt regarding an incoming e-mail’s veracity (that it might not actually be from who it says it is), the recipient should use another form of communication such as dialing the sender’s confirmed telephone number (not the phone number in the e-mail).

Ryan said that hackers will monitor a company’s network for perhaps months, watching an exchange of e-mails related to a business deal, for example, and then, at the last minute, send a counterfeit e-mail (not really from the CEO) to the person with wire instructions, which very credibly states to wire the money to a “different” bank. That bank is actually for overseas criminals.

Ryan added, “We also see the shotgun approach, where [criminals] just send out a ton of these messages, out, into the environment, and they pretend to be somebody’s CEO. They say, ‘Look, there is a new transaction taking place. Please wire the money to this Chinese bank account, because we are about to acquire this firm.’ You would think that would not work, but that has cost companies millions and millions and millions of dollars.”

A Quick Overview

Cyberattacks can come from so many sources that a brief overview is in order. Among other precautions, Ryan recommended two-factor authentication (such as a six-digit code being sent to a cell phone, in addition to a password on a computer). Ryan quipped, “If every company used two-factor authentication, I would not be a cybersecurity expert. I don’t know what I would do; I would be back in the FBI, investigating bank robberies.”

He also recommended out-of-band communications for any wire transfer: “If you are wiring money, or there is a change of transfer instructions, you want to do what is called out-of-band communications. You should not be communicating both the change, and the new instructions, in the same band. So, what’s the band? One band is the e-mail communication that is used from a computer. Out-of-band would be taking it out of the computer context, and putting it in the cellular context. When I send somebody a report that is password protected and encrypted, I send them the report in an e-mail, but I send them the password by cell phone. I send them a text [message]. That’s an out-of-band communication. If somebody compromises your e-mail account, they still can’t get that second band.”

Additionally, Ryan suggested monitoring e-mail logs to discover if there are log-ins from unknown IP addresses. For example, if a company is in New Jersey, an e-mail log-in from overseas should raise suspicions. Among his many other tips and advice, Ryan recommended company users be trained to forward any suspicious behavior on their computers to their IT helpdesks.
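The log review described above can be automated. The following is an added example, not part of the original article or anything the speakers presented: it flags successful e-mail log-ins from addresses outside the networks a company expects. The log format, the user names and the `KNOWN_NETWORKS` list are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: networks the company expects log-ins from (office, VPN).
# Documentation address ranges are used as constructed sample values.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample lines in a hypothetical key=value mail-server log format.
SAMPLE_LOG = """\
2024-03-04T08:12:01Z event=login user=alice@example.com ip=192.0.2.15 result=success
2024-03-04T08:40:19Z event=login user=bob@example.com ip=198.51.100.7 result=success
2024-03-04T23:55:42Z event=login user=alice@example.com ip=203.0.113.77 result=failure
2024-03-04T23:56:10Z event=login user=alice@example.com ip=203.0.113.77 result=success
2024-03-05T02:03:33Z event=login user=carol@example.com ip=198.51.100.200 result=success
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"result=(?P<result>success|failure)$"
)

def is_known(ip_text):
    """True if the address parses and falls inside an expected network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable address is treated as unknown
    return any(ip in net for net in KNOWN_NETWORKS)

def suspicious_logins(log_text):
    """Map user -> [(timestamp, ip, prior_failures)] for successful
    log-ins that came from outside KNOWN_NETWORKS."""
    failures = defaultdict(int)   # failed attempts per (user, unknown ip)
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or is_known(m["ip"]):
            continue
        key = (m["user"], m["ip"])
        if m["result"] == "failure":
            failures[key] += 1
        else:
            alerts[m["user"]].append((m["ts"], m["ip"], failures[key]))
    return dict(alerts)

if __name__ == "__main__":
    for user, hits in suspicious_logins(SAMPLE_LOG).items():
        for ts, ip, fails in hits:
            print(f"{ts} {user}: log-in from unknown address {ip} after {fails} failed attempt(s)")
```

The count of earlier failed attempts from the same address helps the helpdesk decide which alerts to look at first.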

Ransomware

Ransomware – when cybercriminals use malware to encrypt a company’s computers, and then demand payment via the cryptocurrency Bitcoin – is an extremely dangerous and common cyber threat. Criminals can encrypt computer networks, the network backups, and even the shadow volume copies – and therefore cripple a company. The ransomware will eventually alert users that there’s an issue as ransom is demanded.

Rashaad Bajwa, president and CEO of Domain Computer Services, said, “For the sake of your business, it’s knowledge. The knowledge is there, and you need to get the knowledge to make sure that this doesn’t happen in the first place.”

A Step Further

Meanwhile, Fernando A. Reiser, information security and IT risk management at NJM Insurance Group, said, “I am a big proponent of system isolation and network isolation. [You need to] understand that the Internet is a great enabler, but it is also the root of all evil, from a malware and cybercrime perspective. So, again, think about the concepts of data-centric and people-centric security. … Do you want to implement security all across [your entire company]? Or, can you isolate the very risky behaviors to certain end-users, or ‘knows,’ as opposed to trying to protect all things from all people, all the time?”

 
