Cybersecurity is among the greatest issues facing businesses today, and Morris Plains-based Link High Technologies recently held a seminar featuring renowned security expert Gideon Lenkey. Lenkey, the former president and Chairman of the Board of the New Jersey InfraGard Chapter, has written numerous cybersecurity publications and was featured in the documentary film Code 2600.
Antivirus and Firewalls are Inadequate
Above all, Lenkey noted that firewalls and antivirus software are no longer sufficient because hackers can readily bypass them with unique, undetectable malware – and assailants can do so without the targeted company ever becoming aware of the attack.
Lenkey stressed, “If there is one thing you take out of here today, it is: Yes, [firewalls and antivirus] are necessary, and, yes, they provide a protection value, but it’s not what you think it is. It is not what it was, 10 years ago. They are fully and thoroughly subverted at this point; it is easy to do.”
In fact, Lenkey and his team tested anti-malware products, and he reported: “It was like a hot knife through butter. It surprised even me. I was expecting that we would have [perhaps] an 80 percent fail rate, for the antivirus. I did not expect a 98 percent fail rate. Antivirus is almost useless at detecting a current threat; a current malware. Now, the longer the malware sits on the machine, the more the chance that the antivirus might catch it, if [the malware] is not being updated. You will find that antivirus software detects abandoned malware; malware that has been on your machine for a long time. It might be a worm or something out there, still spreading old stuff around. However, for the most part – the first wave threat is the one that is going to get you.”
“Surfing” the Internet is one way computers can become infected: A user can simply visit a reputable website, and an advertising banner might have malicious code in it, which is then downloaded to the user’s machine.
Lenkey recalled, “A sales guy [was doing] his normal day-to-day job. Then, a Java app gets loaded up from a rotating ad banner; the next thing you know, the thing is under the control of someone in Russia. It was very, very quick: It took seconds. The user noticed nothing; the user did nothing wrong. No anti-virus went off. Nothing. The only reason we saw it was because of unusual SSL traffic going off to an unusual place. We knew it was a pharmacy that serviced veterinarians, and we knew that they probably weren’t servicing veterinarians in Russia. The certificate we saw didn’t make any sense, we investigated, and, of course, that’s what it was.”
Users can take a few simple steps to help protect themselves: disable Java in their browsers, avoid opening PDF documents from unknown sources, and avoid using Flash. In addition, using OpenDNS can add a layer of security. To explain: while hackers can rapidly alter their malware to avoid detection, they are somewhat slower at changing their web addresses. In effect, OpenDNS keeps a log of “bad” web addresses, and when users’ computers are configured to use it for name lookups, it helps prevent them from connecting to those “bad” websites (and perhaps inadvertently downloading malware).
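The filtering behaviour described above can be shown with a small resolver model. This is an added example, not OpenDNS's own code or anything presented at the seminar: the blocklist entries, the upstream address table and the sinkhole address are all constructed here, using reserved documentation ranges. The point it demonstrates is the one in the paragraph: blocking is keyed on the domain, so it still applies when the malware itself is rewritten, and a block on a parent domain also covers hostnames rotated beneath it.

```python
"""Toy DNS-filtering resolver modelled on the blocklist behaviour described above.

Constructed example: the blocklist, the upstream answers and the sinkhole
address are invented for illustration (documentation-range IPs).
"""
from typing import List, Optional

# Constructed blocklist of domains believed to serve malware (hypothetical names).
BLOCKLIST = {
    "bad-ads.example",
    "payload-drop.example.net",
}

# Constructed upstream "zone": what an unfiltered resolver would answer.
UPSTREAM = {
    "www.reputable-news.example": "192.0.2.10",
    "cdn.bad-ads.example": "198.51.100.7",
    "bad-ads.example": "198.51.100.7",
    "payload-drop.example.net": "203.0.113.9",
}

SINKHOLE = "192.0.2.254"  # address answered in place of a blocked name


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'CDN.Bad-Ads.Example.' still matches."""
    return name.strip().rstrip(".").lower()


def matching_block(name: str) -> Optional[str]:
    """Return the blocklist entry covering `name`, checking it and every parent domain.

    A block on bad-ads.example also covers cdn.bad-ads.example, which is what
    makes domain blocking robust to an attacker rotating hostnames under one domain.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None


def resolve(name: str, log: List[str]) -> Optional[str]:
    """Answer a lookup: sinkhole blocked names, otherwise pass through to upstream.

    Every decision is appended to `log`, since the blocked lookups are
    themselves a useful signal that a machine is trying to reach a bad site.
    """
    hit = matching_block(name)
    if hit is not None:
        log.append(f"BLOCKED {normalize(name)} (matched {hit})")
        return SINKHOLE
    answer = UPSTREAM.get(normalize(name))
    log.append(f"ALLOWED {normalize(name)} -> {answer}")
    return answer


if __name__ == "__main__":
    events: List[str] = []
    for q in ["www.reputable-news.example", "CDN.bad-ads.example.", "payload-drop.example.net"]:
        print(q, "->", resolve(q, events))
    print("\n".join(events))
```

The same idea scales from a toy dictionary to a hosted resolver: the client only needs its DNS settings pointed at the filtering service, and the blocked-lookup log is worth reviewing on its own.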
Stressing the insidious nature of malware, Lenkey said, “Malware communicates via SSL, so sometimes it blinds even the best sensors; you can’t see it. You can kind of ‘read the envelope,’ but you can’t look at it. It often leaves no trace on the victim’s file system. Some of the malware is so fast and so efficient that when you come across the web page, it exploits the browser, or the underlying plugin. It takes what it wants; it looks for financial information, it looks for account information; it looks for all your contact information; it bundles it up, ships it off via SSL, and it evaporates: Nothing is left. It gets in, does its job, and gets out.
“And that’s just malware that is there to steal stuff; it is not there to set up shop and ‘use you.’ A lot of the malware stays resident [on your device]. Some of the malware we have seen or watched in the wild, will get onto the system, it will connect to a place, and it will just sit there with a ‘heartbeat.’ Then, all of a sudden, it will come alive, and someone will start exploring the network it is in. They are trying to figure out what kind of company they are in. Then, the hackers come up with the plan of attack: How are they going to make money off of this? What are they going to steal? What are they going to use?”
Lenkey also addressed spear phishing attacks. He said, “Everyone hears about phishing. I have handled quite a few phishing cases in the past few years. The attacker sends the target e-mails, called a spear phish – we all know that. In one case, recently – probably the best spear phish I ever saw – [was when] a superior was impersonated. The attackers knew the guy who was responsible for sending checks. They sent him an e-mail impersonating his superior, the CFO. The e-mail included a forwarded message from the CEO. And it just said, ‘Hey, can you take care of this for me. I need you to pay this bill. Send it to this bank. It is a wire transfer.’ And the employee was like, ‘Oh, yeah, I have to do that.’ In some cases, these range in price from like $20,000, to – in one case – $430,000. And the money is gone. Does anyone know why they use banks in Singapore? We suspect it is because of the International Date Line. It accelerates the money transfer process. Once it hits the bank over there, it is gone. And there’s very little you can do.”
Separately, Lenkey addressed: the dangers of social engineering via the social media site LinkedIn; WiFi concerns; mobile phone communication intercepts; and the importance of not storing personal information on computers.
What Businesses Can Do
Lenkey said that businesses must understand what protections they have, and what purposes they serve. From a security standpoint, they must decide what they should do “in house,” and what they shouldn’t be doing in house. Moreover, businesses must improve their infrastructure for the “battle ahead,” and regularly review policies, procedures and practices.
Among other steps, Lenkey said: “A third-party penetration test is when we hack you like an attacker would. We are going to simulate things that you are going to experience operating your computer in a contemporary environment. When we do these, we advise people: ‘You don’t tell anyone you are doing this.’ Why don’t you tell? It changes their behavior; they are ultra-vigilant; they do things differently.”
Lenkey explored a range of other steps companies can take, including indirect Internet access via a proxy. He also spoke of monitoring: “One of the biggest problems that I see in monitoring, is people don’t design their infrastructure with visibility in mind. They design it with convenience in mind. Really, when you monitor these networks, what you need to do is look at every packet in or out. Ideally, a single chokepoint is the best, because you can say, ‘OK. We monitor this one location. Anything in or out of this network, we’re going to see. And, we will be able to keep an eye on it.’”
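The chokepoint monitoring Lenkey describes here, together with the two earlier observations (the infection that was noticed only because of “unusual SSL traffic going off to an unusual place,” and resident malware that “will just sit there with a ‘heartbeat’”), can be illustrated with a short egress-log analysis. This is an added example, not code from the seminar or from Link High Technologies: the log lines, hostnames, IP addresses, the destination-country field and the list of expected countries are all constructed assumptions. It shows two checks a defender can run on connection metadata alone, since the encrypted payload cannot be inspected: flagging TLS connections to countries the business has no reason to talk to, and detecting source/destination pairs that connect at near-constant intervals.

```python
"""Two checks over outbound TLS connection metadata seen at a single chokepoint.

Constructed example: the log lines, hosts, addresses, countries and the
EXPECTED_COUNTRIES set below are invented for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed log, one line per outbound TLS connection:
# epoch seconds, source host, destination IP, destination country, SNI.
LOG = """\
1700000000 ws-sales-07 203.0.113.5 RU update.invented-cdn.example
1700000060 ws-sales-07 203.0.113.5 RU update.invented-cdn.example
1700000120 ws-sales-07 203.0.113.5 RU update.invented-cdn.example
1700000180 ws-sales-07 203.0.113.5 RU update.invented-cdn.example
1700000007 ws-front-02 198.51.100.20 US www.vet-supplier.example
1700000900 ws-front-02 198.51.100.21 US mail.vet-supplier.example
1700003000 ws-front-02 198.51.100.22 US www.reputable-news.example
"""

# Countries this (constructed) business expects to exchange traffic with.
EXPECTED_COUNTRIES = {"US", "CA"}


def parse(log_text: str) -> List[dict]:
    """Parse the log into records, skipping blank or malformed lines."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, country, sni = parts
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "country": country, "sni": sni})
    return records


def unexpected_destinations(records: List[dict]) -> List[dict]:
    """Flag connections to countries outside the expected set.

    The payload is encrypted ("read the envelope"), so geography and SNI
    are what the chokepoint can still judge.
    """
    return [r for r in records if r["country"] not in EXPECTED_COUNTRIES]


def beacons(records: List[dict], min_connections: int = 4,
            max_jitter: float = 0.1) -> Dict[Tuple[str, str], float]:
    """Find (src, dst) pairs that connect at near-constant intervals.

    Returns the mean gap in seconds for each pair with at least
    min_connections connections whose gap standard deviation is within
    max_jitter of the mean. Human browsing is bursty; a fixed-interval
    pattern is the "heartbeat" of something resident on the machine.
    """
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    found: Dict[Tuple[str, str], float] = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            found[pair] = float(avg)
    return found


if __name__ == "__main__":
    recs = parse(LOG)
    for r in unexpected_destinations(recs):
        print(f"unexpected country {r['country']}: {r['src']} -> {r['dst']} ({r['sni']})")
    for (src, dst), interval in beacons(recs).items():
        print(f"beacon: {src} -> {dst} every {interval:.0f}s")
```

Both checks depend on the design point in the quote: they only work if every outbound connection actually passes the one place that records it, and on a real network the country field would come from an IP geolocation lookup rather than from the log itself.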
Lenkey stressed that small companies should not burden their IT staff with security responsibilities, in part because, while the core skill sets for IT and cybersecurity are similar, the two are “very, very different disciplines.” In essence, IT professionals are trained to enable businesses, while security professionals are trained, for example, to add steps that may be inconvenient.
Overall, for small companies, Lenkey said, “You actually have an advantage being small, because you have less of an attack surface. Everybody knows each other. Nobody is going to walk in the door. It is very hard to impersonate people in a small company; it is very hard to get an e-mail out of the blue that makes sense in the big corporate world, but doesn’t make sense in a small company, like a phishing e-mail. So, small companies do have a bit of an advantage, there. What I recommend for small companies is: Make sure you have protective controls; and you need to make sure you have detective controls – a third party watching over you.
“You are buying a share of a security team, because most companies your size – you can’t afford to have one full-time person doing this. It is a lot cheaper and a lot more effective to just have a managed service that does this. And there are no services that are perfect. No one can say, ‘I can detect everything.’ It’s not true. But, you have to look: You can’t just shut your eyes and run through the woods. You are going to hit a tree, and it is going to hurt.”