Keep employees off the Internet and have workers avoid clicking on any attachment or link in an email. Those are the only sure ways to avoid cyberattacks, according to three experts who spoke today at the North Bay Business Journal’s conference on cybersecurity in Rohnert Park.
Maybe it sounds severe to adopt such a defensive stance in business. But conference speakers said the Internet has become fraught with peril, rife with thieves who will steal identities and drain bank accounts, pretend to be vendors and present fraudulent bills or download ransomware that paralyzes a company’s network until the ransom is paid.
All it takes for a hacker to break into a business computer system is one inattentive employee, especially one who is great at customer service, one whose friendliness becomes the doorway through which a bad guy pounces. Company executives are favorite targets of hackers; they diligently respond to emails disguised to appear to come from within the company.
One speaker, Jim Stickley, owner of Stickley on Security, spoke with a rapid-fire delivery that he describes as a “monkey on crack.” He delivered hard-nosed advice on protecting a bank or other business from hackers and cybercriminals. Since he was a kid, Stickley has been breaking into other people’s computer systems, first for fun, then as a skilled white-hat professional hired to test business computer networks and discover vulnerabilities before criminals do.
By the time he was 16 years old, Stickley was developing code for corporations. “I didn’t realize they were making money off me,” he said about his parents, chuckling that his pastime had become his career. “I just thought it was fun.”
Stickley learned the phone network’s tone controls from phone-company manuals swiped from service personnel in the field. “When kids were mean to me at school,” he said, “I would go and turn their parents’ phone off.”
He wasn’t malicious about hacking, Stickley said, but it was attractive and fun.
Part of his consulting is about physical security. That includes being hired by a company to get into company networks directly. He shows a video of his suit-and-tie employee piggybacking on the entry of a janitorial employee after hours, gaining physical access to the building. After that, malware can easily be installed directly onto company computers. “Just in financial institutions, I have physically gone into over 1,000 locations and stolen whatever I was supposed to steal without getting caught.”
He shows how the dark web is used by hackers to sell stolen data, including medical records that have social security numbers, account numbers, passwords and driver’s license numbers. “There is always some company somewhere that is losing your data,” he said. “You are now the victim.”
The hacker who steals data usually sells the information to thieves who buy the data on the dark web. “The dark web is the easiest and simplest way to bring these people together,” he said.
The dark web can be browsed anonymously through the Tor browser, which bounces packets of communications through millions of servers worldwide. “The dark web is not illegal,” Stickley said. “It is really interesting.” Such sites end in .onion instead of .com or .net. But the dark web contains realms drawn from sinister, creepy aspects of human misfits, he said, noting that some images cannot be unseen once glimpsed.
Another speaker, David Trepp, a partner at BPM and a technology entrepreneur, said hacking relies more on social engineering — human vulnerabilities — than on technical wizardry.
He describes how a modern phishing attack is launched through email to target, for example, a bank. The sender’s name is spoofed to appear to come from a co-worker. The subject matter is topical and the recipient is asked to do something that appears reasonable. A link in the email appears to have a valid bank URL. Often the recipient is tempted with a time-sensitive gift-card reward.
“It is acting like you belong there,” Trepp said. “The human condition is susceptible to deception. The easiest way to break in is to take advantage of people.” A small fraction of any employee population is likely to fall for social-engineering hacks, he said.
Defending against social engineering requires raising awareness of cybersecurity, especially among company executives. Receptionists must be trained to verify the identity of callers and never disclose sensitive information. Phishing attacks can be fended off if recipients confirm who the sender is by opening a reply window to see whether the reply address really belongs to the apparent sender. Never open attachments, Trepp said, unless they are from co-workers with whom you have had recent communication about the attachment. Use the phone to check before opening the attachment if there’s any doubt. Hover over email links to see if the destination URL is legitimate, Trepp said.
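The two checks Trepp describes, the reply-address test and the hover test, can be automated for mail triage. The following is an added example, not code from the conference or from BPM; the message and every domain in it are constructed placeholders.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (placeholder domains): co-worker-looking sender, foreign Reply-To, bank-looking link text.
SAMPLE = """\
From: "Pat Jones (Accounting)" <pat.jones@examplebank.com>
Reply-To: pat.jones@examplebank-secure-login.example
Content-Type: text/html

<p>Confirm your reward: <a href="http://login.examplebank-secure-login.example/verify">https://www.examplebank.com/rewards</a></p>
"""

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every anchor in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude last-two-labels comparison; a real tool would use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def phishing_flags(raw):
    # Return the warnings a recipient would find by doing the two checks above.
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].partition("@")[2]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].partition("@")[2]
    flags = []
    # Check 1 (the reply-window test): a reply would go to a different domain.
    if reply_to and registrable(reply_to) != registrable(sender):
        flags.append(f"replies go to {reply_to}, not {sender}")
    # Check 2 (the hover test): the URL the link displays is not where it goes.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown = urlparse(text if "://" in text else "//" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and registrable(shown) != registrable(actual):
            flags.append(f"link shows {shown} but goes to {actual}")
    return flags
```

A message with no Reply-To header and links whose text matches their target returns an empty list.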
Never allow unlocked, unattended workstations in an office, he said. Use strong passwords, and turn off Wi-Fi when it’s not in use.
Businesses have lost more than $1.6 billion from hacking attacks since 2013, according to the FBI’s Elvis Chan, who works from a San Francisco office. In 2016, those losses amounted to nearly $360 million.
One of hackers’ favorite attacks is ransomware, where a hacker installs malware that encrypts a company’s data or blocks access until a ransom is paid to the hacker, usually in bitcoins. In 2016, some $2.4 million was paid in ransom, Chan said.
Hacking attacks are organized by unfriendly countries including China, North Korea, Russia and Iran, said Chan, who recommended that companies establish strong security policies and provide training so employees know how to defend the company’s network.
“I put a name and a face on the bad guys,” Chan said, tracking them down across the globe and seeking arrests where possible. “Ninety-nine percent of breaches are from social engineering,” he said, where a hacker might impersonate a company’s CEO via email. Only 1 percent comes from government-versus-government cyberattacks such as the Stuxnet worm.