How concerned should we be about the sorry results that may befall us if we suffer a cybersecurity breach?
However bad you think things could be, they’re probably going to be worse.
That’s the challenging takeaway I got from a panel discussion on cyber due diligence. It was hosted at Fennemore Craig on May 14, and it included speakers from the firm, prosecutors’ offices, and security firm Kroll.
(The June issue of Arizona Attorney Magazine contains some practical takeaways on cybersecurity preparedness. Read the complete article by attorney Paul Stoller.)
At the Fennemore event, FBI Special Agent Martin Hellmer urged attendees to consider whether their computers housing sensitive data must even “touch the Internet.” Instead, he said, “air-gapped” computers may fill your needs.
“Threats are very real and everywhere,” he said. “Chances are, if your computers are regularly on the Net, and even if you’re regularly patched, you’ve probably been hacked.”
Generations of FBI-watchers hearken back to their work tracking down bank-robbers. But Hellmer said times have changed.
“It’s a great time to be a criminal in the cyberworld. Why someone would walk into a bank today with a note and a gun, I don’t know. Instead, you could sit in the comfort of your own home and steal millions of dollars from someone on the other side of the world.”
Jonathan Fairtlough of Kroll described the “common vulnerabilities and exploits”—“CVEs”—that are most often seen. They include ransomware, spear-phishing attacks, and “social engineering”—that is, calling customer service and claiming you “can’t find your password”; it works more often than companies like to admit.
Fairtlough added that last year’s large-scale data breaches involved ransom demands seeking bitcoin.
Kroll’s Melvin Glapion reiterated that “Every cyber problem is a human problem.” In fact, 80 percent of breaches include some form of insider (including vendors and consultants). Given that, companies must ask, “Who are we locking inside the gate?”
Another problem may arise via the BYOD movement—which urges companies to allow employees to bring their own device and to use those multiple devices to connect to company servers.
Glapion told the story of a director and screenwriter for the Twilight series who refused to be on Sony Pictures’ computer system, opting instead to use their own device. That gap in security, plus a successful phishing expedition, was all that hackers needed to get access to daily updates of scenes during shooting, and even multiple versions of screenplays.
Fortunately, Glapion said, the hacking was done not by criminals with evil intent, but by fans who were obsessed with actor Robert Pattinson (and who hated his co-star Kristen Stewart).
“Those teen girls had the keys to the kingdom,” Glapion said. And your system may be just as exposed.
Also on the panel was Jim Knapp of the U.S. Attorney’s Office. He—like the Kroll representatives—urged companies that had been hacked to contact the authorities.
Knapp said, “You do NOT lose control of your case if you call the feds.” Because the company is a victim, the prosecutors will keep you apprised of every step.
The prosecutor also suggested that all of us use “stock false answers” to the multiple password-reset questions we all face. That way, the “correct” and accurate answers cannot be ferreted out by hackers examining your life via social media.
Thanks and congratulations to Fennemore Director Sarah Strunk for gathering together such a helpful panel.
Here are a few images of slides from the presentation: