
Cyber Security: Keeping Up With the Threat


© National Security Institute -1- http://nsi.org/SECURITYsense.html



Aside from nuclear war and weapons of mass destruction, cyberattacks pose the single greatest threat to U.S. security – and they are growing more and more difficult to prevent.

That’s the grim take presented recently by FBI cybersecurity analysts and other experts, who are warning of a possible “cybergeddon” – a scenario where the nation’s economy, in which almost everything of importance is linked to or controlled by computers, is sabotaged by hackers.

Alarmist? Hardly. Shawn Henry, assistant director of the FBI’s cyber division, says terrorist groups are working to create a virtual 9/11, “inflicting the same kind of damage on our country, on all our countries, on all our networks, as they did in 2001 by flying planes into buildings.”

An online attack of that scale hasn’t happened in the U.S., but computer hacking – once something of a sport for brilliant delinquents – is rapidly evolving around the world as a tool of war.

Incidents skyrocketing
One clear indicator of the growing threat is the sheer volume of breaches. Federal civilian agencies reported three times as many cyber-related incidents in 2008 as they did in 2006 to the Homeland Security Department’s office that coordinates responses to cyberattacks. The agencies reported to Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) a total of 18,050 incidents in 2008, compared with 12,986 in 2007 and 5,144 in 2006. The total number of incidents reported by commercial, foreign, private, and government sectors rose from 24,097 in 2006 to 72,065 in 2008.

The Federal Information Security Management Act requires agencies to report cyber incidents, which are defined as acts that violate computer security or acceptable-use policies. The types of incidents include unauthorized access; denial of service; malicious code; improper usage; and scans, probes and attempted access.

Myriad threats
There are, of course, several types of threats that businesses and government agencies alike must be on the lookout for, including:

• Cyber espionage — occurs when a government or business uses technology to steal sensitive information. This may entail sophisticated hacking, but it may be much simpler – as when spies compile publicly available information from company websites, legal documents, etc.


• Cyber terrorism — the worst nightmare of U.S. security experts, entails seizing control over a networked computer system to inflict damage. Imagine, for example, terrorists hacking into the country’s air-traffic control system, or the electrical grid of a major city.

• Mobile computing — while a powerful productivity tool when used securely, offers serious breach potential. Lost or stolen laptops, PDAs, and smart phones often carry sensitive data that could harm a business or even the government if it fell into the wrong hands.

• USB drives — they can be used by disgruntled employees to easily steal sensitive company data, and they can also be used to introduce crippling viruses to corporate networks.

• Social engineering — occurs when hackers or spies trick workers into divulging sensitive information, and remains perhaps the biggest threat. Why? The weak link is typically an employee who compromises security by inadvertently giving up a password or other vital bit of data.

In addition to these threats, experts are warning companies to expect an increase in insider security attacks by disgruntled or laid-off employees. A study last year conducted by the Identity Theft Resource Center found that insider breaches accounted for 18% of attacks. And workers needn’t even have malicious intent to cause damage. Innocent but careless employee actions often set the table for attacks by more malicious parties.

A recent report from the Ponemon Institute found that 88% of data breaches were caused by simple negligence on the part of staff. This negligence can take many forms:

• Using weak passwords.

• Leaving sensitive information unattended on a desk.

• Having a laptop or PDA lost or stolen.

• Unknowingly allowing strangers access to work facilities.

Malicious insider attacks, while not as common as innocent mistakes, have the potential to be more devastating because the employee knows where the crown jewels are kept – the truly valuable company information coveted by competitors, hackers, or identity thieves.

A “subway survey” of London commuters conducted by InfoSecurity Europe Conference found that more than two-thirds of workers believe it’s easy to take information out of their organization. And a whopping 88% believe the data they access at work, including business plans and customer databases, is valuable.

If you want to get worried, couple that with more survey results that found a third of employees would sell company secrets to a stranger for $1.5 million – or even, in many cases, far less.


Changing Face of Cybercrime
How are cyber criminals working today? According to the security experts, three major changes stand out:

1. Hackers are in it for profit. The web is now a vital tool for criminals looking to make money, not merely mischief. Malware-infected systems are used as a network of bots (that is, remote-control robots) for a wide variety of inappropriate activities. Bots can perform denial-of-service attacks, send out spam and phishing emails – they’re the Swiss Army knife of malware distribution, analysts say.

2. Cyber criminals are quieter and sneakier. While early hackers wanted to make a big splash by attacking as many computers as possible in a show of genius and savvy, today’s criminals don’t want to be detected. So their takeovers are done in a slow, methodical fashion. These crooks know that if they can operate as stealthily as possible and take over systems in a selective manner, they stand a better chance of not getting caught.

3. End users are now the primary targets. Large organizations were the main target of attacks less than a decade ago; now end users are the primary targets, experts say. One bit of fallout from this shift is the massive growth of phishing websites, which lie in wait for consumers seeking fantastic bargains.

Exploding risk
Having more sensitive information being seen by more people and accessed on more devices drives up risk significantly, analysts point out.

And the slumping economy doesn’t help. Mass layoffs have increased internal threat levels dramatically. There are a lot of ex-workers with a grudge out there, and they need money. Not only that, but one traditionally weak area for company security is removing a user’s network privileges as soon as he or she leaves the company – so plenty of ex-employees with an ax to grind have ready access to sensitive data.

Employees worried about job security face rising temptations to seek out and hoard proprietary data that could help boost their job performance, or at least make them more marketable should they get laid off.

Of the 400 information technology pros who participated in a recent survey conducted by security vendor Cyber-Ark, 74% said they knew how to circumvent security to access sensitive data, and 35% admitted to doing so without permission. Among the most commonly targeted items: customer databases, email controls, and CEO passwords.

Digital spy threat
As the world’s engine room of research and development, the U.S. is vulnerable to espionage, especially in the technology-rich aerospace and military industries, telecommunications, cars, and pharmaceuticals.

Corporate espionage costs the world’s 1,000 largest companies more than $45 billion each year, according to PricewaterhouseCoopers.


While all industries are vulnerable, firms in the defense and high-tech sectors need to be especially watchful. All told, U.S. businesses lose up to $250 billion in revenue as well as 750,000 jobs annually.

Researchers at the University of Toronto have uncovered a computer spying operation they called GhostNet that was based primarily in China and had stolen documents from governments and private businesses around the world.

In another worrisome sign, there have also been recent credible reports that cyber spies from China, Russia, and other countries have penetrated the U.S. electrical grid with the aim of disrupting the system.

Moreover, cyber perpetrators are known to have sought access to information about the Pentagon’s next-generation fighter aircraft, the $300 billion Joint Strike Fighter. In the case of the Joint Strike Fighter project, attackers were able to copy and siphon off multiple terabytes of data related to the design and electronics systems, which could make it easier for hostile nations to defend against the aircraft.

Analysts agree that evidence points to China as being the base for spies responsible for the GhostNet attacks, and that they’ve hacked U.S. servers too.

The U.S. has listed China as one of the key targets for cyber espionage in the next four years, and views that nation as well as Russia as aggressive players in cyberspace. While “aggressive players in cyberspace” may seem a relatively innocent term, keep in mind that analysts expect cyberspace to be the new battleground in espionage wars for the foreseeable future.

Savvy cyber criminals
Internet criminals are increasingly operating like successful businesses, borrowing the best strategies from legitimate companies and collaborating in partnerships with each other to profit from their illegal activities, says networking giant Cisco.

According to security analysts, more companies are coming under attack from business-aware criminals who are creating spam around major news events, such as swine flu, to gain access to company systems or persuade victims to visit malware-laden websites.

Savvy cyber criminals are taking advantage of our increasing reliance on computers and the Internet.

Other threats wielded by the sophisticated new generation of crooks include botnets, which are being rented out on a software-as-a-service basis, according to the report.

Social nets targeted
Social networking sites are also coming under fire. The problem with sites such as Facebook and LinkedIn is that they create an environment of trust among users, who generally assume that links and downloadable content at the sites are always safe. Nothing could be further from the truth, of course.

The recession and the threat of job losses, meanwhile, have led to a rise in disaffected workers who are much more likely to compromise corporate data.

Analysts point out that in addition to using their technical skills to cast a wide net and avoid detection, the new generation of cyber criminals are also demonstrating some strong business acumen. For example, they are collaborating with each other, preying on individuals’ greatest fears and interests, and increasingly making use of legitimate Internet tools like search engines and the software-as-a-service model.

For businesses, experts say the defense strategy is clear: organizations need to adopt ever more advanced ways to fight cyber crime and remain vigilant across all attack vectors.

Mobile insecurity
Up to 12,000 laptops are lost in U.S. airports each week, believe it or not. And even though more than half are simply left behind at security checkpoints, a whopping 65% to 70% are never returned.

The average value of a lost corporate laptop is about $50,000, according to a Dell-sponsored study of lost or stolen portable computers. The value of the laptop was arrived at by estimating the cost of the data, the loss of productivity, costs associated with replacing the notebook, and other factors.

The maximum value reported was almost a million dollars. Analysts said this number is hardly surprising, given the value of proprietary information such as customer lists and product plans.

According to another report from Verizon Business, the services industry (which includes legal firms and consulting companies) generated an estimated cost of $112,853 per lost or stolen laptop, versus $71,820 for one owned by a financial services employee.

Healthcare, pharmaceutical companies, education, and technology firms also ranked near the top of the list of industries that would be most financially affected by a lost laptop.

So, in dollars, who’s at the biggest risk of losing data in a corporation? Not the chief executive, the study found. Mid-level managers responsible for keeping the company up, running, and moving ahead, and their directors, would cost their companies $60,000 or so in lost data and hardware costs. A CEO’s lost laptop would cost just $28,449, the study found.

Mobile Security: Rules of the Road
Laptops, PDAs, and smart phones are easily lost or stolen – and as most people realize, the information residing on them can cost a business millions. Here are some expert tips to help safeguard mobile tools:

• Label electronic devices with your name, address, and cell phone number. As noted above, most laptops lost in airports are left at security checkpoints, where they’re found by the Transportation Security Administration (TSA) or airport staff. If there’s no identifying information on the device, the authorities have no way to return your property.

• Always carry smaller electronics like cell phones and iPods in the same place in your handbag or carry-on. Knowing where to look for them will not only help you access and use them quickly, but will also help you realize quickly if an item is lost.

• Charge your electronics before you begin a trip so that you don’t have to charge them in an airport lounge or waiting area. Charging in a public place increases your risk of forgetting an item, or having it taken when you look away for a moment.

• If you carry your cell phone, mp3 player, electronic planner, or other small item in your pocket, always check the area when you get up from a seat. Devices can easily slip from a pocket when you’re sitting down.

• Take extra care at security checkpoints to make sure you’ve retrieved all your important possessions. Don’t feel you have to rush to get out of someone else’s way, especially if rushing will increase your risk of forgetting something.

Data breach costs
It costs $6.6 million on average when an organization suffers a data breach and more than $200 per compromised record, according to research from Ponemon Institute.

Researchers looked at 43 organizations that reported a data breach last year and found that roughly $202 was spent on each consumer record compromised. The average number of consumer records exposed in each breach was about 33,000.

More than 84% of the companies surveyed had at least one data breach or loss prior to 2008. The cost of a breach in 2007 was $6.3 million, up from $4.7 million in 2006.

The annual study measured the direct costs of a data breach, including the following:

• Hiring forensic experts.

• Notifying consumers.

• Setting up telephone hotlines to field queries from customers.

• Offering free credit monitoring subscriptions.

• Discounts for future products and services.

The survey also sought to measure more intangible costs of a breach, such as the loss of business from increased customer turnover and decreases in consumer trust. Following a data breach disclosure, the percentage of customers who leave one brand for another was highest among health care and financial services companies.


The experts who conducted the study said breaches truly do cost businesses customers; people really do care when organizations compromise their data.

The survey did not include the effect of a breach on the company’s stock price, which in some cases can be substantial. Recently, when Heartland Payment Systems, the nation’s sixth-largest credit and debit card processor, disclosed a breach that could affect millions of customers, the company’s stock lost 42% of its value.

The study also didn’t measure the cost of intellectual property that is lost or stolen after a data breach. At least 44 states have enacted laws that require companies that experience a breach of personal information to notify those affected.

The accidental enemy
The potential for both accidental and deliberate breaches of personal information and intellectual property by workers is a growing concern, security experts say. Sometimes, employees just get careless, or perhaps they don’t know all they should about their security-related responsibilities.

Indeed, many experts say the top security challenge facing business is to plug these accidental breaches. The enemy, in such cases, is ignorance. For example, an employee in the human resources department might email a contractor a spreadsheet that appears to contain only specific, unclassified material. But if that employee is unfamiliar with the spreadsheet program, he or she may miss the fact that the document includes another tab that’s full of sensitive data on company workers.

Other times, though, the breaches are intentional, perpetrated by disgruntled workers or contractors.

Gaping security hole
Every day, organizations deal with proprietary information containing everything from company trade secrets and marketing research to Social Security numbers and addresses belonging to employees, customers, and others.

For the first time, insiders have overtaken computer viruses as the most frequently reported type of security incident. The financial implications stemming from the theft of proprietary information in the workplace are startling, as the average hit to U.S. businesses recently soared to about $350,000.

What organizations need to understand is that money spent on technology-based security solutions has its limits; insiders, after all, by definition already have access to the network. As long as security budgets focus on technology, the more worrisome threat – human beings – will continue to go unaddressed.

Analysts say they’ve seen hundreds of cases in which a large organization devotes virtually its entire security budget to software and network solutions – but doesn’t take such basic steps as issuing employee badges, training workers about security responsibilities, or even locking the back door!

And workers needn’t be tech-savvy to spill company secrets; often, information about processes, executive changes, and product plans is what rival businesses truly want to learn.

The number one root cause of security breaches continues to be the human factor: an organization’s employees, customers, third parties, and business partners.

There’s a famous saying that “amateurs hack systems, while professionals hack people.” The point is that defense systems designed to stop hackers, spies, phishers, and frauds are always compromised by timeless human weaknesses: inattention, incompetence and complacency.

Numerous information security surveys and reports indicate that awareness training is falling short, with many organizations consigning it to a once-a-year activity or even ignoring it altogether. Experts warn that organizations that fail to train their workers in security fundamentals do so at their own peril. Interestingly, nearly 90 percent of organizations that have implemented awareness training believe that the number of security breaches they’ve encountered has been reduced, according to a CompTIA study.

The bottom line: Cyber security is a team sport involving every employee in the organization. It’s not just about having the right technology and security policies in place — it’s about teaching users how to act securely and responsibly whether they are at their desks or on the road.

Data Security Checklist
Sometimes, the key to data security is … well, an old-fashioned lock and key. Here are some expert tips on securing sensitive data, both physically and electronically.

✓ Lock, stock — or peril. Computer defenses can be critical, but when it comes to protecting personal information, don’t forget old-school physical security. Discourage light-fingered passersby by locking sensitive information in a cabinet or drawer.

✓ Barbarians at the gate. Viruses, spyware, and other invaders will attack an unprotected computer in just seconds. Remember, electronic security is everybody’s business. Be sure to use strong passwords, and change them regularly.

✓ We have met the enemy and he is us. Hackers certainly pose a threat, but sometimes the biggest risk to a company’s security is an otherwise conscientious employee who hasn’t learned the basics about protecting personal information.

✓ Trust, but verify. That Cold War phrase should describe your approach to the security practices of your contractors and service providers.
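The hidden-tab mishap described under “The accidental enemy” above is something a pre-send check can catch. The Python below is an added example, not code from the NSI report: it opens an .xlsx package with only the standard library, reports each sheet’s visibility state from xl/workbook.xml, and counts SSN-formatted values so that a hidden tab or sensitive data blocks the send. The workbook it inspects is constructed inline for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for the .xlsx package parts inspected below.
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_WS = NS_REL + "/worksheet"

# U.S. Social Security number layout (NNN-NN-NNNN), one of the data types the
# report says organizations handle every day.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def audit_workbook(xlsx_bytes):
    """Return (sheet name, visibility state, SSN-like value count) per sheet.
    State is the sheet's 'state' attribute in xl/workbook.xml (absent means
    visible); 'hidden' and 'veryHidden' tabs never show in the tab bar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        target = {r.get("Id"): r.get("Target")
                  for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
            part = "xl/" + target[sheet.get(f"{{{NS_REL}}}id")]
            ws = ET.fromstring(z.read(part))
            # Gather inline-string (<t>) and plain (<v>) cell values.
            text = " ".join(e.text or "" for tag in ("t", "v")
                            for e in ws.iter(f"{{{NS_MAIN}}}{tag}"))
            findings.append((sheet.get("name"), sheet.get("state", "visible"),
                             len(SSN_RE.findall(text))))
    return findings


def blocking_findings(findings):
    """Sheets that should stop the send: any non-visible tab, or any SSN hit."""
    return [f for f in findings if f[1] != "visible" or f[2] > 0]


def build_sample_xlsx():
    """Constructed sample (not a real HR file): a visible 'Summary' tab the
    sender expects, plus a hidden 'Payroll' tab carrying SSNs."""
    def sheet_xml(rows):
        body = "".join(
            "<row>" + "".join(f'<c t="inlineStr"><is><t>{v}</t></is></c>' for v in row) + "</row>"
            for row in rows)
        return f'<worksheet xmlns="{NS_MAIN}"><sheetData>{body}</sheetData></worksheet>'
    workbook = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                '<sheet name="Payroll" sheetId="2" state="hidden" r:id="rId2"/>'
                '</sheets></workbook>')
    rels = (f'<Relationships xmlns="{NS_PKG}">'
            f'<Relationship Id="rId1" Type="{REL_WS}" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{REL_WS}" Target="worksheets/sheet2.xml"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", sheet_xml(
            [["Vendor", "Contract value"], ["Acme Consulting", "120000"]]))
        z.writestr("xl/worksheets/sheet2.xml", sheet_xml(
            [["Employee", "SSN", "Salary"], ["J. Doe", "123-45-6789", "85000"],
             ["A. Roe", "987-65-4321", "91000"]]))
    return buf.getvalue()


if __name__ == "__main__":
    results = audit_workbook(build_sample_xlsx())
    for name, state, hits in results:
        print(f"{name:8} state={state:8} ssn_like={hits}")
    print("BLOCK: review before sending" if blocking_findings(results) else "OK")
```

The same audit works on a real file by passing the bytes of any .xlsx, since the check only reads the workbook, relationship and worksheet parts of the package.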


NSI’s SECURITYsense Solution


Whether it’s protecting the nation’s most sensitive secrets or your company’s proprietary
information, the National Security Institute helps you – and your employees – defend
against a growing array of threats from inside and outside your organization.

Since 1985, NSI has been recognized as a leader in innovative and proven employee
security awareness training and awareness programs – providing an array of services for
both government and private sector. Our client list includes many of the top names in
corporate America as well as virtually every government agency involved in protecting
the nation’s secrets.

NSI’s SECURITYsense awareness program addresses the critical human dimension of
information security and gives employees the tools and information they need to make
security second nature. To learn more about how this valuable resource can help you turn
your weakest security link into your greatest security asset, contact NSI at 508-533-9099
or visit us on the Web at http://nsi.org/SECURITY-sense.html.

National Security Institute


165 Main St., Ste. 215
Medway, MA 02053
Tel. 508-533-9099
Email: InfoCtr@nsi.org
Internet: http://nsi.org

Copyright

This document is copyright © 2009 National Security Institute, all rights reserved.
This report may be freely distributed in Adobe PDF format PROVIDED that it remains intact
including this copyright notice. It must not be sold or incorporated into another product.

FREE! e-newsletter
exclusively for the corporate and government security professional.

Every week NSI’s Security NewsWatch brings news summaries and links to more
information on vital issues of concern to help security professionals stay one step ahead
of ever-changing threats. This weekly e-newsletter is provided to you free of charge
by the National Security Institute as a professional courtesy. To start your free service,
register at http://nsi.org/Newsletter.html.
