Yep, sorry, everyone… this is a real problem. In fact, it’s a HUGE problem. Your company’s vulnerability, in large part, comes from your employees. And with a little know-how and finesse from the bad guy, here are a few ways this happens AND a few ways your employees can be active participants in stopping them.
1. Carelessly opening email
Employees often spend the day checking their email — and hackers know it. This makes email a prime entry point for cyber criminals. Employees MUST approach their email with care so they can identify signs of an attack and mitigate the risk.
Common signs of an attack include fake or forged sender addresses, unprofessional subject lines, bad grammar and typos, and a manufactured sense of urgency to respond with personal information.
Employees should be able to identify a potential threat and report it to IT. They shouldn’t click on links (including unsubscribe links), submit information, open attachments, or respond to such an email.
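The signs listed above can also be checked mechanically before a message ever reaches a person. The script below is an added example, not code from the original post: it parses one raw email and reports which of those signs it finds. The two messages are constructed samples, `example.com` is assumed to be the company’s own mail domain, and the urgency and misspelling word lists are deliberately tiny illustrations, not a production filter.

```python
"""Flag the phishing warning signs named in the post on a raw email.

Added example (not from the original post). Sample messages are constructed;
word lists and the trusted-domain set are assumptions for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name claims "IT Support", but the real
# address and the link target sit on a look-alike domain.
PHISHING_EMAIL = """\
From: "IT Support" <helpdesk@examp1e-corp.invalid>
To: employee@example.com
Subject: URGENT!!! your acount will be suspended
Content-Type: text/html

<p>Dear user, you must verify your password within 24 hours or loose access.</p>
<p><a href="http://login.examp1e-corp.invalid/verify">https://portal.example.com</a></p>
"""

# Constructed sample of an ordinary internal message for comparison.
LEGIT_EMAIL = """\
From: Jane Doe <jane@example.com>
To: employee@example.com
Subject: Lunch on Thursday?

Shall we try the new place at noon?
"""

TRUSTED_DOMAINS = {"example.com"}  # assumption: the company's own mail domain
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|act now)\b", re.I)
# Toy list of misspellings and phrases typical of scam mail.
BAD_GRAMMAR = re.compile(r"\b(acount|loose access|verifiy|kindly)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def sender_domain(from_header):
    """Domain of the actual address, ignoring whatever the display name claims."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url_or_text):
    """Bare host part of a URL or of link text that looks like a URL."""
    return re.sub(r"^https?://", "", url_or_text.strip()).split("/")[0].lower()


def analyze(raw):
    """Return a list of findings (empty when none of the signs are present)."""
    msg = message_from_string(raw)
    findings = []
    domain = sender_domain(msg.get("From", ""))
    if domain and domain not in TRUSTED_DOMAINS:
        findings.append("sender-domain:" + domain)
    subject = msg.get("Subject", "")
    if subject.count("!") >= 2 or (subject and subject.isupper()):
        findings.append("unprofessional-subject")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = subject + " " + body
    if URGENCY.search(text):
        findings.append("urgency")
    if BAD_GRAMMAR.search(text):
        findings.append("bad-grammar")
    for href, shown in LINK.findall(body):
        # Link text shows one host while the href actually goes to another.
        if host_of(shown) and host_of(shown) != host_of(href):
            findings.append("link-mismatch:" + host_of(href))
    return findings


if __name__ == "__main__":
    print("phishing sample:", analyze(PHISHING_EMAIL))
    print("legit sample:   ", analyze(LEGIT_EMAIL))
```

Each finding is a string so a mail gateway or a help-desk triage tool can log and count them; the link-mismatch check is the one worth keeping even in a real filter, because a visible address that differs from the href is exactly what a careful employee cannot see without hovering.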
2. Giving password over the phone/leaking passwords
How would your employees respond to this call? “Hi, this is Sam, from IT. We noticed your certificate is about to expire, so I need your password to reset.”
Well, hopefully they’d know that IT would never ask you for a password, or other sensitive information like a social security number, address, or common password reset questions/answers.
Another big one is writing passwords on a notepad, or taping them to the computer. I wrote about this a couple of weeks ago. Not a good idea.
3. Losing mobile phone
It’s easy to lose a device with sensitive information. It’s actually not a matter of if, it’s a matter of when.
So, the question then is, how do we mitigate the loss of information? The 2 most important steps for you to take are 1) requiring that phones automatically lock and require a password to access and 2) making sure you have the ability to remotely wipe a device.
The employee plays an important role here, too. Should this happen, they need to be aware of the risks involved, and report immediately, even late on a Friday night. This allows your IT team to quickly wipe the device and prevent information loss.
Pro tip: Make sure employees know who to contact (direct manager, IT, etc.) and let them know they will never be punished for losing a device and reporting it immediately. They could, however, be at risk if they try to hide it.
4. Weak passwords
Employees (and well, everyone) typically use the same password for their social sites, bank login, and work password.
Is that bad? Yes!
If one is compromised, then the list of password possibilities for everything in your life significantly dwindles.
You should have a company policy that requires employees to use an unrelated password for all company logins and enforce that these passwords are updated regularly.
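“Unrelated” is the part of that policy that is hard to enforce, because people tend to pick `Summer2024` after `Summer2023`. As an added example that is not part of the original post, the check below normalises two passwords (case, common letter/digit substitutions, leading and trailing digits or symbols) and treats them as related when the cores match, contain each other, or are close by edit similarity. The substitution table and the 0.8 threshold are assumptions chosen for illustration.

```python
"""Reject a new password that is only a variation of an old one.

Added example (not from the original post). The substitution table and the
similarity threshold are assumptions; tune them to your own policy."""
import difflib
import re

# Toy table of the substitutions people make to satisfy "add a digit/symbol" rules.
LEET = str.maketrans("013457@$!", "oieastasi")


def normalize(pw):
    """Lower-case, drop leading/trailing digits and symbols, undo common substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def related(old, new, threshold=0.8):
    """True when `new` is too close to `old` to count as an unrelated password."""
    a, b = normalize(old), normalize(new)
    if not a or not b:
        return False
    if a == b:
        return True
    if len(a) >= 4 and len(b) >= 4 and (a in b or b in a):
        return True
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(previous, candidate):
    """Return the first earlier password the candidate is related to, else None."""
    for old in previous:
        if related(old, candidate):
            return old
    return None


if __name__ == "__main__":
    # Constructed sample history for a single account.
    history = ["Summer2023", "P@ssw0rd1", "Ocean7"]
    for new in ["Summer2024", "Password2", "Mountain9"]:
        print(new, "->", check_new_password(history, new) or "accepted")
```

This check can only run at the moment of a password change, when the user presents both the old and the new value in clear text; stored password hashes cannot be compared for similarity, so a history of hashes is no help here. Expect the reuse problem across sites (bank, social, work) to stay invisible to this check as well, since the company never sees those other passwords; that part of the policy is enforced by training and by a password manager, not by code.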
5. Improper disposal
Proper disposal of information is often overlooked.
Let’s say an employee is cleaning their desk, and the primary culprit appears to be the large stack of papers, mail, envelopes, sticky notes, and other junk that’s piled up since the last time they cleaned. Well, they haven’t needed anything in the stack for 6 months, so it’s safe to say they won’t need it in the next 6, right? Everything is pushed in the trash.
But wait — what all was in that stack? Maybe a flash drive? Maybe a flash drive with sensitive customer data, confidential company information, passwords…?
Work with your IT team to develop an information disposal policy. This should include wiping all read/writable media like hard drives and flash drives. CDs and DVDs should be shredded. Paper should be shredded or placed in a special bin so that your IT team can dispose of it properly.
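“Wiping” means overwriting every byte and then confirming the old data is no longer readable, not just deleting files. The script below is an added example, not from the original post: it uses an ordinary file as a stand-in for a small drive image, plants a constructed secret in it, overwrites the whole image with a random pass and a zero pass, and scans it afterwards to prove the secret is gone. The file path and sample content are assumptions.

```python
"""Overwrite a drive image in place and verify the old contents are gone.

Added example (not from the original post). A temporary file stands in for a
removable drive; the secret string and image size are constructed samples."""
import os
import tempfile

SECRET = b"customer-list-2019 CONFIDENTIAL"  # constructed sample content
CHUNK = 64 * 1024


def write_sample_image(path, size=CHUNK * 4):
    """Fill `path` with padding plus the constructed secret, like a small drive image."""
    with open(path, "wb") as f:
        f.write(b"\x00" * 100)
        f.write(SECRET)
        f.write(b"\x00" * (size - 100 - len(SECRET)))
    return size


def wipe(path, passes=("random", b"\x00")):
    """Overwrite every byte of `path` once per pass; returns total bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if pattern == "random" else pattern * n)
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())  # force the pass onto the device, not just the page cache
    return written


def contains(path, needle):
    """Scan `path` for `needle` in chunks, keeping an overlap so matches across chunks count."""
    overlap = len(needle) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            window = tail + chunk
            if needle in window:
                return True
            tail = window[-overlap:] if overlap else b""


def dispose(path):
    """Wipe `path` and report whether the sample secret is still recoverable."""
    wipe(path)
    return not contains(path, SECRET)


def demo(path=None):
    """Build a sample image, wipe it, return (secret present before, wipe succeeded)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="disposal-"), "usb-stick.img")
    write_sample_image(path)
    before = contains(path, SECRET)
    return before, dispose(path)


if __name__ == "__main__":
    before, ok = demo()
    print("secret present before wipe:", before)
    print("wipe succeeded:", ok)
```

On a real device you would open the block device path instead of a file, and the verification scan is the step people skip. One caveat for the flash drives named in the policy: flash controllers remap worn cells, so an overwrite through the filesystem may never touch the physical block that held the data. For flash and SSDs rely on the drive’s built-in secure-erase command where the hardware supports it, or on physical destruction, and keep the overwrite-and-verify routine for magnetic disks.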
So, who should be held responsible when a company’s data system gets breached? Historically, the CIO, the CISO, or both have shouldered the lion’s share of data breach responsibility; well over half of security decision-makers expect to lose their jobs if a hack happens at their organizations. However, breaches don’t happen in vacuums, and CIOs and CISOs don’t operate in them, either. Many CIOs report directly to the CEO, and some security experts feel that CISOs should be elevated to the same reporting level.
Whatever an organization’s reporting structure, the bottom line is the same: the responsibility for everything that happens within the organization, positive or negative, ultimately falls on the CEO and the board of directors. This includes data breach responsibility. This has been reflected in the numerous CEO firings (or resignations) that have followed bad breaches over the past few years, including those at Target, Sony Pictures, and the Democratic National Committee.
Apparently, Yahoo didn’t get the memo about this a couple of years ago. After years of poor cybersecurity practices caught up with them, resulting in multiple breaches affecting over a billion user accounts, putting its acquisition by Verizon into question, and making the Yahoo brand name synonymous with the phrase “data breach,” the company decided to fire its General Counsel, Ron Bell. Shockingly, CEO Marissa Mayer remained in place, albeit with a pay cut (she did leave Yahoo after the Verizon acquisition, but of her own choosing).
In Yahoo’s case, the CISO and the rest of the security staff couldn’t be fired. Fearing that a major security incident would eventually happen, they’d already run for the hills. The New York Times reported that former CISO Alex Stamos and his team had spent years warning Mayer of potential security issues, but Mayer insisted on putting “the user experience” ahead of cybersecurity and even cut the team’s budget.
Preventing Breaches Is Everyone’s Responsibility
Cybersecurity isn’t just an IT issue. It impacts every individual and department in an organization — from the board of directors all the way down to minimum-wage clerical and retail employees. The overwhelming majority of data breaches originate inside an organization, either because a negligent or untrained employee makes a mistake or a malicious insider decides to strike back against the company. No cybersecurity policy is complete unless it addresses the human factor behind data breaches by promoting a culture of cybersecurity awareness. This culture must start at the top of the organization; if the board, the CEO, and the rest of the C-suite do not take security seriously, front-line employees certainly won’t.
Yahoo’s firing of Ron Bell certainly shook up the legal community and caused much debate over where data breach responsibility ultimately lies. While this may have served to light a fire under organizations with questionable cybersecurity practices, the focus should not have been on whose heads would roll if a breach happened; it should have been on implementing proactive cybersecurity and compliance measures to prevent hacks from happening in the first place.
As for Yahoo, in September they settled a worldwide class-action lawsuit that alleged security issues dating back as far as 2003. Yahoo’s attorney and lead plaintiffs’ counsel told the U.S. District Judge in federal court that both sides had reached an “agreement in principle” — $47 million to be exact.
Scenario: an email appears in your inbox where a complete stranger claims to have video footage of you watching porn and asks for $1,000. Your eyes widen. There’s outrage and embarrassment. You reach for your phone — but then you wonder, “Wait. Who do I even call?”
Unfortunately, the answer to that question is a little complicated.
As it turns out, even law enforcement officials can’t agree. The FBI and your local police both suggest that you should call them. But experts warn that in many cases, neither agency will be able to help, especially if the criminal is asking for so little money.
This dynamic really highlights why these kinds of hacks — and yes, the porn scam really happened — are starting to mushroom. And there’s no clear answer on who to call. It’s no surprise that cyberattacks have run rampant across the web, as thieves online find ways to steal credit card information from millions of people without leaving their homes.
“If the people doing it keep the dollar amounts small enough that no individual police department is going to be motivated enough to prosecute, you can collect a lot of money from a lot of people all around the world,” said Adam Bookbinder, the former chief of the US Attorney’s cybercrime unit in the district of Massachusetts.
Sometimes these crimes don’t even involve a hack. An email scheme in which scammers spammed inboxes threatening to blackmail victims, without any evidence, netted $28,000 over two months, researchers from cybersecurity company Digital Shadows found.
“But unless it’s a public concern, there’s a good chance no one will handle it,” said Bookbinder, who’s now a cybersecurity and privacy team member with the Holland & Knight law firm.
Local police
In an emergency, you’re supposed to call 911. If you are a victim of a crime, you should always contact the police.
But here, there’s not much your local police can do for you. For starters, you’d have to show that an actual crime happened, which is much more difficult when it’s digital.
“For example, if someone accesses your Facebook account without your permission, but only uses it to look around at your messages, it’s not enough to meet the threshold for a criminal investigation,” Bookbinder said.
“That’s a misdemeanor,” he said. “Could it be prosecuted? Yes. Is it likely that anyone is going to want to spend the resources on it? No.”
“But if someone used private photos from your Facebook account and threatened to blackmail you with it, then it would be something that police could investigate,” he said.
That’s assuming your local police have the resources to deal with investigating hacks. While more local and state police are improving their computer crime capabilities, it hasn’t happened across the board for every department.
It gets even more complicated if the hack crosses state or national lines. If your account is accessed by a Russian hacker, for example, your local police wouldn’t have the resources to investigate that.
“NYPD is probably an outlier in the resources they have available for investigation,” said Jake Williams, founder of Rendition Security. “But even then, it’s unlikely any law enforcement agency is interested in helping investigate who hacked your Facebook account.”
Homeland Security
If a threat came to your doorstep instead of your digital inbox, the answer would be much simpler: Call the police. But when it’s an online crime, some consider calling 911 a joke.
“I occasionally still hear of companies and locals that call 911 when they believe they’ve been under a cyberattack,” US Department of Homeland Security Secretary Kirstjen Nielsen said during the agency’s Cybersecurity Summit in July.
Nielsen, with a smile, let the remark hang in the air before she told the crowd who they should really call.
“The best thing to do would be to call this center,” she said, referring to the DHS’s National Risk Management Center, a dedicated hub for helping respond to cyberattacks with a focus on critical infrastructure.
But it’s not much help if you’re an average person and not a major company.
“When a person does call the DHS asking for help, the agency will refer them to the FBI,” a DHS spokesman said.
The FBI
The FBI recommends that cybercrime victims call them first — not your local police. The agency has an Internet Crime Complaint Center, where you can file details on what happened and analysts will review the case to determine what actions to take.
Often, though, nothing much is done. The FBI is the best-equipped agency to deal with cybercrime, with its vast resources and plentiful experts, Bookbinder said, but if the complaint isn’t a major case, it likely won’t be investigated.
“They won’t handle most cases of individual hacks unless they’re very high profile or a bunch of money was lost,” Williams said. “It varies from office to office, but most of them we’ve worked want to see $10K stolen before they’ll get involved.”
So is all hope lost? Not necessarily.
“The best way to get a response would be to report the incident to the FBI,” Bookbinder said. Even if your case doesn’t pop up on the agency’s radar, it’s logged into the FBI’s databases of cybercrime complaints. “If enough similar complaints come in, analysts can connect the dots and start building an investigation,” the former cybercrime unit chief said.
“They now have a good-sized crime, and all these people are victims in a case where they do prosecute someone,” he said.
Chances are, you weren’t the only one hit with an email threatening to blackmail you over porn, or whatever. The FBI — and security experts — encourage you to at least report potential cybercrimes in order to help build up a case.
But here’s the thing: The same spamming tactic that cybercriminals are using to cast a wide net may also be their downfall.