It’s almost quaint to talk about phishing as a cyber security threat anymore—although it still is one. Unfortunately, now you have to worry about so much more. The technology available is so much more powerful, and the criminals behind it are so much more sophisticated, that it’s hard enough just to mount a defense, let alone try to be proactive against cyber attacks.
Steve Sanders, vice-president of internal audit, CSI, recently presented an eye-opening rundown of the latest cyber security trends—threats and deterrents.
1. Encryption—Encrypt everything, Sanders says, even though it generates more traffic, increases processing needs, and adds to overhead costs.
“If I’m a bad guy and I want to compromise your information I will start looking at your data. If I notice that some of your data is encrypted and some of your data is not encrypted, what does that tell me? It tells me that I’m interested in what’s encrypted and so I launch my attack against that,” he says.
Another factor arguing for encrypting everything, Sanders says, is: “We’re not real good as human beings at picking out what needs to be encrypted and what doesn’t need to be encrypted.”
On the issue of overhead, he notes that computers, servers, and software grow more and more powerful every day, while bandwidth capabilities are larger than they’ve ever been.
“We have an opportunity now to enable encryption by default,” he says.
2. Social engineering—Sanders calls this “the art of human hacking.”
“It’s where I as a person attempt to get something from you that you should not give to me—and it’s really easy to do,” he says.
It’s easy because human beings generally are hard-wired to want to help people, so if somebody simply asks for something sensitive, or gives even the feeblest of excuses for doing something outrageous, we are programmed to go along.
Plus, social engineering in the cyber world is getting much more sophisticated. Sanders cites a test that cyber security experts use as a demonstration. They mock up a LinkedIn email that looks exactly like the real thing. When the recipient clicks on it, that computer becomes completely compromised.
3. Internet of things—Imagine your refrigerator sending out spam.
Don’t laugh. It can happen, and has, with new appliances—or anything that’s equipped to connect to the internet, which many people want for legitimate reasons in order to control them remotely.
Another example, involving new televisions:
“There’s an internet-connected TV out there now. You can talk to the TV and say, ‘Turn to channel 12,’ and the TV will turn. But what you don’t realize is that the TV is listening to you all the time and it is sending that data up to a server at their location where it processes and then figures out what’s being said and sends it back to the TV.”
“Do you really want everything that that TV hears going up to somebody else’s server?” Sanders asks.
4. Mobile—The incorporation of biometrics for security has been a major step forward, while the old, four-digit password has become extremely vulnerable.
Sanders explains one reason why: “There’s this neat little tool out there that you can plug someone’s phone into and as it enters a password, as soon as it detects it’s bad, automatically shuts the phone down, so that never registers as a bad log-in attempt,” he says. Eventually, in as little as a day, the criminal will come upon the legitimate password.
“The interesting thing about mobile is we’ve not seen it take off as an attack vector yet, like I think it is going to,” Sanders says.
5. Skills gap—Many experts say that “we are many years behind the bad guys when it comes to [technical] skill,” he says. On top of that, many banks don’t have the budget to hire people specifically skilled in information security, and instead assign that job to the IT people on staff.
“Those are two different disciplines,” Sanders warns. “There are some IT people who understand information security, and there are some information security people who understand IT, but they are not the same. They are as different as accounting and IT are, but yet we’re expecting that those IT people get it.”
6. CCaaS—A term Sanders has coined, standing for “cyber crime as a service.”
It basically means the ability to contract for digital misdeeds. It’s a thriving business on what’s called the “dark web,” a sort of underground internet.
Think of the dark web as cyber thug central: “You can hire cybercriminals to hack a company. You can hire cyber criminals to conduct a distributed denial of service attack. You can hire cyber criminals to deface websites. You can hire them to embarrass someone by totally destroying their reputation.”
Sanders says community banks are less at risk for this than some larger companies, but that does not mean they are at no risk.
“We need to be educating our people about what’s out there so they are not as susceptible to these things,” Sanders says.