Anti-virus software doesn’t make company computer servers safe from invisible criminals who operate with no laws

NTDA 2016 Convention highlights

Many company executives have a false sense of security. They think that because they have anti-virus software, their servers are secure from hackers.

Wrong!

The computer world is the equivalent of the Wild West, with invisible criminals and no laws or consequences.

Our servers are no more secure with anti-virus software than our houses are with an alarm system.

“It is easy for someone to break in—they just need to break some glass,” said Peter Rowe, chief technology officer for Vigillo LLC. “Even if there is a security system, it is still easy to break in. People can even break into the White House. So security is a balance—effort and cost versus results. There is no such thing as perfect security at your house no matter what you do. Likewise, there is no such thing as perfect security of a computer that is connected to the Internet. The Wild West means there are no laws, and no law enforcement.”


Rowe said cybersecurity is the key—and that is a vigilant effort to protect your computer assets and critical data against criminals.

“The point here is that hackers are really out to get you,” he said. “Viruses don’t simply appear from nowhere. They are created by malicious computer programmers.”

How serious is cyber hacking? There are three “actors”:

•  Hackers wishing to steal money or goods.

•  Hackers who hack out of interest or to identify security vulnerabilities (“white hats”) and those who wish to maliciously impact computer systems (“black hats”). Where hacking to release private documents, as with WikiLeaks, fits in is an open question.

•  State agents (countries who have large hacking resources).

“Future wars will be predominantly cyber wars, not nuclear, not conventional warfare,” he said. “This has already happened via the Stuxnet virus. The Stuxnet virus appeared at the Natanz nuclear facility in Iran and is a blockbuster cyber weapon. Stuxnet was a US-Israel project designed to destroy nuclear centrifuges used to enrich uranium by causing them to spin out of control. Stuxnet went a year undetected and was introduced to the facility on a USB thumb drive. The general understanding in the cybersecurity community is that the US and Israel have a cyber-lock on the entire country of Iran and that Stuxnet is the tip of the iceberg.”

Rowe also pointed to a 2007 incident in which two men hacked the Federal Motor Carrier Safety Administration’s Safety and Fitness Electronic Records System (SAFER), registered their own trucking and brokerage companies, then changed registration information for other truck and brokerage companies who already were registered. Later, they posed as carriers on various Internet load boards, entered contracts with brokers to haul advertised loads, then double-brokered the loads to another carrier.

Rowe said that in 2015, the average cost incurred by a company due to a data breach was $188/record, with HIPAA violations seven times higher. He said 40% of all breaches occur in companies with fewer than 1000 employees.

“Eighty percent of the Internet is a dark alley of corrupt access via the Tor browser,” he said. “This is the ‘marketplace’ where hackers trade their wares and the things they steal from you. Then there’s Bitcoin, which allows for anonymous payment so that hackers can extort money but cannot be found by any law enforcement.”

Rowe said malware is all about getting malicious software into your computer by clicking a link in an email, visiting an infected website, downloading malicious attachments or software, or inserting an infected USB flash drive. Then the malware gathers confidential information like passwords, credit card numbers, and social security numbers, and infects other company computers from there.

“Consider the security a motor carrier might use to send cash to drivers, to pay bills, to receive payments from customers, and dispatch trucks with high-value loads,” he said. “What are the chances people at the office use the same credentials to access these websites that they use to access their own personal email accounts, Facebook, and Instagram?

“Ransomware is the biggest threat to you. It is so bad that police, hospitals, schools, and even the government are paying the ransom to hackers. The FBI recommends that you pay.”

“The Internet of Things (IoT) is coming and it is a huge cybersecurity risk. These devices have usernames and passwords embedded in firmware that cannot be changed, they are easily hacked, and there are millions and billions of them. The IoT devices can be used to instigate a monstrous DDoS attack. This is going to be a huge problem in the future. Your coffee maker steals your credit card or hacks the Pentagon.”

He provided these cybersecurity tools—things companies can do to protect themselves:

•  Updates. “Use Windows 10, make sure Flash and Adobe PDF etc. are updated.”

•  Backups (use SpiderOak and do it). “Low costs, set it and forget it and you are protected, even from Ransomware.”

•  Internet security. “You must have software that checks websites you visit, checks downloads to your computer, checks the USB driver you plug in. Any major brand will do.”

•  Password manager. “It can be centrally managed. RoboForm is a great solution.”

•  Two-step authentication. “Set this up on Google Mail, Dropbox, and many other services. This will protect you if credentials get stolen, like the recent 500 million credentials hacked from Yahoo and available on the Dark Web.”

•  Secure email. “You are sending all kinds of sensitive material in emails (logins, contracts, financials). Encrypt your emails with ProtectedTrust.”

•  Encrypted USB flash drive. “Buy a USB thumbdrive that is FIPS 140 compliant.”

•  Encrypted hard drive. “Use Veracrypt—it’s free—to create encrypted partitions on your hard drive. If your laptop is stolen, all of your sensitive information is safe.”
