Chasing the ever-nimble hacker

After many hacker break-ins last year, there will be even more sophisticated capers in 2016, according to reports released by top cybersecurity firms. This article appears in the April issue of EPM.
By Joe Dysart | March 07, 2016

Security experts say the image of yesteryear's hacker—the pimply faced teen on a lark for grins and giggles—has given way to organized crime teams, hell-bent on stealing and monetizing stolen data.

“Organizations should expect to be hit,” says Tom Kellermann, chief cybersecurity officer, Trend Micro, a security software maker that released a cybersecurity report in November.  “Preparing to overcome this challenge will become the mantra in the winter of 2016.”

The impact of hackers’ antics has never been greater. “The evolution of breaches is beginning to take a turn toward real-world effects on enterprises’ bottom lines and people’s lives,” says Raimund Genes, chief technology officer, Trend Micro.

The ethanol industry would do well to pay attention to the latest hacker threats, given that their company's computer networks—and their process control systems—are vulnerable. “We have a healthy respect for what hackers can do,” says Lyle Schlyer, president, Calgren Renewable Fuels LLC.  “Our accounting and laboratory data servers have been subject to such attacks.”

All ethanol producers need to do what they can to protect against hackers, he adds. One way Calgren does that is by not allowing its distributed control system (DCS) system at the plants—the computers and software that controls the plant’s processing—to be connected to the internet in any way. And, control valves are hardwired to the DCS rather than being wireless.

“I doubt anyone is truly ‘ready’ for an attack,” Schlyer says. “But we do what we can to both protect against them and be able to recover should one occur.”

High on the list of hacks to watch out for in 2016 will be a spike in ransomware showing up on Apple computers, which previously had been bypassed by hackers in favor of more prevalent Windows machines, according to Kaspersky Lab, a security software maker.

More vulnerable, too, will be mobile devices, including those running the Android operating system, according to the Trend Micro Report. Plus, hackers are expected to spend more time plundering computers workers use at home.  Such personal computers and smartphones can often serve as easy knock-offs to what hackers are really looking for:  easy entry into the corporate networks they’re linked to, according to the “McAfee Labs Threats Predictions Report,” released in November by Intel Security.

The coming year is also expected to give rise to the hacker-as-information-broker, with hackers amalgamating data they’ve stolen from more than one database, repackaging it, and then selling the resulting much more dangerous and much more potent invasion of privacy at a higher price. For example, instead of simply selling stolen credit card info, an enterprising hacker could combine that data with other info stolen from an individual’s health insurance plans, tax returns and company records.

Intel researchers say hackers in 2016 will also be using personal data stolen from major security breaches during the past few years to steal even more data by phone or over the Internet—given that the same data is often used in challenge questions companies use for identification. Essentially, challenge questions like “What’s your social security number?” or “What street did you grow up on” will be child's play for hackers, who may already have this info from previous data breaches.

But even while increasingly sophisticated attacks appear inevitable in 2016, IT security experts don’t plan to take the onslaught lying down. Major hardware and software makers are hard at work developing new technologies companies can use to defend digital perimeters.

Google has announced that it will issue regular security updates for its Android software, after being repeatedly stung by a series of hacks in 2015. Plus, antivirus makers like Symantec—which has candidly admitted that  antivirus software is becoming increasingly ineffective against hackers—have added Behavioral Analytics to their arsenal. Essentially, Behavioral Analytics scouts personal computers for signs of unusual behavior or the installation of unknown programs and offers tools and, or advice for how to (hopefully) neutralize the problem. “Integrating breach detection systems with intrusion prevention systems is fundamental to decreasing the time hackers dwell on their networks,” says Trend Micro's Kellermann.

Cybersecurity experts also advise ongoing employee awareness training programs. Unfortunately, the human factor is often the weakest link in an otherwise well-secured company network, the experts say.

Even now, when headlines report of millions of IDs and passwords regularly stolen from major corporations, the most commonly used passwords are “123456” and “password,” according to Splash Data, a cybersecurity firm. If passwords were created using 32-characters and featured letters, numbers and special symbols, there would no need for technological alternatives. Such passwords, according to security pros, are virtually uncrackable.

Chipmaker Intel has a free, online password checker, which tells how many years it takes to crack any password. Type in a gobbledygook mishmash of 32 letters, numbers and special symbols and it takes stupid amounts of computer power—plus approximately 25 years—to crack it. Unfortunately, too few people are willing use 32-character passwords made from gobbledygook inputs. 

And, many cyber-techologists are busy creating alternatives. Apple Pay users, for example, can already rely on their thumbprint to make a purchase using their iPhones—not an ID and password.

Mastercard is currently pilot-testing Identity Check, an online ID verification system for shopping, that relies on a selfie taken by the shopper, or a fingerprint scan, to authenticate a purchase. And users of Microsoft’s Windows 10 can replace ID and password access to their computers with Windows Hello.  It's software that offers users the ability to sign-in using fingerprint readers or facial recognition, although the facial recognition option requires a high-end, depth-perception camera.

Meanwhile, Lawrence Livermore National Laboratory licensed an advanced anti-hacker software tool to Cambridge Global Advisors this past summer.  It’s designed to pinpoint suspicious behavior by hackers, once they’ve compromised a system’s ID and password, and are freely roaming a computer network.

“The future of authentication is free from traditional passwords,” says Geoff Sanders, CEO, LaunchKey, which sells ID authentication technology that includes fingerprint verification, geofencing, facial recognition and other verification alternatives.

Author: Joe Dysert
Internet speaker, business consultant
[email protected]