A recent article by Joshua Vaughn at The Sentinel, a Pennsylvania newspaper illustrates the inevitability of getting hacked and having your identity stolen, and why it is nearly impossible to stop cybercriminals from succeeding in in their nefarious schemes to rob you. The two reasons why: the toxic combination of malware and employees.
Malware has been around for a very long time, indeed even before the internet itself took off. However, neither the quality nor quantity of malware attacks have remained stationary since viruses were spread via floppy disk. Typically, says Vaughn, “malware is meant to track what the computer is doing to capture user names and passwords or other vital information to access deeper into a company’s systems.” Chuck Davis, professor of ethical hacking and computer forensics at Harrisburg University of Science and Technology, who Vaughn interviewed for his article, said that hackers have a few legs up on upright netizens. One Black Hat advantage is that the malware designers have access to all the counter-measures beforehand:
“The software developers pay the crypters to take their code and run it through every antivirus that’s known,” Davis said. “If any of them flag it malicious, they’ll encrypt that part of the code. They’ll go in and change, and they’ll rerun it. They keep doing this process until none of the antivirus programs pick it up.”
Black Hats have another nearly insurmountable advantage, however, when it comes to breaking open your internal network: your coworkers, employees, bosses, and even yourself and I. We are human beings that are easily and often fooled by the tricks cybercriminals use to rip apart our networks, businesses and lives. One of the most common, and ultimately successful ways that hackers hack your humanity is the “phishing” attack:
“Basically how that goes is the common phishing attack,” Davis said. “Somebody in the company or a bunch of people in the company will get an email that looks like something official and they’ll open an attachment. Maybe it looks like an email from Fed Ex or UPS, saying, ‘Hey, you have a package that was undeliverable. Click on this and we’ll get you the information’ … that gives the bad guys remote access in your system.”
Another successful strategy comes from another human foible: we get bored. And when that bored human happens to be an employee with a computer connected to your internal servers and with internet access, you can expect some web-surfing to happen. Even if the web surfing is for work related purposes, it still leaves you vulnerable:
“If you think about a company who has an internal network — any fortune 500 company — you’ve got an internal, you’ve got your servers and all and none of them are connected to the Internet, but your employees can get out to the Internet,” Davis said.
Some of the results? According to Vaughn: “Identity theft accounted for $24.7 billion in financial losses for 16.6 million people in 2012, according to the Bureau of Justice Statistics. That number is more than $10 billion, or nearly double the amount, of all other property crimes combined.”
And don’t think you or your employees will be spared from the identity theft onslaught. Even if you manage somehow to protect your own networks, what happens when your payroll company gets hacked? That’s what happened to companies using Pennsylvania based payroll and human resource company Paytime Inc., which “announced that its systems had been hacked and personal information for customers had been breached” according to Vaughn. Theft included “Social Security numbers, bank information, date of birth, wage information and home address(es).”
So what can you do to stave off the cyber-barbarian hordes at your gate? Nothing, according to cyber-security experts via Vaughn:
According to cyber-security experts, data breaches are inevitable.
To be more specific, as long as society continues to want the convenience of data, including personal and private information, being accessible from anywhere, people will find a way to steal and exploit that information.
“The paradigm now is if you have a network, you have to expect it’s going to be breached,” said Damon Petraglia, director of forensic and information security services at Chartstone Consulting.
Patraglia’s warning also best serves as the conclusion you should draw:
“It’s not if. It’s when.”
For Joshua Vaughn’s piece at the Sentinel’s website, click here.