So it happened again: another cyber attack, this time of the federal Office of Personnel…
Although people afraid of identity theft probably believe the Internet remains in its Wild West days, the web actually has entered its Cold War era.
Sure, it might not seem that way, considering the number of frightening stories that continue to stack up like credit card offers in the mailbox. Target. Home Depot. Jimmy John’s. Sony Pictures. Anthem.
Each new hack appears greater than the last, and the recent violation at Anthem not only proves that it’s gone beyond just swiping plastic money but that people who personally eschew technology are not immune.
Oh, and one more thing – it’s practically guaranteed that the list of hacks will grow.
Behind the scenes, though, law-abiding software developers and information security professionals are engaged in a furious game of cat-and-mouse with the hackers, who either exploit the “holes” they discover or trade, sell or auction them on the black market. Others on the underground battlefield are willing to warn companies of vulnerabilities – for a price, that is.
“What’s going on at the moment is like an arms race,” says Raimund Ege, an associate professor of computer science at NIU with more than 25 years of experience working with businesses and universities on information security solutions.
“There are the people who have value and want to protect it, and there are the people who want that value,” adds Ege, creator of NIU’s cyber security graduate certificate program. “As soon as a hacker can find a way in, then Microsoft, Google, Apple – whichever – will shore up the defenses. They will close that hole big-time and make a fence around that hole that is humongously high.”
Meanwhile, he says, the companies themselves also are working just as hard every day to locate and patch holes – especially each week on “Patch Tuesday.”
“Anything that’s built – anything that’s manmade, including applications and servers – you build it the best you can. You try to anticipate the typical scenarios you might encounter, but you don’t know what you don’t know,” Fatz adds.
“People spend a lot of time and money on this, and for the most part, they do a good job. But the bad guys just sit there 24/7 trying to find the one little thing that somebody missed, and then they exploit it.”
Considering how deeply some of the vulnerabilities exist within the code, hacks often go unnoticed until it’s too late and the damage is done. Like safecrackers who escape from the bank in the middle of the night, the hackers typically flee with the goods while the guards are home asleep.
And even the “banks” with the biggest and strongest locks on the doors are at risk when it comes to the cyber world. People who trust their virtual “deadbolts” are doomed to forget about others with expertise in how locks work, Ege says.
“You think something is secure, and maybe it is very secure – it’s been secure for years – but some person somewhere just happens to trip over it,” Fatz says, “and then they exploit it. Other people scramble and try to mitigate it.”
Lather. Rinse. Repeat. Sigh.
Part of the problem is trying to identify the hackers and their individual motivations.
Borrowing a page from organized crime, Fatz says, hackers at all levels “focus their efforts where they can put the least amount of effort and get the most amount of gain.”
“The range of the audience that’s trying to exploit systems and people is huge,” he says. “It could be a high school kid who’s downloading premade exploitation code at home at night when he’s bored and has nothing better to do, all the way up to North Korea, which has an Army unit assigned to it.”
Unfortunately, he adds, despite “the millions and millions of dollars” spent to protect information on the Internet from outside threats, sometimes the attacks are perpetrated by employees within the companies.
What can the average person do?
- Practice “password hygiene.” Computer users should make sure they set complex passwords with combinations of numbers and lowercase and uppercase letters. It’s also important to use several different passwords; hackers who collect passwords from one site will search the web for identical or similar passwords. Finally, Ege says, keep passwords in mind but not on sticky notes.
- Never click on an unfamiliar or suspicious email that promises something, no matter how legitimate it might look. Despite years of warnings about so-called “phishing” scams, “those things succeed,” Ege says. “Those things actually do succeed.”
- Download antivirus software that provides frequent updates. “Those patches coming out are because sites have been exploited,” Fatz says. “That’s part of the catch-up game.”
And so the coyote and the roadrunner will continue to “play” on – although, in the cybersecurity world, it’s often the coyote that wins.
“Being able to respond to these incidents means companies have to identify what occurred and take steps to stop the water from flowing through the crack in the dam,” Fatz says, “and they have to stop it from continuing – mitigation and remediation.”