This article, brought to you by Ultra Risk Advisors, first appeared in the Wall Street Journal April 20, 2015.
What Companies Should Be Doing To Protect Their Computer Systems — But Aren’t
By Danny Yadron
Maybe stopping hackers isn’t always that hard.
That may be difficult to imagine if you follow the headlines. In late 2013, America entered the age of the megabreach when Target Corp. lost 40 million credit-card numbers to Russian-speaking hackers. Since then there’s been Home Depot Inc.,Adobe Systems Inc.,J.P. Morgan Chase & Co., eBay Inc.,Anthem Inc., to name just a few.
The menace isn’t going away-it’s too profitable for those behind it. But there are a lot of smart people in computer security who think this barrage of headlines doesn’t have to be the new normal.
And a lot of their suggestions have nothing to do with spy-grade technology, unplugging everything from the Internet or turning cyberspace into a battlefield. (And there are credible executives, scholars and Army generals who propose all three.)
Rather, a lot of it has to do with hygiene. Or, cyberhygiene, as some call it. This includes boring things that companies ought to be doing anyway but often skip-things like regularly updating software, doing routine audits of their systems and ensuring vendors adhere to strict security standards.
So we talked to security companies, government officials and former spooks in an effort to identify the easy things that could make a difference but that many companies still haven’t tried, or are implementing very slowly.
Obviously, it’s possible the hackers are so determined and so skilled that nothing this simple will work. Some people who have spent time battling hackers up close think that’s the case. But until companies try these things, it’s premature to say this indeed is the new normal.
STEP ONE: Keep up with patches
In 2014, a third of the new hacking tools discovered by security researchers at Hewlett-Packard Co. relied on exploiting a flaw in Microsoft Corp.’s Windows that was discovered in 2010. Microsoft issued a patch long ago, which should have covered the chink in the digital armor.
That points to one of the main problems in computer security that won’t go away: Many people don’t update their software. This can leave them exposed to even the most rudimentary hackers who borrow tricks from last year’s breach. With patches, “you’d stop most of these attacks,” says Alan Paller, research director at the SANS Institute, a cybersecurity training center near Washington, D.C.
Here’s what happens: Computer code is complex and inevitably has flaws. When companies find one of these flaws, they release a patch and indicate how the flaw could be used for ill. It doesn’t take hackers long to figure out what the hole is that the patch seeks to cover, and they immediately write tools to take advantage of it. It then becomes a race between the hackers and consumers updating their software.
Of course, security experts have known this for years. The issue is that companies build networks these days that are so complex and rely on so many vendors that changing one piece can cause the whole thing to freeze up.
So a lot of companies take time to test patches, and this delay can drag on for months, if not years. That whole time, the company is exposed.
Orion Hindawi, co-founder and chief technology officer at Tanium Inc., a venture-backed security company in the San Francisco Bay Area, sells software that helps companies monitor software running on their computers. Customers include big banks like J.P. Morgan Chase.
He recently found that among Tanium’s 25 health-care customers, there is an average of 2.3 missing critical patches per computer.
Microsoft defines “critical” as a flaw that could allow a hacker to run his own software without the user knowing. It “recommends that customers apply Critical updates immediately.”
STEP TWO: Keep your online doors closed
Between laptops, smartphones, tablets and televisions, the average American home has more than five machines connected to the Internet, according to a 2014 study from Ericsson.
Coming up with a similar tally for the average bank or supermarket chain gets pretty tricky-even for the people who work there. Many businesses don’t know how many computers they have, and sometimes they don’t know which are online. So, computers end up online when they shouldn’t be, where they become a tempting target for hackers.
In this year’s Verizon Data Breach Investigations Report-considered the industry’s most comprehensive-just shy of a quarter of the breaches were the result of hackers getting in through a machine that didn’t need to be online.
When the government health-insurance exchange at HealthCare.gov was hacked last year, federal investigators learned the intruder got in through a Web-development server connected to more sensitive parts of the network. The server wasn’t supposed to be online, so it didn’t have the same protections as other HeathCare.gov machines, U.S. officials said at the time.
As one of them told The Wall Street Journal when it reported on the breach: “There was a door left open.”
Connectivity has also long been a particular sore spot for utility and energy companies. Last spring, the U.S. Department of Homeland Security put out a warning to utility and energy companies noting that industrial control systems, used to manage things like substations and pipelines from afar, often are misconfigured or insecure. In some cases, government officials questioned whether some sensitive systems are worth connecting online at all.
They “were not intended to be Internet facing,” the department said in its memo.
Issues like these are becoming even more pronounced as companies build larger networks and acquire more machines-printers, thermostats, lights-that now work with the Internet. The people who add the machines to the corporate network often don’t understand the security concerns. Many devices have default administrative passwords that can be found online. In other cases, companies have misconfigured antihacker technology to not watch traffic going in and out of such devices.
The solution is nothing more than basic “blocking and tackling” to ensure that only necessary machines are online and that they’re protected, says Mike Denning, vice president of global security at Verizon Enterprise Solutions. Not, ” ‘Oh, I wish I had that advanced, malware-blocking detection tool.’ ”
STEP THREE: Encrypt your data
Since Heartland Payment Systems Inc. lost 130 million payment-card numbers to a cybercrime gang in 2008, its chief executive, Robert Carr, has been telling people to encrypt more of their data. The idea: If card numbers are encrypted from the instant they enter retailer computers, there’s not a lot that hackers can do with it.
And as Avivah Litan, a senior security analyst at Gartner Inc., often tells clients, they can hire all the new computer-security talent they want, but “you can’t rely on people. You have to rely on technology.”
The problem: People aren’t listening. Companies reported 298 data breaches to the state of California during 2012 and 2013. In 83 cases, or more than a quarter, the data lost, stolen or misdirected was unencrypted, affecting 2.6 million state residents, according a report last year from the state attorney general.
Why aren’t companies listening? Encryption can slow things down, if slightly, by using computing power to scramble and unscramble data each time someone wants to read it. It also can cause compatibility issues if data travels from one company to another.
The process also isn’t cheap-but that said, it’s certainly not cost-prohibitive. Home Depot last year purchased encryption for all of its 2,200 U.S. and Canadian stores for about $7 million, people familiar with the matter say. Home Depot was working with Voltage Security Inc. to encrypt customer card numbers, making them useless to hackers, the instant they are swiped-and before they’re stored in point-of-sale terminal memory.
Unfortunately, Home Depot appears to have just started installing the new card readers as hackers breached its system and gained access to 56 million payment-card numbers. The company saw the data appear for sale on black-market forums.
STEP FOUR: Get rid of passwords
Users hate them. Security staff dread them. Hackers love them.
According to Verizon, a quarter of the data breaches analyzed in this year’s report could have been stopped if the victimized company had required more than a password to enter its network.
In the past two years, hackers increasingly appear to target large caches of passwords at technology companies. That’s because they figured out users often reuse the same password and email address for various accounts-from social media to banking, Ms. Litan says.
After Adobe lost some 33 million users’ login credentials in 2013, other websites, like Facebook and Diapers.com, noticed some of their users employed the same passwords and usernames as they did at Adobe and forced them to pick new ones. The Adobe passwords were encrypted, but security researchers were able to unscramble many of them and presumably hackers could do the same.
The problem, of course, is that passwords are easy and can be used with any computer. But in the past few years, Facebook Inc. and Google Inc. have taken a stab at killing the password. The weapon: a tiny USB token that when inserted into a computer is barely visible.
Rather than forcing users to remember passwords, the token made by Yubico acts to verify someone’s identity, sometimes in conjunction with passwords for an extra layer of security.
The experience has been positive, employees at both companies say.
STEP FIVE: Check out your vendors
These days, big companies with a lot of sensitive data have started to get wise on hacking threats. Corporate boards of consumer-focused public companies like Kellogg Co. and Tyson Foods Inc. are actually talking about computer security, a topic once relegated to the IT guy.
But the smaller companies that work for those companies-and often get the same access to their computers-may not treat the issues with the same severity. Anywhere from one-fifth to two-thirds of data breaches have been linked to hackers getting into a vendor or third party, according to various surveys.
Headlines back up those statistics. Target traced its breach back to a heating contractor. Home Depot and Goodwill Industries International Inc. linked their own hacking incidents to outsiders who had access to their corporate networks.
The solution is careful oversight. Larger firms sometimes have vendors sign declarations on their approach to computer security. But unless they want to spend heavily on auditing each vendor, it’s hard to check beyond that, executives say.
Two venture-backed companies, BitSight Technologies and SecurityScorecard Inc., have attempted to come up with ratings like credit scores for companies by looking at the amount of bad traffic linked to the businesses’ Internet addresses. That includes communications from servers or types of servers that are often linked to cybercrime or state-backed hackers.
“If we see these kinds of things, they’re not running a very clean shop,” says Stephen Boyer, BitSight’s co-founder and former government researcher at the Massachusetts Institute of Technology’s Lincoln Laboratory.
BitSight, founded in 2011, has won some high-profile customers, such as Goldman Sachs Group Inc., and newcomer SecurityScorecard recently took funds from Sequoia Capital, a Silicon Valley investment firm.
In some instances, BitSight customers have avoided contracts with vendors who have a low score, Mr. Boyer says.
Of course, it’s in a lot of people’s interests to argue the hacking scourge can be contained. There is a nearly $100 billion industry selling products and consulting services that companies will buy only if they think they can make things better.
One member of that industry, Richard Bejtlich, chief security strategist at FireEye Inc., a Silicon Valley security firm, says that technical fixes, such as encryption or patches, can solve only about 10% of the hacking problem. It’s easier to change criminal behavior through incentives, he says, rather than trying to make it impossible for criminals to do bad things.
Governments and organizations have to create social norms that make hacking too risky for the hackers, much like they have with attacks in the physical world.
“It’s legal, social, societal,” says Mr. Bejtlich, a former Air Force investigator.
Mr. Bejtlich and some other Washington types are pushing for more hacker prosecutions and more transparency about how the government will respond to attacks like the major breach at Sony. “Make their lives more difficult,” he says.
“That doesn’t mean we need to roll over and say, ‘Bad things are going to happen,’ ” he says. “We need to decrease the number of bad things happening.”
Sources: 2014: A Year of Mega Breaches, a Ponemon Institute survey of 735 IT and IT security practitioners in the U.S. conducted in November 2014 (data on causes and investigation of breaches); Global State of Information Security Survey: 2015, a survey of more than 9,700 executives conducted March through May 2014 by PricewaterhouseCoopers (data on preventive steps)
(FROM THE WALL STREET JOURNAL 4/20/15)
By Danny Yadron
Mr. Yadron is a staff reporter in The Wall Street Journal’s San Francisco bureau. He can be reached at firstname.lastname@example.org.