Brian McVicar reported that the cost for investigating and providing services to the individuals affected by the data security breach at Ferris State University (http://www.ferris.edu/) was approximately $380,000. It is believed that the personal information of 62,000 current, former, and prospective students as well as current and former employees was put at risk by this data security breach (http://hacksurfer.com/surfboard/ferris-universitys-costly-data-breach - October 22, 2013).
What are they after?
There can be an infinite number of things that these cyber attackers were looking for. According to Blake Carver, “(Cyber attackers) may want to host cracked software; they may want to send spam; they may be doing blackhat SEO in an attempt to game search engines; they may want personal information from you, your customers, or your employees; and / or they may want to use your website as a way to get elsewhere. Further, they may be after PINs, credit cards, bank account information, contact lists, emails, or even phone numbers.” “Personal information is the currency of the underground economy,” said Carver.
Who is a target?
Chances are that your organization is already the target of a coordinated cyber attack. Remember that when it comes to getting your organization's website hacked, the size of your organization does not really matter. According to the security firm Imperva (http://www.imperva.com/index.html), the average web-based application is subject to a cyber attack at least once every two minutes. The expansion and variety of automated tools make it fairly simple for potential intruders to scan your website for a security hole.
Why do these attacks make news?
“Quite frankly there has not been an abundance of reporting on these cyber events despite the fact that they are clearly happening,” said Olcott, a specialist in online risks. According to Olcott, the best hope for obtaining information about these cyber events is that as (interested stakeholders) start paying more attention to the threats, they will demand that (organizations) disclose them. Yet, as Elefant states “there are an awful lot of lawyers trying to keep (organizations) from exposing that these breaches are happening. And they are happening.”
Why do cyber attackers do it?
Carver details several reasons for cyber attacks. Cyber attackers may be attacking your site for the pure thrill of vandalism; perhaps because they have a grudge against you or your organization; or simply because somebody was bored and your organization's security practices made it easy for them to hack your website.
How do cyber attackers do it?
According to the Verizon Data Breach Investigations Report, "very often, the (organizations) breached had no firewalls, had ports open to the internet or used default or easily guessable passwords." The Data Breach Investigations Report highlights that 83% of victims were targets of opportunity; 92% of the attacks were easy; and 85% of the attacks were ultimately discovered by a third party. Trustwave's Global Security Report highlights that only 16% of the (organizations) managed to detect the security breach on their own and that the cyber attackers had an average of 173.5 days within the victim's environment before the cyber attack was detected. Marc Spitler, a Verizon security analyst, states that victims were not chosen because they were large, important or had financial data. They were simply the easiest targets. In other words, the organizations were hacked by cyber attackers using easy-to-find, easy-to-learn and easy-to-exploit weak passwords.
How can I protect myself and my organization?
It is important to realize that there is no such thing as a totally secure computer; nothing is ever 100% safe. All that can be done is to make things safer than they were before. All of the security procedures and tools are about reducing risk. The goal is to reduce the possible frequency of data loss and also to reduce the potential magnitude of that loss. The key trick is to ensure that the effort the cyber attackers have to expend to hack into the organization's website exceeds the value they expect to gain by doing so. None of this is about being unhackable; it is about making the difficulty of doing so not worth the required effort.
Studies have shown that for the threat actions leading to data breaches, the story is usually the same. Most victims are not overpowered by unknowable and unstoppable attacks. “They almost surely have more to do with not using, under using, or misusing some security tool (the organization) already (has).” “SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of the security breaches attributed to hacking or network intrusion. Therefore, it is no secret that cyber attackers are targeting this application layer. Web application scanning and testing would have found many of the problems that led to major breaches in the past year.” Basically, your organization already has the security tools and solutions that it needs.
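To make the application-layer point concrete, here is an added example (not from Carver's presentation or the reports quoted above) showing a user lookup written two ways: with string concatenation, which lets crafted input change the query, and with a parameterized query, which keeps the input as plain data. It also shows output encoding for reflected content. The table and rows are constructed in memory for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed sample table; not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Concatenating input into the SQL text lets the caller rewrite the
    # WHERE clause, so a crafted username can return every row.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_hardened(conn, username):
    # A placeholder binds the input as a value; the query shape is fixed
    # and the same crafted username simply matches nothing.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(username):
    # Encoding user-controlled text before it reaches an HTML page is the
    # matching defence against cross-site scripting.
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(find_user_hardened(db, "alice"))
    print(render_greeting("<b>alice</b>"))
```

A web application scanner flags the first form because its query text changes with the input; the parameterized form is what such a scan expects to find.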
The key point that you should take away from this post is that we are all targets of cyber attacks. So, we must be diligent in protecting our data assets.
This blog post is based upon Blake Carver’s (email@example.com - http://security4lib.org/) security presentation. In his presentation, Blake encourages you to understand security issues and conduct security training for your organization.
References: How can I stay current on security topics?
There are many good blogs to follow and websites to examine. This list from Carver's presentation highlights just a few blogs and websites to help you get started on your security journey.
- Gibson Research Corporation – Security Now Podcast: http://grc.com/securitynow.htm
- Naked Security – Sophos: http://nakedsecurity.sophos.com/
- SANS Institute Reading Room: http://www.sans.org/reading_room/
- Schneier on Security: http://www.schneier.com/blog/
- Security-FAQs – For all your internet security news, answers and reviews: http://www.security-faqs.com/
- Trustwave’s 2013 Global Security Report: https://www2.trustwave.com/2013GSR.html?sl=gsr-2012
- Verizon’s 2013 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/2013/