January 5, 2017
At a CES CyberSecurity Forum, journalist/author Wayne Rash led a discussion on the various ways that companies are failing to protect their intellectual property and remain vulnerable to malicious code and ransomware. According to Yubico chief executive Stina Ehrensvard, 70 percent of hacks are related to passwords. “The password is the weak link,” agrees Authentic8 chief executive Scott Petry. “Reusing passwords is a problem. If you use your Yahoo password for other sites, you’re in trouble.”
Moving away from re-using passwords, said Ehrensvard, is the single most important thing a company can do to improve its security. Petry notes that cybersecurity is a multi-billion-dollar issue, so IT experts are pressured to spend money with traditional vendors. But, he adds, they're just throwing their money away if the problem originates with end-user behavior.
Petry reports that Verizon data suggests that at least 50 percent of data breaches can be attributed to end-user behavior, a number that Rash says is low. In addition to not re-using passwords, says Petry, two-factor authentication is key to slowing down potential hacks.
Rash brought up another entry point for hackers: the USB stick. “It’s pretty innocent looking,” he said. “But this is what brought down Iran’s entire nuclear program.” A worm jointly developed by the U.S. and Israel destroyed the nuclear program, and it made its way into the Iranian system via USB keys that an undercover agent sprinkled in the parking lot and men’s bathroom at the facility. All it took was one person to pick one up and use it.
“Are you training your employees not to do that?” asked Rash.
Ransomware has become another chronic problem for companies, and it enters the system via phishing attacks. “Virtualization is a big step to take, but it’s the best strategy,” said Petry. “But another important step is to prevent users from clicking on links in emails. There are a variety of solutions that can stop those employees from accessing links embedded in emails. This just makes you a harder target for hackers.”
Rash notes that a successful phishing attack often takes place when the hackers find the email and phone number for the company’s chief executive on the target company’s website. “The first point of attack is the secretary or assistant for one of those high-level executives,” said Rash. “They send that person an email pretending to be his or her boss, and include an attachment, instructing that it be opened. If it is opened, it doesn’t make itself known as ransomware right away. So disabling the ability to click on links is very important.”
Ehrensvard suggests that security should be built into devices, so users don’t have to think too much. She uses the metaphor of the seatbelt. Cars didn’t initially have them. The car industry didn’t admit there was a problem but ultimately created a basic seatbelt; even then, the government needed to regulate it.
Petry agrees with the metaphor. “The regulatory framework needs to be there,” he said. “At the end of the day, the user makes a conscious choice to click the seatbelt, though, so training the end user will always be important.”