Data is the new currency.
Thousands of multinational companies generate revenue from the simple information you provide them through surveys or application forms. Your email address is worth more or less a single cent in USD and the basic information on your credit card plays between $20 to $50. Ever since crime syndicates realized how lucrative selling information was, companies now have to deal with an even greater horror—their data, their livelihood, being held for ransom through encryption.
“The most attacked entity in the world is The White House,” said Pierre Noel, Microsoft Chief Security Officer for Asia. “Can you guess who’s number two? It’s Microsoft, and that is why there is no other company in the world that’s more vigilant about security than we are.”
At a recently held Security Summit spearheaded by Microsoft Philippines for businesses and government agencies, Noel identified types of cyber culprits that may be lurking within or around unsecure networks and infrastructure.
The Hacktivists
Anonymous, one of the most infamous “hacktivists” in the world, has taken credit for the hacking of an estimated 38 government websites along with social media accounts of various celebrities. They’ve been observed to utilize different Denial-of-Service (DDoS) attacks—flooding their target’s network with traffic such as spam to incapacitate the target from utilizing any measures to arrest the attack.
“Usually, this group is harmless. They you because they simply don’t like you, and they try to make a point by defacing your website or instigating DDoS attacks,” Noel warned.
“However, when you see a DDoS attack, you have to be wary of one thing: you are being distracted from a real attack that is happening underneath it.”
Cyberwarfare
Despite the notion that countries engage in cyberwarfare to declare war, Noel contradicts this by saying, “Cyberwarfare is there to nudge you or steal information from you—a form of espionage.”
He addressed government organizations to acknowledge themselves as targets, focusing on building a cyber resilient system rather than a security-centered system: “You should know that you are subject to cyberwarfare. If these people will try to attack you, no matter how much money you spend or how many people you employ to try and stop these attacks, they will succeed. What you need to do is to make sure that these attacks will not impact your organization in a significant way through resiliency.”
Organized Crime
Noel identified organized crime associations that take a more terrorist approach to cybercrime, employing ransom and blackmail attacks to extort money in the form of Bitcoins and other currencies from their victims.
“The first thing to know about these cyber criminals is that they are very much like terrorists—they follow no rules. They will do everything in their power to extort from you,” he said. “They just want money.
“Instead of stealing your data, they encrypt your data demanding you to pay money to have it back.”
Company Personnel
Lastly, companies were reminded to be weary of their own employees, and emphasized the importance of setting clear policies, access restrictions, and clear accountability among any personnel who handle sensitive company data and information.
“All it takes is for one of them to wake up one day and decide that they don’t like you anymore,” he said. Citing the massive credit card data theft in South Korea, where a computer contractor stole credit card data from 20 million Koreans through his company’s system by simply using a thumb drive to collect the information he eventually sold off to marketing agents, Noel urged them to lessen human dependence in systems.
“You can do whatever background check you want, but know that you can only trust human beings at a certain point,” he advised, “Make sure that there is minimal human interaction with your administration accounts.”
Tips to keep security a top of mind practice
“First you must start with simple data classification,” Noel advises. “Identify which of your data is critical to your business and then identify your risks.”
Despite his earlier reminder that behind every security concern is a human being, he persists that companies still need one man to stay in charge of their security network. “Someone must be ultimately responsible but you need to keep that person under strict control. Like for example, forbidding them from using administrative accounts for email and browsing,” he said. “That’s the person who will work hard to keep your security practices up and keep the admin accounts right under strict control. He’s also the same person you fire when things go wrong,” he added jokingly.
Noel also urged business owners to have even the most basic of antiviruses on every machine and asked them to desist from using pirated software on any of the office machines. He ended by imploring them to religiously patch operating systems and applications when updates arise. “Always, always patch your software,” he said “Hackers are always multiple steps ahead of you in the security game and a sure way you can keep up with them is if you keep upgrading your systems with the latest versions of the applications.”
Businesses large or small are vulnerable to cyberterrorism, but solutions are always available to mitigate these risks. To know more about the best protection for your IT systems, log on to http://www.microsoft.com/security