Plan of attack for business cybersecurity: Start with people, patches

March 29, 2018

This piece is presented by SDN Communications.

Twenty-five years ago, hackers needed advanced skills as well as motivation to successfully attack businesses on the internet. Online criminals almost needed the equivalent of a master’s degree or a doctorate to be successful.

Today, all they need is motivation. They can buy whatever tools they need to anonymously disrupt programs or possibly steal valuable information.

Consider the motivation behind the ransomware attack on the city of Atlanta. It has shut down the city’s online systems for six days and counting. Officials are struggling to keep the government running with pen and paper.

“You don’t need the skills. You don’t need anything else. You just need motivation,” said Jay Patel, a supervisory special agent with the FBI who advised about 225 businesspeople in Sioux Falls. “It’s a target-rich environment. The tools are out there. All they need is to want to achieve this purpose, and they can do it.”

Patel was one of the featured speakers at the Sioux Falls Cybersecurity Conference, which was March 27 at the Holiday Inn City Centre. The regional conference was hosted by the Sioux Falls Area Chamber of Commerce and the U.S. Chamber of Commerce.

SDN Communications, the premier, regional provider of broadband connectivity and cybersecurity services for businesses, was the lead sponsor of the event.

National and local cybersecurity experts provided representatives of small and midsized businesses with troubling examples of successful hacks and good advice to help protect networks.

Hackers often exploit known vulnerabilities in software as weaknesses are discovered and publicized. So Patel stressed the need for companies to apply software patches promptly and keep protective equipment up to date.

Airplane manufacturer Boeing announced that malware infected its systems last week, but it limited the number of systems impacted by quickly applying a patch. The Seattle Times is reporting that the culprit was the WannaCry virus, which first hit systems across the globe and prompted system patches more than 10 months ago.

“You must have the most current version running on all your systems if you’re connecting them to the internet,” Patel said.

He also encouraged businesses to make use of tools such as the NIST Cybersecurity Framework. NIST, which is short for the National Institute of Standards and Technology, is a federal agency that worked with businesses to develop flexible guidelines to help companies improve cyber risk management and protect the nation’s critical infrastructure.

ISO/IEC 27001 is a security standard that also can help businesses improve their security posture. It’s a certifiable standard published by the International Organization for Standardization and the International Electrotechnical Commission.

Patel also stressed the value of public-private cooperation. He urged regional businesses to participate in InfraGard, which is a collaborative partnership between the FBI and members of the private sector. Members are vetted. They benefit from information such as threat advisories from federal agencies, intelligence bulletins and vulnerability assessments.

Several speakers at the conference stressed the need to strengthen what is generally considered the most vulnerable point of any business network: the people who have access to it.

Security technology is a critical part of cybersecurity, and equipment can become outdated or fail. Even so, the easiest way for hackers to get into a protected network is to be ushered inside. That means employees at many businesses are under constant attack from criminals trying to trick them out of sensitive information or encouraging them to click on tainted links.

“We’re only one or two clicks away from being ‘pwned’ (hacked) on a daily basis,” said Chuck Cinco, chief information security officer at Premier Bankcard. Ransomware, distributed denial-of-service attacks and data theft are common threats.

Cinco stressed the need to engage employees in relevant, dynamic, ongoing training and to hold sessions much more than once a year.

Ryan Manship, vice president of RedTeam Security in St. Paul, said businesses need to pay attention to the physical security of their networks, as well as to the effectiveness of their equipment and the awareness of their people.

RedTeam Security’s flagship service is called “red teaming,” a practice in which ethical hackers secretly infiltrate and test a company’s physical, technological and human layers of protection. Often, the simulated attacks become a matter of figuring out employees and how to work around them, Manship said.

“People, statistically, are the weakest link,” he said.

Watch Manship’s interview with Angela Kennecke of KELO-TV from Tuesday’s event in the video below.

SDN Communications also offers a quarterly report on local cyber insights. Get the latest Cybersecurity Threat Landscape Report here
