On June 4, 2015, the Obama administration shared a story, with a twist—Chinese hackers had stolen the personal data of at least four million federal employees. The target appeared to be social security numbers and other personal identifying information. The story was familiar because it has happened before. The twist was that this was one of the largest breaches of a US government computer network. What is not clear is whether the attack was related to commercial gain or espionage.
And that’s the trouble with data—it can be misused in so many ways. From online fraud and deception, to identity theft and terrorism, stolen data can disrupt civilised life the world over. The scariest bit, however, is the ever-expanding scope of activities of data stealers. Data thieves and hackers have moved on from just stealing our credit card details and bank account numbers to more sinister things.
According to a report released by the RAND Corporation’s National Security and Research Division in 2014, the hacker market is highly sophisticated and organised, and has become more profitable than the drug trade. The data stolen by hackers ends up on a network of illegal trading sites where they buy and sell large amounts of personal data for profit.
But data theft is no longer limited to just financial gain. We live in the age of MaaS—malware as a service.
Sometimes, cyber security is breached for the sake of it—just because it can be done. While monetisation of data on the black market remains the primary motivation, hacktivists steal data for numerous reasons. And they continue to evolve their methods of attack and execution to stay ahead of most existing security measures.
So, why are they doing it?
Corporate rivalry: Companies can, and often do, hire hackers to infiltrate the competition, and steal trade secrets.
Cyber terrorism: Political and/or religious factors prompt people to steal data so as to propagate their own credo, disrupt civic infrastructure and create chaos.
Activism: Some hackers may actually be motivated by exposing what they perceive to be injustice and wrongdoing.
State-sponsored hacking: Governments round the globe want access to information about other nations, regardless of whether they are enemy nations or friendly countries. It serves their military objectives to be well positioned and well-informed online.
White hat hacking: And then there are the good guys! White hat hackers are the ethical hackers or computer security experts who specialise in penetration testing and other methodologies to enhance the security of information systems. White hat hackers are constantly evolving an arsenal of technology to battle black hat hackers—a term used for all non-ethical hackers.
But no matter how hard white hat hackers try, the attack ecosystem—along with actors, their motivations and techniques used—continues to grow in number, complexity and sophistication. The ever-evolving risk landscape is becoming more and more challenging to manage. Take the case of Zeus malware. Originally designed as a financial threat, it was re-purposed in 2013 for other vertical market objectives from widely distributed attack sources. As the attack ecosystem grows in scope, it gets increasingly difficult to attribute the source of an attack.
In fact, many security experts believe attribution is a waste of time. What is needed is prevention. Ernst & Young, in a report titled “Data Loss Prevention— Keeping your sensitive data out of the public domain”, lists
several steps to optimise data loss prevention. Here’s a look at some of them:
* Identify and classify your data
* Provide view-only access
* Implement a data management lifecycle
* Do not allow unauthorised devices on your network
* Do not permit the copying of sensitive data to removable media
* Improve authorisation and access control measures
* Understand data usage and flows and your data loss vectors
When it comes to data loss, prevention is always better than recovering after a breach. Data is one of the most valuable assets of your organisation—protecting it and keeping it out of the public domain is of paramount importance. If you have a good understanding of which data is most vital to your business operations, where that data resides and how it is sent beyond your walls, consider the battle not lost, if not won.
The writer is country director, Raytheon/Websense