By Noah Hill
Last week, one of your employees downloaded a program from a pop-up window that said his internet browser needed an update. Now, he’s getting threatening emails. They’re saying he needs to pay a fee to get an encryption key to reclaim information stored on the computer. This computer has been infected with ransomware, a type of software that encrypts sensitive or critical data and makes victims pay a ‘ransom’ to recover stolen information.
FBI Special Agent Shiloh Allen, a cyber security investigator based in Bozeman, shared this scenario with 20 Montana business leaders who gathered for the Montana High Tech Business Alliance CEO Roundtable in Billings in April hosted by Diamond B Technology Solutions at Parsec Data Management. Allen said ransomware first appeared in 2012, and now there are more than 360 varieties. In 2017 alone, the use of ransomware in hacking grew by 2,502 percent.
As the internet becomes an increasingly universal utility, many companies in high tech industries are grappling with the inevitable threat hackers pose to private, secure information. According to Allen, understanding the techniques hackers use to infiltrate systems can help businesses find relatively simple ways to protect their assets from external threats.
“Every hack requires reconnaissance and certain techniques, but the attack surface for almost every company in business has the same kernels,” he explained.
Three Ways Hackers Gain Access
Allen’s presentation outlined three key infection vectors, or routes that hackers use to gain access to protected information.
The most common malware infection vector is through email. Also known as phishing, these emails contain a link or attachment that is tempting to click but introduces malware, software designed to damage computers, into a secure system. The phishing emails appear to come from a trusted source, and the attachment or link is tailored to appeal to recipients’ likely interests. Lance Tinseth, former Alliance Board Chair and CIO of Murdoch’s Ranch and Home Supply in Bozeman, reported that nearly 40 percent of employees at his company opened emails designed to hack into secure data.
The simplest and most effective solution is to educate employees about the dangers of phishing, Allen said.
“There should be a healthy level of paranoia,” Allen said.
In addition to teaching employees how to spot malicious emails, there are automated services that can be deployed as well. Most malicious emails use a spoofing address with a forged email header so the message appears genuine. Automated programs can compare the email’s original IP address with the sender’s and flag any emails that originate from an illegitimate source.
Infected websites are the second most common intrusion method, and attacks can be divided into two categories. “Drive-by” attacks are indiscriminate attacks that exploit vulnerable browsers, and “watering-hole” attacks are more focused attacks that target legitimate websites frequented by the browser.
Unlike phishing emails, the user is not enticed into clicking on a fake link or attachment. Instead, the user exposes the vulnerabilities of the computer by simply visiting a malicious website. Websites that are most susceptible to these kind of attacks usually contain content not appropriate for the workplace. Nevertheless, they still pose a threat because even an accidental visit to such a website can expose system vulnerabilities.
The third infection vector that hackers can use to access protected information is through direct exploitation of a network component, like a server, a firewall, or a router. Although it is the most difficult hack to execute, they are the hardest hack to protect against. Often, these attacks require physical access to a device like a server or a router so that the perpetrator can misconfigure the device in order to expose it to the internet. The best way to protect against these attacks is to make sure that physical controls are in place and only trusted personnel have access to the devices.
How Businesses Can Protect Their Digital Assets
Several executives around the table pointed to a the lack of personnel whose job it is to specifically ensure the cyber security of the organization. While most businesses depend on general IT staff to handle systems security, according to Allen IT staff shouldn’t be expected to be cyber security experts.
“Cyber security personnel have an entirely different list of primary competencies,” Allen said.
It would save businesses time and money in the long run if companies invest in dedicated cyber security personnel by training and dedicating existing staff, hiring new staff, or contracting out cyber security work to a specialized firm, such as LMG Security based in Missoula.
Traditional IT staffs should also address a vulnerability introduced by remote desktop protocol (RDP), Allen said. RDP is a technology that allows employees to access their work computer from a remote location.
Nearly two thirds of hackers use RDP technology as an initial attack method. While there are relatively easy ways to set up secure RDP connections, until recently, an unsecure RDP technology used to be enabled by default on all Microsoft-based operating systems. To protect company information, business owners should ensure that company computers are never communicating with machines outside the company network.
Unfortunately, as the global economy becomes more dependent upon the internet, cyber attacks are bound to happen. Even after implementing nearly every reasonable cyber security protection measure at Murdoch’s, Tinseth said the company experienced about two successful cyber attacks per year during his tenure. He said the solution is simple.
“Shut it down quick,” Tinseth said. “Be able to isolate it and stop the information as quickly as possible.”
It is also important to have a good insurance policy. A lot of insurance providers, including PayneWest Insurance, now offer a cyber intrusion policy. A competent consultant can cost $20k to remediate threat, and insurance policies help offset a lot of the legal costs of a cyber attack.
There is no silver bullet solution to cyber security issues, Allen warned. As the cyber economy rapidly grows, companies must develop comprehensive cyber defense system tailored to the priorities of a business. In the event of an intrusion, businesses need to have a contingency plan in place. Most importantly, employees at all levels of the company should understand cyber security risks so they are equipped to protect their data and information.
In the event that your business is experiencing a cyber attack, Allen recommended reporting the incident to IC3.gov, a depository that analysts use to try and connect the dots between victims of cyber crime.
About the Author: Originally from Kalispell, Noah Hill will graduate from the University of Montana in May with a degree in microbiology and plans to attend law school. In his free time, Noah enjoys rafting, fishing, hiking, and reading a good book.
About the Publisher: Launched in 2014, the Montana High Tech Business Alliance is an association of 350 high tech and manufacturing companies and affiliates creating high-paying jobs in Montana. For more information visit MTHighTech.org.