In February there was a cyber attack on Hollywood Presbyterian Hospital that commandeered access to every networked computer at the facility.
The hack posed an immediate threat to human life, which is why Hollywood Presbyterian was the perfect target.
The attack was just one of many instances of what has become the newest trend in cyber shakedowns: ransomware.
Using malware, hackers take control of an institution's computers, making it impossible for them to communicate with their equipment. For a ransom, the hackers return control.
How It Works
The incapacitating of communications and data retrieval at Hollywood Presbyterian Hospital was accomplished using a game-changing innovation for bad purposes.
As with many innovations that contribute to a more stable and productive work environment, there can be associated dangers. Most tools have more than one use, not always the intended one.
The takedown of Hollywood Presbyterian was achieved using encryption, the same technology used at the enterprise level to protect the data flow between machines with encrypted email and chat apps and data storage.
Properly utilized, encryption renders an organization's stores of data--whether they are vast and sensitive or more modest--useless to hackers.
This is crucial.
The Ponemon Institute found that among 5,000 companies surveyed only 37 percent had an enterprise-wide encryption strategy. That was up from 15 percent in 2005.
Companies with zero encryption are dwindling, but 15 percent of those in the Ponemon study still didn't use it at all. Clearly, we've reached a point in the data crime epidemic where encryption should be a prerequisite to doing business.
The average cost of a data breach is skyrocketing, up to $4 million according to Ponemon and IBM data--that's a 29 percent increase over 2013. The average cost per record has also increased from $154 to $158. That's a global figure. The average cost in the United States is considerably higher at $223 per record.
While that might not seem too precipitous, consider the Anthem breach. 78.8 million members were affected. This year's increase would matter in a breach that size.
What Ransomware Will Cost You
The common wisdom for setting a price on a product or service is that it can be as high as you like so long as someone is willing to pay.
Banking on the hamster wheel effect of most workplaces, ransomware scams have an advantage.
In a world where time truly is money, and lost time can significantly harm the bottom line, the amount of money that an enterprise is willing to pay to regain control of its information, and to get paid employees back to work, is theoretically pretty astronomical.
Given the nature of the beast, there is a dearth of data here. Although there's no way to know, it seems pretty likely that organizations faced with the publicity nightmare associated with such a compromise would be willing to throw hush money at the problem and get back to business.
We have to assume many of these scams go unreported for that reason.
In the more public incidents of ransomware attacks, hackers haven't tried to go for very big paydays. The operative thinking seems to be that the more modest the price, the more likely a quick payout.
Hollywood Presbyterian paid $17,000 in Bitcoin to regain control of their systems. Several other medical facilities have been hit since then, but this is very important: if you're not in the medical care business, don't assume you're safe.
Trend Micro, a company that focuses on internet content security software and cloud computing security, predicts "2016 will be the year of online extortion."
The Solution
Back up your data often and automatically, encrypt it and store it in an air-gapped environment.
Hackers can only go as far as the network.
If your data is stored off-network, the problems associated with a ransomware attack can be minimized, although the equipment used to access that data can still be commandeered.
The single most important thing you can do is to train your staff to know the signs of an attack.
Make sure they know their trusted sources, and cultivate habits of caution.
This can take the form of regular alerts and notices about recent scams sent out by HR, IT or your Information Security team. Whatever form it takes, make sure there is a culture of security and awareness at your organization because, at the end of the day, as Peter Drucker famously posited, culture beats strategy every time.