Another day, another data breach — with devastating consequences in terms of financial loss, damage to reputation, loss of client confidence, the possibility of expensive lawsuits and the investment of time and resources spent trying to contain the damage.
New York dam, the SWIFT $81M Bangladesh cyberheist, Time Warner Cable, Hello Kitty, US voter registration records, US presidential candidates – and the list is endless. Most importantly, the attacks are escalating, rather than abating. In most cases, the data ends up on that nebulous part of the Internet known as the Dark Web. So what is the Dark Web and what can organizations do to secure their data better?
Mary Beth Borgwing, cyber risk expert and President of LemonFish, a data behavior analytics company with an external data exposure product for the open, deep and dark web, delivered as managed software as a service (SaaS), spoke exclusively to ITWatchIT about the correlation between the Dark Web and the protection of sensitive data.
Dark Web vs. Deep Web
The Open Web is the indexed web, and that’s about ten percent of the web, which includes Bing, Google and all the search engines, said Borgwing. Then you have the Deep Web, which is the non-indexed web, where you can store data, for example, when using Slideshare for PowerPoints or other files that are too big to email. In comparison to the Deep Web, the Dark Web requires a bit of trade craft to maneuver the forums and sites due to the “black market business” that takes place there.
There is the Dark Web, where you have different layers. First, you have to have a Tor Browser, also known as an Onion Router. Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. There are approximately 60,000 sites within the Tor network. With some of those 60,000 sites, you have to go to a second level to gain access, where you have to be socially invited by a member of those sites. In quite a number of those sites, there are a lot of fraudulent and nefarious activities going on.
There are sites on the Dark Web with people selling credit cards, personally identifiable information (PII) and, very popular, healthcare information. Also, there are other things, drugs for example, that are available on the regular web but are available cheaper on the Dark Web, mainly because they are stolen. Those are not the password-protected sites. The ones that are password-protected are where you have deep criminal activities like human trafficking, fraudulent transactions, sale of credit cards, bank information, mortgage information and all of those things.
Escalating Cyber Attacks Translate to a Greater Need for Data Monitoring
Probably a year ago or more, data analytics wasn't something people saw as a way to be preventive, or to protect their perimeter; people were being more defensive and not proactive. Using data analytics to understand where your vulnerabilities and your data exposure may be is something relatively new. People who demand this service have digested the fact that they need a perimeter, and potentially a data loss prevention program. There are those who have built protocols and processes so they know what to do when they find the data that's been exposed.
When you think about it, if you were able to locate where your data was exposed and what portion of that data is sensitive or critical data, you would better understand your company's cyber risk management profile. This way you can then monitor the data that is sensitive, critical and important to your company, and run that data through the data loss prevention system. When you don't understand your critical assets, then running all of your data through your DLP system is like layers of Swiss cheese across the whole enterprise, and eventually data is going to be leaked.
Alternatively, if you knew what to protect — by finding what may have been exposed, knowing what critical assets you want to monitor, putting better processes and procedures across those things that have been exposed, then running them through the data loss prevention system or the security event management system — then you have a higher preventative accuracy rate, and a better chance at really catching those people that are trying to penetrate your network, since you know what data they are after.
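The "know what is critical before you run it through DLP" point above, as an added example that is not part of the interview or LemonFish's product. It classifies records into tiers before anything is forwarded to a DLP system, so only records that actually carry sensitive fields are monitored. The record format, the three-tier policy (public, sensitive, critical), the detector patterns and the sample records are assumptions constructed for illustration.

```python
"""Classify records by sensitivity before routing them to DLP.

Added example, not the article's or LemonFish's code. The record format,
the sensitivity tiers and the sample records are assumptions constructed
for illustration.
"""
import re

# Detectors for a few common sensitive-data types. The patterns are
# deliberately simple; a production DLP rule set is broader and locale-aware.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record: str) -> dict:
    """Return the data types found in one record and the resulting tier."""
    found = set()
    for m in CARD_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.add("card")
    if SSN_RE.search(record):
        found.add("ssn")
    if EMAIL_RE.search(record):
        found.add("email")
    # Tiering (assumed policy): card or SSN is critical, e-mail alone is sensitive.
    if found & {"card", "ssn"}:
        tier = "critical"
    elif found:
        tier = "sensitive"
    else:
        tier = "public"
    return {"types": sorted(found), "tier": tier}


def route_to_dlp(records, min_tier="sensitive"):
    """Select only the records whose tier meets the monitoring threshold."""
    rank = {"public": 0, "sensitive": 1, "critical": 2}
    selected = []
    for rec in records:
        c = classify(rec)
        if rank[c["tier"]] >= rank[min_tier]:
            selected.append((rec, c))
    return selected


# Constructed sample records (not real data).
SAMPLE = [
    "order 1001 shipped to warehouse B",
    "contact: jane.doe@example.com, newsletter opt-in",
    "payment 4111 1111 1111 1111 exp 12/27 cardholder J. Doe",
    "employee 7742 ssn 123-45-6789 hire date 2015-03-02",
    "ref 1234567890123 (non-Luhn tracking id)",
]

if __name__ == "__main__":
    for rec, c in route_to_dlp(SAMPLE):
        print(c["tier"], c["types"], rec)
```

The Luhn check is what keeps the 13-digit tracking reference in the last sample out of the critical tier; without it, every long run of digits would be pushed into DLP and the monitoring signal would drown in noise.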
What Could LinkedIn/SWIFT Have Done to Prevent Recent Thefts?
LinkedIn could have monitored their data better. They don't seem to have enough proactive protocols in place about people changing their passwords. Also, they should be monitoring the dark web chatter about their company, in order to know what might be going on. Right now, they should be doing that, and I'm sure they have law enforcement doing that.
Some of that is the intent behind the attack. Do they want to steal data because they want it to be exposed? Do they do it because they want to do something malicious and it’s cool to do these things? Are they motivated by money? The motivations are quite different, but also, they might be using the data themselves, in order to resell it. Sometimes they like to resell it for a small amount of money so they can try to stay under the radar.
In some of these cases involving ransomware, they really don’t get much financially. It’s really young kids or people with other intents to get information and use it for something else, and make it look like a theft that was for monetary gain.
When it involves a very high-profile case such as the LinkedIn data breach, with LinkedIn taking a very social media approach to it, then they have a harder time doing that [selling the data]. The LinkedIn case has a more social media approach to it because they want more notoriety. The SWIFT case is a little different because that is mainly about profitability and gaining access to the people of the financial industry. They want money, and they are really trying to cause a disruption in the financial services industry.
Are The Smaller Companies Paying Attention At All?
The smaller companies know they have to do something, and so they are looking for solutions that are cost effective and easy to implement; that are next-generation cyber risk management. That is what data analytics brings to the cyber security platform. It's similar to using landlines versus cellphones in the telecommunications world: we are the cellphones, and the companies are going for the cellphones. We are the new way to do things, so there are some mid-level companies and Fortune 500 enterprise companies who know they need this, because things are not working for them now.
LinkedIn Said They Reset Passwords When The Hack Was Initially Discovered Four Years Ago
People often change their passwords back. You can force them to change their passwords, but often they will try to change them back; people are not very savvy about that. When you think about all the people that are on LinkedIn, you will find that a lot of people are not very sophisticated at things of that nature.
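The reset-then-change-it-back problem described above, as an added example that is not LinkedIn's or LemonFish's code. A forced reset only helps if the old credential cannot simply be re-entered, so the store below keeps a salted hash history per user and refuses a new password that matches the current one, any of the last few, or an entry in a list of known-breached passwords. The user store, the history depth, the PBKDF2 work factor and the breached list are assumptions constructed for illustration (the work factor is kept low so the example runs quickly).

```python
"""Forced password reset that cannot be undone by re-entering the old password.

Added example, not LinkedIn's or LemonFish's code. The user store, history
depth, work factor and breached-password list are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor; assumed, kept low for the example
HISTORY_DEPTH = 5      # how many previous hashes a user must not reuse (assumed policy)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time compare so the check does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), digest)


class UserStore:
    """Minimal in-memory store: current credential plus a reuse history per user."""

    def __init__(self, breached_passwords=()):
        # Constructed list standing in for passwords recovered from a leaked dump.
        self.breached = set(breached_passwords)
        self.users = {}

    def create(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "digest": hash_password(password, salt),
            "history": [],        # list of (salt, digest) for previous passwords
            "must_reset": False,
        }

    def force_reset(self, username: str) -> None:
        """Invalidate the credential after a breach: login requires a new password first."""
        self.users[username]["must_reset"] = True

    def login(self, username: str, password: str) -> bool:
        u = self.users[username]
        if u["must_reset"]:
            return False
        return verify(password, u["salt"], u["digest"])

    def change_password(self, username: str, new_password: str):
        """Return (ok, reason). Rejects the current password, any of the last
        HISTORY_DEPTH passwords and anything on the breached list."""
        u = self.users[username]
        if new_password in self.breached:
            return False, "password appears in a known breach"
        for salt, digest in [(u["salt"], u["digest"])] + u["history"]:
            if verify(new_password, salt, digest):
                return False, "password was used before"
        # Retire the current hash into the history (bounded) and install the new one.
        u["history"].insert(0, (u["salt"], u["digest"]))
        del u["history"][HISTORY_DEPTH:]
        u["salt"] = secrets.token_bytes(16)
        u["digest"] = hash_password(new_password, u["salt"])
        u["must_reset"] = False
        return True, "ok"


if __name__ == "__main__":
    store = UserStore(breached_passwords=["linkedin2012"])
    store.create("alice", "hunter2")
    store.force_reset("alice")
    print(store.change_password("alice", "hunter2"))                 # rejected: reused
    print(store.change_password("alice", "linkedin2012"))            # rejected: breached
    print(store.change_password("alice", "correct horse battery"))   # accepted
```

The history check has to re-derive the candidate password under each retired salt, which is the cost of not storing anything reversible; with a modest history depth and one change per reset that cost is negligible, and the check is what stops the user from quietly reinstating the very password that was leaked.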
Will The Two-Step Authentication Option Implemented by LinkedIn Solve The Problem?
I don't think that will be very popular; this is social media, not something like banking. As such, if you have something in your social media profile that you don't want anyone to know about, don't put it on social media. Passwords are tough; it is hard to enforce protocols for password protection. Two-factor authentication is not going to work in a social media scenario, I really don't think so.
SWIFT: Who’s To Blame?
The SWIFT system is supposed to be safe, so it goes back to the application that they are using, with everyone thinking the system is safe. What we are learning is that nobody is unhackable. Why are they targeting those banks in Bangladesh and other places? Maybe they are easier to penetrate than the banks in the UK and the US.
Right now, there is a discussion going on between SWIFT and those banks, and they are trying to sort out who is responsible. It is probably a little bit of both, even though it is really hard to say without being involved in the case. There are other transactions that are happening, even as we speak, with numbers that are way bigger than the Bangladesh case. The hackers typically test it on smaller amounts and build it up to the bigger amounts. Even with the two-factor authentication, they are still being hacked, so what is the answer?
The answer is to have different layers of security, and to follow the chatter. Most of the hackers build a profile of the people that have the ability to transfer the money in and out of the banks, and then they assume that identity. How do you protect against that?
[SWIFT CEO Gottfried Leibbrandt said May 24 at the 14th annual European Financial Services Conference that even though their system is safe, the ultimate responsibility for ensuring security lay with the individual banks, not them. “SWIFT, our network, software and our core messaging services have not been compromised. In Bangladesh and the other cases, the thieves compromised the IT environment and worked their way to the bank systems where the SWIFT instructions are generated and the confirmations received,” said Leibbrandt.]
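The "test it on smaller amounts and build it up" pattern mentioned above, turned into detection logic as an added example that is not SWIFT's, any bank's or LemonFish's code. It parses a constructed payment log and raises an alert when a sender-to-beneficiary pair whose first-ever transfer was a small probe is followed, within a short window, by a transfer many times larger. The log format, the thresholds (probe ceiling, escalation ratio, window) and the sample lines are assumptions constructed for illustration.

```python
"""Detect the test-then-escalate transfer pattern in a constructed payment log.

Added example, not SWIFT's, any bank's or LemonFish's code. The log format,
thresholds and sample lines are assumptions constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Assumed log line shape: "<iso-timestamp> op=<operator> from=<acct> to=<beneficiary> amt=<n> ccy=<XXX>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) op=(?P<op>\S+) from=(?P<src>\S+) to=(?P<dst>\S+) "
    r"amt=(?P<amt>\d+(?:\.\d+)?) ccy=(?P<ccy>[A-Z]{3})$"
)


def parse_log(lines):
    """Parse log lines into dicts sorted by time; malformed lines are skipped,
    not allowed to crash the detector."""
    txns = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["amt"] = float(d["amt"])
        txns.append(d)
    return sorted(txns, key=lambda d: d["ts"])


def detect_escalation(txns, ratio=20.0, window=timedelta(days=7), probe_max=10_000.0):
    """Flag transfers to a beneficiary whose first-ever transfer from the same
    account was a small probe (<= probe_max) and which arrive within `window`
    at >= ratio times the probe amount."""
    first_seen = {}   # (src, dst) -> first transaction for that pair
    alerts = []
    for t in txns:
        key = (t["src"], t["dst"])
        if key not in first_seen:
            first_seen[key] = t          # new beneficiary for this account
            continue
        probe = first_seen[key]
        if (probe["amt"] <= probe_max
                and t["amt"] >= ratio * probe["amt"]
                and t["ts"] - probe["ts"] <= window):
            alerts.append({
                "src": t["src"], "dst": t["dst"], "op": t["op"], "ts": t["ts"],
                "probe": probe["amt"], "amount": t["amt"],
            })
    return alerts


# Constructed sample log (not real transactions). The supplier pair is normal
# recurring business; the BENE-NEW pair shows a probe followed by large transfers.
SAMPLE_LOG = [
    "2016-02-01T10:05:00 op=op17 from=ACC-001 to=BENE-SUPPLIER amt=48000 ccy=USD",
    "2016-02-02T11:20:00 op=op17 from=ACC-001 to=BENE-SUPPLIER amt=52000 ccy=USD",
    "2016-02-03T23:41:00 op=op17 from=ACC-001 to=BENE-NEW amt=900 ccy=USD",
    "2016-02-04T00:15:00 op=op17 from=ACC-001 to=BENE-NEW amt=20000000 ccy=USD",
    "2016-02-04T00:17:00 op=op17 from=ACC-001 to=BENE-NEW amt=30000000 ccy=USD",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in detect_escalation(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['ts']} {a['src']}->{a['dst']} by {a['op']}: "
              f"probe {a['probe']:.0f} then {a['amount']:.0f}")
```

Keying the baseline on the sender-beneficiary pair rather than on the operator matters for the identity-assumption case the answer raises: a stolen operator identity looks perfectly normal on its own, but a brand-new beneficiary receiving a tiny transfer and then enormous ones within minutes does not, whoever's credentials issued the instructions.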
How Does The IoT Affect Data Monitoring?
There is no avoiding the Internet of Things, even though some companies have been trying to fight it. Trying to say no cellphones or iPads at work won't stop much. They have chips and other things in these devices, and it has gotten to the stage that there are many things talking to each other. How do you stop that connectivity? It's more about the niche framework and why they have layers of protocols they can put in place, not just around your networks, but also to teach people how to properly use these devices. For instance, when you go to the FBI, you leave your cellphone in a locker and you are not allowed to use it. You can't bring any type of electronic or Bluetooth device in there. In some companies where you have a lot of intellectual property and people can take pictures, no camera devices are allowed. It's really all about managing the human side of things. That is really the only way to manage it, because the humans are the ones using it. IoT can be very, very fruitful for hacking.
Managing your data is at the root of everything, because your data is what the hackers are after. Have that perimeter, have different layers of security, engage in active security monitoring – but you really need to know where your data is, and that is what we help you do.
Speaker: Mary Beth Borgwing
Position: President, LemonFish
Mary Beth is the President of LemonFish Technologies, a data behavior analytics company focused on data breach and data exposure on the open, deep and dark web. She has been in leadership positions in cyber security risk management companies for 15+ years. She has expertise in complex risk strategy and the development of new risk management tools and has worked with clients in Healthcare, Technology, Life Sciences, Higher Education, Construction, Manufacturing and Financial Services sectors.
LemonFish is a data behavior analytics company. Providing real-time visibility into data exposure helps data governance and compliance while reducing risk, improving security, increasing efficiency and reducing operational costs. LemonFish is headquartered in Reston, Va.