Making Hackers Work Harder for Their Success

by Darrin Maggy, CISSP and Director of Strategic Operations at Namtek Corp.

Hacking Is Easy

Cybersecurity is a term that means many different things to many people. It has leapt into prominence as networks moved to the center of business operation, linking companies to what turns out to be a very risky environment. Cyberspace is the Wild West. Governments have not agreed on the “rules” that should apply to cyberspace, or how to apply existing “rules” for espionage, crime, and warfare. Just as Bonnie and Clyde would rob a bank in one state and drive across the border into another state, with the pursuing sheriff stopping at the border, smart hackers take advantage of borders and the Internet’s ability to cross them with ease and without fear of punishment. They live in countries that tolerate or encourage their activities; they are often outside the grasp of national law enforcement. There are efforts underway to change this, but it will take time to make cyberspace more secure.
When we look at successful attacks, it is embarrassing to note that these are not sophisticated exploits carried out by evil geniuses. Hacking is all too easy. The metrics for estimating the damage from a successful hack are not well established. Companies can suffer reduced valuation after they have been hacked, usually in the form of a drop in stock prices. These losses can be significant—ranging from 1 to 5 percent—but the decline is not permanent. Stock prices usually recover by the next quarter. In the future, the recovery of stock prices may not be so quick if it is known that there is significant damage to a company’s intellectual property portfolio.

It is harder to estimate the damage from the loss of intellectual property (IP). IP now makes up a major part of most companies’ value, but often the value of this IP is not known until it is put on the market. Counting how much was spent to create the IP is not a good measure of worth. It also takes time for an acquirer to turn stolen IP into a competitive product. In some cases, the damage may not be visible for years. In other cases, such as designs for high-speed trains, automobiles, or wind turbines, the competing product may reach market before the victim company’s own design.

The scale of loss and its effect, however, remains a subject of dispute. Anecdotal evidence suggests that cybercrime against banks and other financial institutions probably costs the United States hundreds of millions of dollars every year. Estimates of the dollar value of annual losses to businesses from cyber espionage show a tremendous range, from a few billion dollars to hundreds of billions, but it is safe to say that the figure is large and growing.

Most people are now aware of the problems with cybersecurity. What many do not know, however, is how simple it is to hack. For hackers, highly skilled or not, the question is why bother with a high-end attack when something simple will probably work just as well. A reasonable goal for policy is to make hackers work harder for their success. This reduces both the number of successes and the number of hackers capable of achieving success. Improving the primary level of security will not solve the cybersecurity problem, but it will make it more manageable and, ultimately, easier to “solve.” Numerous studies confirm that hacking is not that hard. Surveys show that more than 90 percent of successful penetrations of company networks required only the most basic techniques. One survey found that 92 percent of attacks were not highly difficult and that only 3 percent of breaches were unavoidable without difficult or expensive corrective action; 96 percent of successful breaches could have been avoided if the victim had put in place simple or intermediate controls. Most victims fall prey because they were found to possess an (often easily) exploitable weakness. Outsiders were responsible for most breaches, and 85 percent of penetrations took months to be discovered (the average time is five months), with the discovery usually made by a third party, such as a credit card company, rather than by the victim.

There is a growing cadre of highly skilled hackers, often the proxies of a state that gives them sanctuary. These hackers use programs that continuously scan their target for vulnerable systems, even test systems that are only temporarily online. They have advanced programming skills to identify new vulnerabilities and to create the malicious software (malware) needed to exploit them. With their ability to target specific high-value networks, these high-end hackers can challenge all but the most sophisticated defenders. Equally important, they build and sell the tools and techniques that let less experienced hackers perform successful attacks. Eventually, the work of the advanced hackers in both vulnerability identification and malware writing appears on the cyber black market, becoming globally available.

But successful hacking does not require this level of skill. Relatively simple “hacks” work all too well, and even high-end opponents use them: why use a sophisticated assault when the target can be overcome with a simple one? Most companies that were hacked fell victim because hackers found an easily exploitable weakness. Hackers don’t have to try very hard because most networks are poorly defended. Eliminating the vulnerabilities exploited by these “easy” hacks will shrink the pool of successful hackers as the less skilled drop out. It will increase the cost for attackers, as they have to put more work into penetrating a target network. Vulnerability mitigation strategies reduce the avenues for potential attack and force attackers to develop more sophisticated (and expensive) techniques or give up on the target. The effect will be to reduce risk and allow companies to focus resources on high-end threats.

Cybersecurity Is Feeble

The ability to download hacking tools means that a determined 12-year-old with some basic computer skills and an Internet connection can become a successful hacker. For the more advanced, there are cyber-crime black markets that sell personal data, credit card information, tools, passwords, and working exploits. Criminals can rent “botnets” from the cyber-criminal underworld or even purchase complete online stores to collect personal information or to sell bogus products. This is a competitive market, with price wars, guarantees, and special offers. Hacking has become a big business, not only because the Internet is now “where the money is,” but because most networks, despite claims to the contrary, are inadequately defended.

One study found that 75 percent of attacks used publicly known vulnerabilities in commercial software that could have been prevented by regular patching. In patching, the software vendor that made the product distributes over the Internet a small fix to an existing program that improves performance or eliminates a specific vulnerability. A failure to patch leaves the vulnerability unfixed, something hackers are quick to exploit.

While patching is essential, it is not enough. When software vendors announce and ship patches, hackers analyze the patches and can often develop exploits for the problem faster than companies can install the patch. Twenty-five percent of the attacks reviewed were new, unknown to defenders, and could not have been stopped by patching alone. Many security controls (firewalls, intrusion prevention, and antivirus) fail to prevent these attacks from succeeding. Often, malware will delete itself after running, and attackers have improved their ability to clean up and hide evidence of what they have done. This complicates the defender’s task if the approach is reactive, requiring an analysis of the malware to determine how it functioned and what had been infected.

One way to assess the ease of hacking is to look at how easily a network can be entered using illicitly obtained or guessed passwords. On its own, the password as we know it is close to useless as a defense. Any password based on a name or dictionary word can be rapidly “cracked” with widely available tools. Passwords based on personal information, such as birthdays, are also easy to guess, and hackers harvest that personal data from social networks. Searching Google on the keywords “password cracker” gets 21 million results, offering free password crackers and advice on how to use them. The hacker’s task is made easier by password reuse, where people use the same password for multiple systems and websites: a password stolen from one site opens every other site where it is reused. This is a very common attack vector, and some data suggest that password reuse is actually a bigger problem than weak passwords. Passwords no longer provide more than the most basic security.

Default settings on computing and network devices are another easy path for attack. Anyone who has bought a computer or other network device knows that the manufacturer typically ships it with a user name such as “admin” and a password such as “password.” Criminals know this, too. People forget to change these default settings or, for large networks, change most but not all of them. A U.S. Air Force study found that in large organizations with thousands of machines, perhaps 5 percent were still configured with the default user name and password. Hacking tools can search automatically for these misconfigured devices.
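To show concretely why name-based, birthday-based, default and reused passwords fall so quickly, here is an added example (not code from the original article) of an offline dictionary attack run against two constructed credential stores. All users, hashes, word-list entries and profile data are made up for the example, and the stores are assumed to hold unsalted SHA-256 hashes, which is what lets a single lookup table serve every user on both systems at once. The example also reports accounts whose password is reused between the two systems and an `admin` account still on its assumed vendor default.

```python
import hashlib
import itertools


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, as a weak site might store passwords (constructed for the example)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed "leaked" credential stores from two unrelated systems (user -> unsalted hash).
SYSTEM_A = {
    "alice": sha256_hex("alice"),          # password equals the user name
    "bob":   sha256_hex("bob1985"),        # name plus birth year
    "carol": sha256_hex("v7#Qz!pR2m^Lw"),  # long random password
    "admin": sha256_hex("password"),       # vendor default never changed
}
SYSTEM_B = {
    "alice": sha256_hex("alice"),          # same password reused on a second system
    "bob":   sha256_hex("Tr0ub4dor&3"),
    "dave":  sha256_hex("Summer2024!"),    # dictionary word with a common mangling
}

# Small constructed word list; real crackers ship lists with millions of entries.
WORDLIST = ["password", "letmein", "dragon", "summer", "welcome", "qwerty"]

# Constructed "social network" profile data an attacker could harvest.
PROFILES = {"alice": {"birth_year": 1990}, "bob": {"birth_year": 1985}}

SUFFIXES = ["", "1", "!", "123", "2024", "2024!"]


def mangle(word: str):
    """Common rule-based variants: case changes plus numeric/symbol suffixes."""
    for base in {word, word.capitalize(), word.upper()}:
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(usernames, wordlist, profiles):
    """Everything a cracker tries first: dictionary words, user names, name+birth-year combos."""
    seen = set()
    for word in itertools.chain(wordlist, usernames):
        for c in mangle(word):
            if c not in seen:
                seen.add(c)
                yield c
    for user, info in profiles.items():
        year = info["birth_year"]
        for c in (f"{user}{year}", f"{user.capitalize()}{year}", f"{user}{year % 100}"):
            if c not in seen:
                seen.add(c)
                yield c


def crack(store, wordlist=WORDLIST, profiles=PROFILES):
    """Offline dictionary attack: hash each candidate once, then look every user's hash up.
    Because the hashes are unsalted, one table covers all users of all stores."""
    table = {sha256_hex(c): c for c in candidates(store.keys(), wordlist, profiles)}
    return {user: table[h] for user, h in store.items() if h in table}


def reused_across(*stores):
    """Users whose identical hash appears in more than one store, i.e. a password reused
    across systems: breaching one system hands the attacker a working login on the other."""
    reused = set()
    for i, store in enumerate(stores):
        for other in stores[i + 1:]:
            for user in store.keys() & other.keys():
                if store[user] == other[user]:
                    reused.add(user)
    return reused


if __name__ == "__main__":
    for name, store in (("system A", SYSTEM_A), ("system B", SYSTEM_B)):
        print(name, "cracked:", crack(store))
    print("reused across systems:", reused_across(SYSTEM_A, SYSTEM_B))
```

Only `carol` and system B's `bob` survive, because their passwords are neither dictionary words, names, nor simple manglings of either; `alice` falls on both systems with a single lookup, which is why reuse is so valuable to an attacker.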

The most popular technique for hacking currently is phishing, which combines fraud and malicious software to bypass many traditional security measures. Individuals in a company are sent a message that appears to come from a legitimate e-mail address (sender addresses are easily spoofed). It carries an attachment or link with a tempting subject, like “Next Year’s Bonuses.” Sent to a hundred people, hackers can count on a few of them to open the document or click on the link, which installs the malicious software. Advanced hackers may use personal data culled from social network sites to “personalize” the e-mail and make it look more convincing.
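As an added example, not part of the original article, the following Python checks a constructed phishing message of the kind described above: the From address claims one domain while Return-Path and Reply-To point elsewhere, the receiving server’s Authentication-Results header records SPF, DKIM and DMARC failures, and the attachment is a macro-enabled document. The message, addresses, domains and mail-server name are all invented; a real deployment would feed it messages from the mail gateway.

```python
import email
import re
from email.utils import parseaddr

# Constructed phishing message (no real addresses or domains involved).
RAW_MESSAGE = """\
From: "Payroll Team" <payroll@example.com>
Return-Path: <bounce-8821@mail-example.biz>
Reply-To: payroll-desk@mail-example.biz
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.biz; dkim=none; dmarc=fail header.from=example.com
Subject: Next Year's Bonuses
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain; charset="us-ascii"

Please review the attached bonus schedule before Friday.
--boundary42
Content-Type: application/octet-stream; name="Bonuses.docm"
Content-Disposition: attachment; filename="Bonuses.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--boundary42--
"""

# Constructed legitimate message from the same sender, for comparison.
CLEAN_MESSAGE = """\
From: "Payroll Team" <payroll@example.com>
Return-Path: <payroll@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Holiday schedule
Content-Type: text/plain

The office closes at noon on the 24th.
"""

# Attachment types that run code or carry macros when opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".pptm", ".jar", ".lnk", ".iso"}


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased; '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving server in Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.I)}


def risky_attachments(msg):
    """File names of attachments whose extension executes code or enables macros."""
    names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
                names.append(name)
    return names


def assess(raw):
    """Return a list of findings; an empty list means none of these checks fired."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    # The displayed From is easily spoofed; the envelope sender and Reply-To often betray the real origin.
    for hdr in ("Return-Path", "Reply-To"):
        d = domain_of(msg.get(hdr))
        if d and d != from_dom:
            findings.append(f"{hdr} domain {d} differs from From domain {from_dom}")
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech)
        if verdict != "pass":
            findings.append(f"{mech}={verdict or 'missing'}")
    for name in risky_attachments(msg):
        findings.append(f"attachment can execute code: {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", RAW_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, assess(raw))
```

The header checks depend on the receiving mail server having stamped its own Authentication-Results header; an attacker can insert a forged one upstream, so a gateway should strip any such header arriving from outside before adding its own.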

How immediate and how visible the damage will be depends on what is taken. Confidential business information, such as sales and marketing plans, plans for new products, or financial data, is immediately profitable for the acquirer. One major oil company lost exploration data that cost it billions of dollars. A major bank saw $10 million extracted in two days; it avoided the damaging publicity by reclassifying the loss as an “operating expense.” Companies lose merger and acquisitions strategies and information to hacking, a loss that has an immediate effect—think of the other side of the table having a copy of your briefing book and knowing your bottom line.

A recent attack in which 30,000 company computers had their data permanently erased, together with credible reports of huge losses of military and commercial technology intellectual property and business confidential information, demonstrates that what governments and companies are doing now in cybersecurity is not working effectively, despite spending as much as 7 percent of their information technology (IT) budgets on it. One conservative estimate puts annual spending globally on cybersecurity software at almost $18 billion. However, there is evidence to suggest that the traditional methods are not working. One study found that initial detection rates for antivirus software (there are now almost 75 million different viruses on the Internet) were less than 5 percent when the malware was introduced and that, on average, it took almost a month to update detection mechanisms and spot the new viruses. Another study found that detection rates averaged about 20 percent. Hackers can evade detection by making minor changes to their malware, and some test their exploits against the latest updates from security companies to confirm they are still undetected before using them.

Due Diligence and Risk Management

The cybersecurity problem is often presented as the result of a lack of resources. Yet every year, increasing amounts of money are devoted to cybersecurity. The research for this report suggests that the real problem is that cybersecurity resources, adequate or not, are often spent on ineffective activities. Another major problem in cybersecurity is the tendency of corporate leadership to treat it as an “IT problem” best left to chief information officers and technicians. This may have been the right course of action a decade ago, but it is now badly outdated. A better way for a C-suite to think about cybersecurity is that it is the source of a damaging “material effect,” hurting a company’s profits, value, and financial future, that will be increasingly difficult to ignore.

There will always be risk in cyberspace, just as there is risk in driving a car, mailing a letter, or flying in an airplane. The goal is to make online activities no riskier than offline activities—to “normalize” cyberspace. Right now, that is not the case and the risks will grow as we become more dependent on software and computers. But this risk can be reduced and managed and brought to levels where cyberspace is no less secure than any other environment we operate in. We can now describe a minimum standard of due care when it comes to cybersecurity.

Fiduciary responsibility and due diligence on the part of corporate leadership require effective cybersecurity. When people hear that statement, however, it is often the moment when eyes tend to glaze over. Cybersecurity is a business decision about profit and risk. Many companies underestimate the risk and overestimate the cost. As with other business decisions, companies with models that generate higher returns or lower costs will outperform their competitors. After a decade or more of experience, we can now begin to put together numbers, data collected from actual attacks, to determine what kinds of cybersecurity activities can best reduce risk.

The older compliance and audit-based approach found in legislative mandates like the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), and the Financial Services Modernization Act (also known as Gramm-Leach-Bliley, GLBA) is resource intensive and ineffective. Compliance is usually a good thing, but in cybersecurity it came to stand for a static, paper-driven method that was expensive without providing equivalent benefits.

A Proactive Approach to Cybersecurity

This combination of easy hacking and weak defenses has been the situation for many years. The experience of weak cybersecurity has, however, had one advantage—in simple terms, there have been so many attacks that defenders have a very full data set on what kind of attacks have worked.

Analysis of these incidents determined that more than 85 percent of cyber intrusions could have been prevented by following four mitigation strategies:

  1. Use application “whitelisting” to help prevent malicious software and other unapproved programs from running. Rather than trying to identify and block malicious software, which creates the possibility that previously unknown attacks will not be stopped, using a “whitelist” means that only approved programs can run on a machine. This step eliminates much of the risk from malware.
  2. Patch applications such as PDF readers, Microsoft Office, Java, Flash Player, and web browsers. These applications are in daily use in most companies. Patching closes off avenues that hackers will otherwise exploit. Software companies send patches to rectify or eliminate exploitable flaws or weaknesses in a system’s design or operation found after it was sold (similar to a recall notice for an automobile). Often, patches are developed in response to the discovery of a flaw by independent researchers or, in some instances, the discovery of a successful hack. A failure to install the patches leaves systems vulnerable. Most companies already have some kind of patching system in place, but research suggests that even with these systems, 5 to 10 percent of computers will “miss” a patch. This means that mitigation works if it is paired with automatic monitoring, which we will discuss later.
  3. Patch operating system vulnerabilities, for the same reasons discussed above. All operating systems have potential vulnerabilities; when software companies find and offer a fix, not using that fix leaves the users susceptible to criminals and foreign intelligence agencies, who expend considerable effort to find these “holes” and exploit them.
  4. Minimize the number of users with administrative privileges, the highest level of authority to make changes or undertake actions on a network. Easy access to administrative privileges lets criminals who obtain them (a frequent initial goal for most hackers) install malicious software and change settings to make it easier to exfiltrate data and to hide their activities.

One frequently heard complaint is that cyber threats change too rapidly for the mitigation strategies to have any lasting effect. The evidence, however, contradicts this point. While the specific instances of new attacks change quickly, the mechanisms to manage them have some permanence. No single strategy can prevent every type of malicious activity, but the effectiveness of implementing the top four strategies above has held up because the classes of vulnerability that attackers exploit remain largely unchanged. The key strength of the controls lies in measuring outcomes and in correlating defensive measures with their effectiveness in reducing attacker success.
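As an added example (not from the original article or from the source of the four strategies), here is a Python audit that checks a constructed fleet of hosts against the four mitigations above and produces the outcome metrics the last paragraph calls for: the share of hosts running an executable that is not on the allowlist, the share that “missed” an application or operating-system patch, and the share with an unapproved administrator account. The approved hashes, minimum versions, account names and host inventories are all made up (the hashes are derived from labels so the example is self-contained); a real run would pull them from the allowlisting tool, the patch-management system and the directory.

```python
import hashlib
from dataclasses import dataclass


def fake_hash(label: str) -> str:
    """Stand-in for the SHA-256 of a real binary; constructed so the example runs offline."""
    return hashlib.sha256(f"constructed:{label}".encode()).hexdigest()


# 1. Application allowlist: hashes of every executable approved to run (constructed).
APPROVED_HASHES = {fake_hash(n) for n in ("outlook.exe", "winword.exe", "chrome.exe", "acrord32.exe")}

# 2 and 3. Minimum patched version per application and for the OS (constructed policy).
MIN_VERSIONS = {
    "pdf-reader": "11.0.3",
    "office": "16.0.12",
    "java": "8.0.291",
    "browser": "96.0.4664",
    "os": "10.0.19044",
}

# 4. The only accounts permitted to hold administrative rights (constructed).
APPROVED_ADMINS = {"it-admin", "backup-svc"}


@dataclass
class Host:
    name: str
    running: dict    # process image name -> sha256 of the image
    installed: dict  # component -> installed version string
    admins: set      # members of the local administrators group


def version_tuple(v: str):
    """'11.0.3' -> (11, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def audit_host(host, approved=APPROVED_HASHES, min_versions=MIN_VERSIONS, approved_admins=APPROVED_ADMINS):
    """Return (category, detail) findings for one host; an empty list means all four controls hold."""
    findings = []
    # 1. Allowlisting: anything not approved is a finding, whether or not an AV signature exists for it.
    for proc, h in host.running.items():
        if h not in approved:
            findings.append(("allowlist", f"{proc} not on allowlist"))
    # 2 and 3. Patching: compare each installed component with the minimum patched version.
    for comp, minimum in min_versions.items():
        installed = host.installed.get(comp)
        if installed is None:
            continue  # component not installed, so nothing to patch
        if version_tuple(installed) < version_tuple(minimum):
            findings.append(("patch", f"{comp} {installed} < {minimum}"))
    # 4. Admin privileges: flag every administrator not explicitly approved.
    for account in host.admins - approved_admins:
        findings.append(("admin", f"{account} holds admin rights"))
    return findings


def fleet_summary(hosts):
    """Outcome metric per control: fraction of hosts with at least one finding in that category."""
    totals = {c: 0 for c in ("allowlist", "patch", "admin")}
    for host in hosts:
        for category in {c for c, _ in audit_host(host)}:
            totals[category] += 1
    return {c: n / len(hosts) for c, n in totals.items()}


# Constructed inventory of four workstations.
FLEET = [
    Host("ws-01", {"outlook.exe": fake_hash("outlook.exe"), "winword.exe": fake_hash("winword.exe")},
         {"office": "16.0.12", "browser": "96.0.4664", "os": "10.0.19044"}, {"it-admin"}),
    Host("ws-02", {"outlook.exe": fake_hash("outlook.exe"), "invoice.pdf.exe": fake_hash("dropper")},
         {"pdf-reader": "11.0.1", "office": "16.0.12", "os": "10.0.19044"}, {"it-admin", "jsmith"}),
    Host("ws-03", {"chrome.exe": fake_hash("chrome.exe")},
         {"browser": "95.0.4638", "java": "8.0.291", "os": "10.0.19043"}, {"it-admin"}),
    Host("ws-04", {"acrord32.exe": fake_hash("acrord32.exe")},
         {"pdf-reader": "11.0.3", "os": "10.0.19044"}, {"it-admin", "backup-svc"}),
]

if __name__ == "__main__":
    for host in FLEET:
        print(host.name, audit_host(host))
    print("fleet:", fleet_summary(FLEET))
```

Run repeatedly, the fleet summary is the number to track over time: the patch figure is the “missed patch” rate the text says patching must be monitored for, and a host like ws-02, which combines an unapproved executable, an unpatched PDF reader and an extra administrator, is where all three weaknesses an intruder needs line up on one machine.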