Hackers are often portrayed in the media as pale skinned, basement dwelling lone wolves, creating nuisance viruses that disrupt networks. But Darren Hayes, Computer Information Systems program chair at Pace University, says times are changing. “These people are rapidly being replaced by sophisticated government-backed infiltrators and criminal cyber-spy rings that can inflict far more damage than a Distributed Denial of Service that takes a network offline.”
He’ll discuss this new breed of hacker in his UBTech session “Cyber attacks on the rise and how to stop them.”
Hayes says there are two classes of hacker. One is the organized cyber criminal gangs from countries like China and the former Soviet Union states, that look to get into a system and steal money quickly. The other is a more sophisticated, persistent attack, sometimes involving months of reconnaissance to learn about the architecture of a corporate network, and the systems that are running on it.
“Traditional methods of security—antivirus filters, firewalls, and intrusion detection systems—are rendered useless,” Hayes says. “In many of these sophisticated attacks, the organization has already been compromised, so there has to be a shift away from the idea of perimeter security. These people are already in your network—what do you do now?” Hayes will discuss how both these groups operate in his session. He’ll cite real examples such as the breach at Target last year that resulted in the theft of personal information from hundreds of thousands of customers, as well as the case of American cyber criminal Albert Gonzalez, “who was able to come into control of most of the payment cards that exist on this planet.”
Phishing attacks are familiar to anyone who has ever gotten an email from a Nigerian prince begging for help to move enormous sums of money out of his country to the U.S. for a sizeable reward. All he needs is your personal information. “The attacker will send out a million emails and hope there will be a few hits by the end of the day,” says Hayes.
But there are other, more sophisticated phishing attacks. “Spear phishing” is a very targeted attack. “If I want to get into an organization, I’ll find out about an individual that works there. Then I’ll find out about people who are friends of that individual,” Hayes says. “I’ll send a digital birthday card to that individual, purportedly from their friend. They click on the link and suddenly I have access to their host computer on their network.”
Hackers can also use social media and school websites to help find an entry point to a system. “Without knowing it, organizations give away a lot of information about how they run their business, the structure of the organization,” Hayes says. Universities websites that offer job descriptions can be particularly revealing. “If they advertise for a specific position with IT and they list the skills they are looking for, that gives adversaries an idea of the networks and systems they are running,” Hayes says. “Everybody knows, for example, the default password on an Oracle database, and many system administrators don’t change that default password.”
Universities and law firms are especially soft targets for cyber attack, Hayes says, and he wants UBTech attendees to learn about different types of encryption, and how organizations can avoid costly mistakes that expose themselves to attack.
“The point I want to drive home is that many of these things are not off-the-shelf solutions,” he says. “It comes down to strong security protocols and enforcing policies.”