Lock the Virtual Front Door Series Article 1, Principle 4:

Weak security boosts high costs

Dovell Bonnett
Jun 29, 2020
Hackers are on the prowl, and the number one way individuals are exposed to identity theft is through corporate data breaches.

The media have confused hackers with crackers. Not all hackers are crackers, but all crackers are hackers.

A hacker (also called a White Hat hacker) is someone who is able to analyze, take apart, and then re-assemble a device or code to make it do something it was never intended to do.

A cracker (also known as a Black Hat hacker) is an individual with the same skills as a hacker, but they use their knowledge to do harm for personal or financial gain. The harm or devastation they do to businesses, governments, and individuals is of no concern to them. In these articles, when I use the word “hacker,” I am referring to that person’s ability to break a system. However, when the break is used for illegal or malicious purposes, I use the term “cracker.”


Identity Theft

The theft of an individual’s computer credentials is fast outpacing the theft of credit card data. Credentials allow unfettered access to accounts and services. With the identity theft epidemic, how can one really be sure that a person is who they say they are?

Driver’s licenses can easily be forged, Social Security numbers stolen, and fake passports printed, resulting in trusted documents being brought into question. Legitimate and honest registration authorities and certificate authorities are having a difficult task trusting the documentation and identity of individuals requesting certificates. Fraudulent documents lead to fraudulent certificates, which lead to serious cyber-attacks and data breaches.

Identity theft is much more than a stolen credit card. Many laws require companies to report breaches, and the penalties are far more severe for the business than they are for the criminals utilizing the false identity. Additionally, there are very few laws to help victims and make the recovery process manageable. The number one way individuals are exposed to identity theft is through corporate data breaches, making this a massive problem.


Companies need to understand both the direct and indirect costs of a data breach. Different organizations calculate the costs in different ways, but the Ponemon Institute is the most widely quoted research firm that analyzes what a data breach costs companies. According to Ponemon's 2019 Cost of a Data Breach Report (sponsored by IBM Security), the average global cost per sensitive record lost or stolen, and the average total cost of a breach, over the last few years were:

  • 2017: $141 per record, for an average total cost of $3.62M per breach
  • 2018: $148 per record, for an average total cost of $3.86M per breach
  • 2019: $150 per record, for an average total cost of $3.92M per breach
  • 2019 (United States only): $242 per record, for an average total cost of $8.19M per breach

Building a Chain of Trust

A chain of trust is built on the premise that, within a computer network, all hardware and software is authorized and releases information only to authorized users or destinations. Systems today are complex. They are constantly changing, with new apps, BYOD, and IoT devices connecting to and disconnecting from the network. It only takes one flawed link within this chain of trust to create an entry point for hackers to exploit. Once the hacker is in, they move laterally through the network, gaining access to one system after another until they eventually achieve full administrative rights. At that point, all confidential data and private information are available for the hacker to use as they wish.


When a security strategy starts by protecting the data behind the firewall rather than in front of it, the best IT can do is protect against known attacks, which is an almost futile endeavor. Trying to protect against every known attack is not only cost-prohibitive; hackers also regularly make minor modifications to their attacks to slip past known defenses. This fact alone gives hackers a considerable advantage over IT. It also creates the greatest fear for the Chief Information Officer (CIO) and Chief Information Security Officer (CISO): the unknown attack.

Something to Think About

I recently heard a White Hat hacker tell a shocking story. A bank hired him to test their network. In a matter of minutes, he was in their system, snooping around. That was his first task. While there, he came across some IP addresses that he didn't recognize. After a quick investigation, he discovered they were the IP addresses of the bank's ATM network. Wanting to test the security of the ATMs, he copied a program he found on the internet (dark web) and uploaded it to the bank's server to make a specific ATM spit out a twenty-dollar bill the next day at 12:02 a.m. At the appointed hour, he hopped into his car and drove to the remote location. Just before midnight, he set up a video camera and pointed it at the dark ATM. He waved at the camera and waited. At 12:02 a.m., right on schedule, the ATM magically came to life. The screen lit up, the cash door opened, and the machine spat out a twenty-dollar bill.

It doesn’t matter how or where a breach occurs; once the hacker has broken in, the entire network loses the chain of trust.

I now would like to invite you to the next Principle, “Why security can’t kill passwords, dead.”

Dovell Bonnett, Founder and CEO of Access Smart

I’m Dovell Bonnett, Author, CEO of Access Smart, and Password Security Evangelist. These articles are written to help business owners and executives understand an essential aspect of cybersecurity: Authentication. Authentication may seem like a small part of the overall network security; however, it’s your first line of defense. Passwords are a secure means of authentication. The main problem with passwords is how they are managed.

If you missed any of the previous Principles, I want to give you easy access to the “Lock the Virtual Front Door” Principles:

I give a lot more details on password security in my book: Making Passwords Secure: Fixing the Weakest Link in Cybersecurity. Available on Amazon as a book or on Kindle.


This and other stories originally published on my website at Access-Smart.com
