Not to alarm you, but that smartwatch on your wrist could be used to hack into your bank account using your ATM PIN. You are, however, just small fry. Data thieves typically go after a much larger haul. Using sniffers, malware and a whole panoply of software, they can infiltrate an organisation’s operating system and lurk undetected, waiting for the right moment. Nation states, too, have got into this game, and have developed military cyber capabilities to conduct acts of war.
That’s why data security and cybersecurity are so much in the news. But what exactly are we talking about when we refer to cybersecurity? Think of it as putting up fences or firewalls around places that store and transact information. However, like all barriers, they have soft spots. Data that resides behind these walls can be as simple as someone’s credit card number, or as sensitive as a stash of diplomatic emails. The former may seem insignificant, but it can be used to pry open a retirement savings account, or access medical records. The hacker can then collect enough information to use it as a back door to more valuable information. The latter, as Hillary Clinton discovered, is enough to derail a political career. And that is not even touching on data pertaining to critical infrastructure that hackers constantly go after. Think power grids and nuclear reactors.
Security Breaches In Plain Sight
Roar Media spoke to Romeish de Mel, CEO of Sri Lanka-based cyber security company, Flix 11, on what kinds of threats cybersecurity companies deal with in Sri Lanka. To clarify this murky business, de Mel used an example: “A few years ago, we were demonstrating how our data operations centres use surveillance software to scan a network for vulnerabilities. The client was a very large financial institution servicing thousands of customers. While we were doing this, in real time in their conference room, we spotted a stream of data moving out of one of the company laptops to a foreign country.” And the laptop in question? It happened to be in the room — it belonged to the head of systems security!
If such a breach could happen to the very people tasked with safeguarding our networks, imagine what might happen to the computer used by, say, the accounting clerk. While no one is watching. At 3:00 in the morning on a Sunday. Have they plugged in these holes? “I hope so,” said de Mel.
Corporate data security is essentially a cat-and-mouse game, as industry experts lament. Cracking ATM pins and laptop passwords is becoming child’s play for hackers. Even the most complex-looking passwords, such as “p@$$word” or “qeadzcwrsfxv1331” are hopelessly weak, according to WIRED magazine. That smartwatch hack? Data thieves can tap into sensor data from the object on your wrist and fire up an algorithm that could predict your PIN by tracking your wrist movement. So will we ever be safe? More pertinently, how seriously do companies take the threats to their enterprise? Banks, hotels, and supermarkets store data that may be attractive to not just the common-or-garden hacker after a dozen credit card numbers, but to competitors and hackers in another part of the world. A large company’s supply chain data has several vulnerable entry points, which if breached, could disrupt contracts worth millions of rupees.
This is the kind of world we who purchase shiny objects on eBay take for granted. On a global scale, cyber operations could be employed during armed conflicts, anticipates the ICRC. Cyber attacks can impact essential services to civilians, including the healthcare sector. Ever heard of Phosphorus, Holmium and Strontium? These are cybercriminals monitored by Microsoft’s Digital Crimes Unit. (Yes, there is such a division!) They see ‘threat actors’ emerging in places like China, Japan and Russia.
To find out how they do it, Roar Media spoke to Spencer Luke, a security compliance expert at Microsoft based in Dallas, Texas. We first asked him what keeps him awake at night. “We see hackers and bad actors often using the same technology we use for detection for obfuscation,” he said. “We monitor threats using several indicators — including eight trillion security signals a day,” he explained. Luke spoke of phishing attacks that have become so sophisticated that average people aren’t always able to recognise them. How about Artificial Intelligence (AI), we asked — does that change the game? “I think AI can be a critical difference in the balance of power,” Luke said. “It is much easier for an AI or ML (machine learning) model to recognise an anomaly, when something is happening out of the ordinary. For this reason, organisations of all sizes have begun to have a cybersecurity division to maintain constant surveillance of their digital assets. This includes those at the point-of-sale or on workers’ desks. This also involves offensive measures such as forensic analysis and threat intelligence assessments, and sometimes even running counterintelligence operations. There is even a term for going on the offence: threat hunting. It speaks to the old notion that eternal vigilance is the price of safety.
So, what could someone do in the face of such threats? Sri Lankans, and certainly companies, should be more proactive, recognising that being plugged into a global economy means being vulnerable to drive-by data thieves and state actors with long-term motives.