You Will Be Hacked
It could have already happened and you just don’t know it.
Either way, it will happen to you, no matter how big or small your organization is. Here are five ways the cyber war is being fought in Hawaii, and what’s being done to reduce the risk and recover more quickly after a breach.
1. TURN YOUR WEAKEST LINK INTO AN ASSET
The biggest vulnerability in cyber-security systems is not old computers or outdated software – it’s people like you and me, it’s our bosses and our colleagues. The most important way for Hawaii organizations to fight back is by coaching people, including the CEO, say experts in cyber security.
“One hundred percent of you are the objects of a targeted attack that will get into your networks,” says retired U.S. Air Force Maj. Gen. Brett Williams, former director of operations for U.S. Cyber Command and now a top executive at IronNet CyberSecurity, based in Fulton, Maryland.
“If you’re trying to solve cyber security, it’s not solvable,” he says. “You’re approaching it the wrong way. We’ll get better on defense; they’ll get better on offense. It’s not a problem we’ll solve anytime soon. It’s a people issue, not a technical issue.”
So while strengthening your organization’s cyber-security system, focus immediately on strengthening your organization’s culture and leadership principles, Williams says. That includes ensuring the CEO is a model user of the system, adheres to the rules, is extremely knowledgeable about the system’s operation and capabilities, and values the growth and support of cyber-savvy leaders. And all employees must know and adhere to the rules of the system – and be held accountable.
“It’s a risk-management issue. You can operate with a known and acceptable level of risk. As long as you allow humans to use it (and there are disgruntled humans), it’s a human problem.”
Williams was a speaker this past fall at the Hilton Hawaiian Village, where about 300 military and business leaders and others gathered to learn about cyber security.
One common way for hackers to enter a company’s data networks is by using basic human psychology to lure employees to click on subversive links.
“FOMO, people’s Fear-Of-Missing-Out, is an effective way of leveraging human emotion to gain access to information,” says
Scott Spiker, the former cloud security director at Unisys, and now a cyber-security sales consultant with ADP, the global HR firm.
Spiker explained later: “At the most basic level, the cyber-security challenges we face are really human problems. It’s not that hackers can all of a sudden get into a network. The most effective way is to use a human to essentially open a door into the network by clicking on a link, going to a website. What hackers have realized is that there are several emotional factors that make people click on a link. That could be by using a hierarchy,” says Spiker, meaning making an email look like it’s coming from your boss or your boss’s boss. “The thought is, ‘My boss needs something right away. I should respond right away,’ rather than thinking, ‘Why would this come in?’
“There’s also the use of vanity and pride (by attackers), like, ‘Hey, check out this picture of you at that conference.’ It’s pride that makes me click on the link,” Spiker says.
A recent Verizon study of data breaches found recipients opened 30 percent of suspect emails and 12 percent of people went on to click suspicious links in those emails. “When that door gets opened, that’s the way they get in,” Spiker says.
To prevent those breaches, Williams recommends constant training plus “very strict controls using what we call IAM – Identity Access Management. What that has is very strict rules on what you’re allowed to access in the system. For instance, if you work in the administration department in a large hospital, you shouldn’t be able to log on and see someone’s medical records. You want to have a set of controls in place so that every individual, when they log on, it’s very clear what they’re allowed to access and to know what things they need for their job. If those controls are in place, if someone in administration clicks on a (malware) link, then the hacker won’t be able to get in further.
“There have to be security controls in place so that if someone is legitimately in the pharmacy department, they can’t easily move to health care or finance (within the system). You have to make sure you can’t move laterally without the proper controls.”
There’s another concern that retail chain Target is now very familiar with: vendor-risk management. “Some big medical institutions have over 3,000 vendors with access to their networks,” says Williams. “What’s the security being maintained with all those vendors? That’s what happened to Target. Someone hacked a vendor, stole his password, and got into Target and Target didn’t have (lateral) controls in place.”
2. HAWAII IS A PRIME TARGET
You are wrong if you think Hawaii is a small fish, too distant from the rest of the world to be a target for hackers trying to infiltrate our infrastructure, including the electricity grid.
In September, Hawaiian Electric Industries operations were “probed” 60,000 times by potential internet attackers. “That’s 2,000 times a day,” says HEI CEO Connie Lau, speaking at a recent cyber-security conference in Waikiki. “In October, that number more than doubled to just under 140,000.
“You never know when you have different actors out there, whether it’s nation-states or criminal factions. You just have to be prepared.”
Despite the state’s small size and relative isolation, Hawaii is a target because of the strong military presence here.
“It really jumps Hawaii right up to the top of the target list,” Lau says. “We have a lot of federal facilities on the Island; the head of Pacific Command and the four military services are all in Hawaii. Plus, we’ve got other intelligence units; so that’s one of the reasons we have to be so careful in protecting the grid.”
Retired Maj. Gen. Brett Williams, former director of operations for U.S. Cyber Command, says five infrastructure systems nationwide are key targets for hackers: energy, water, telecommunications, finance and transportation, and each is vulnerable.
“There’s a lot of debate about how real the threat is to the grid,” Williams says. “On the one hand, much of the infrastructure is old and built well before we connected everything. But our power systems are rapidly moving to the smart grid. And, as you have smart meters and this web of electrical power managed through sophisticated computer systems, you increase the vulnerability. I know there are nation-states physically targeting the power grid. Russia and China are those with the most capability. And states like Iran and North Korea have no chance competing on a battlefield, but they could attack us in cyber space. That starts to have a strategic impact on the U.S. because a large part of our power is the economic system,” Williams says.
“And if you could take down one of the seven or eight Wall Street banks and one of the processing institutions like the clearinghouse central to processing of electronic payments, a coordinated attack like that would have significant implications on our financial system. An attack on the power grid and financial system, with cascading effects like creating a loss of confidence, that’s what we worry about.”
Admiral Mike Rogers, director of the National Security Agency, and Mike Morell, former deputy director of the CIA, have called these key pieces of the infrastructure “juicy targets,” warning that cyber attacks pose significant dangers to daily life. Specific targets include power stations, airports, military operations, and medical and bank records.
The danger to infrastructure was made clear on a cold December evening in Ukraine a little over a year ago. Two days before Christmas 2015, a worker responsible for distributing power lost control of his computer mouse.
Dumbfounded, he watched it move on its own and shut down power stations. The hacker took down 30 stations, leaving more than 230,000 people without heat or lights.
An analysis of the attack afterward by U.S. investigators from the FBI and Department of Homeland Security called it a sophisticated assault by hackers, well-funded and well-trained over many months, and possibly the work of cyber criminals in collaboration with nation-states.
This past fall, there was a cyber attack on a German nuclear power plant and an Iranian hacker took control of a dam in New York state from 6,000 miles away.
Experts say defense should begin with partnerships and information-sharing among public, private, academic and government sectors to create a collective defense. Hawaii has already taken many steps in that direction.
“How do we get a more collaborative approach?” asks Williams. “It’s important in how we move forward. And Hawaii (because of its relatively small size) has a unique opportunity to have a shared sense of purpose.”
Lau says Hawaii is already moving forward on that approach.
“One of the things a state can do is set up a fusion center and we are building that, the Hawaii State Fusion Center,” Lau says. “It allows all critical infrastructure people and those associated with the intelligence community to come together in one place. It aggregates all of the federal resources for the benefit of the state and the private actors in the state so that we can exchange information and collaborate on cyber-security issues.”
Hawaii’s Fusion Center is in its infancy, but the state’s adjutant general, Maj. Gen. Arthur J. “Joe” Logan, is already working with UH to build a center where private companies and government can come together. “We’ve built a lot of the infrastructure, and we’d like to have a more formal Fusion Center,” says Lau. Logan is working with the governor and state administration on a bill requesting legislative funding to strengthen what’s in place and to enhance its capabilities, Lau says.
“Part of the Fusion Center is to know who to go to and then have an intelligence-driven computer network defense that’s informed by analysis of adversarial campaigns.” By sharing data and then analysis, said Lau, “we can defend our network.”
Lau points to several other partnerships that help protect Hawaii’s infrastructure. For instance, the Cyber Security Mutual Assistance Group models the assistance that occurs during a physical disaster, like a hurricane. For example, if a utility is under cyber attack, others help with technical assurance personnel. “Everyone has only so many information assurance employees and you need to do the analysis of the attack very quickly,” Lau says. “So this gives us exchange of information and collaboration within our industry.”
“All of the discussion today has gone beyond, ‘Is it going to happen?’ ” Lau told the cyber-security conference. “It’s now about, ‘We need to be able to recover quickly when it does happen.’ It’s not ‘if’ but ‘when,’ and everyone is putting in place programs and doing exercises continually so that when it happens we know what to do. It’s not much different than a hurricane. We must assume a hurricane will hit and we just have to know what employees should do.”
Even with 30 to 40 virus scan tools in place, HEI is continually adding more, Lau says. “You have to be constantly upgrading. Not only do we do tools ourselves, but we also have a whole bevy of outside vendors who are experts in doing things like penetration testing and monitoring analytics who assist us.”
3. ENCOURAGE FRIENDLY FIRE EVERY SO OFTEN
The military offers this advice to civilians: Invite white hats to attack you.
No institution is more aware of cyber threats than U.S. Pacific Command, based at Camp Smith on Oahu and in charge of American defense operations across half the globe. To continually strengthen its defenses, every eight to 10 weeks, PACOM undergoes what is often a surprise cyber attack by a Red Team – a team of “ethical hackers” or “white hats” trying to break in.
“A Red Team is a team that acts like the bad guys,” explains Randall C. Cieslak, senior executive service chief information officer at PACOM. “That’s the ultimate best practices – to use a certified ethical hacker to hack your system.”
If the Red Team does get in, says Cieslak, flaws discovered and exploited are patched by the Blue Team and then, guided by what was uncovered, the Green Team trains personnel in new best practices.
PACOM learns from its mistakes. In the wake of Edward Snowden’s 2013 leak of classified military documents after working in Hawaii as a contract employee of the NSA, PACOM says it reviewed and strengthened all of the “silos” within which information resides, as well as more thoroughly scrutinizing the actions of personnel within the cyber systems.
There are strict divisions of what information is accessible to the internet and what is not, said Cieslak. “We have many different networks not on the internet used for command and control,” he said. “But we do have to interface with the public and other organizations so we have to be able to have our feet in both worlds – and guard very carefully the connections between the two.
“Any critical infrastructure should not be connected to the internet, but you can still use the internet technologies to have a private network to take advantage of long-range remote-control methodology. That’s where encryption comes into play, and there are different strengths of encryption.”
Cieslak says the human element is “the weakest part of cyber security. You can’t patch a human being.”
4. HACKERS ♥ BANKS AND HOSPITALS
The two biggest targets of hackers in the private sector are financial and medical institutions, say cyber-security experts.
Banks are popular with modern cyber criminals for the same reason they were with earlier gangsters: “Because that’s where the money is.” Hospitals, on the other hand, are frequently targeted because they hold patient data that can be turned into money and drugs.
On the black market, an individual’s medical record can go for anywhere from $20 to $60, says Scott Spiker, a cyber-security consultant with ADP, the global HR firm. Compare that to the value of a stolen credit card number, which is worth about $1 on the black market.
“Health insurance fraud has become a big thing,” says Spiker. “And health care fraud carries into drugs and the pharmacy. The health care record has a lot of information that can be monetized, and you can’t just replace it like a credit card. I can issue you a new credit card, but not a new health care record.”
Andrew Rosen understands that his job as president and CEO of Hawaii State Federal Credit Union includes understanding how financial institutions are vulnerable and how to keep them safe. He works with CIO Joel Kumabe to protect the credit union and its 95,000 members from cyber thieves.
“We’re regulated by the federal government, the National Credit Union Administration, and for the last two years, they’ve identified cyber security as one of the top priorities,” Rosen says. “In their audit, that’s what they look for – what measures we have in place to protect our systems and how we protect our members and their accounts and how we’re ensuring that data is secure.”
New banking technologies, such as enabling customers to conduct transactions through their phones and computers, increase security risks, Rosen says. You need to be constantly vigilant to keep things secure while enabling customer accessibility.
“They (cyber criminals) tend to go after financial institutions. We’re a prime target for this type of attack,” Rosen says. In the last two months, he says, there were 1.1 million “exploits” against the credit union’s website or browsers, and 75,000 denial of service types of attacks. All were repelled. “We really have good systems in place.”
Those systems include almost doubling to around 18 or 19 the number of IT specialists over the last five years, as well as constant patching of software, and regular assessment with a new tool that was launched a year ago by the umbrella organization that governs financial institutions. “It allows organizations to determine the level of risk and maturity they have for cyber security,” Kumabe says. “They’ve consolidated some of the industry standards under this one tool so organizations can identify if they’re on the right track.”
Other security steps include constant training of employees and offering customers immediate text or email alerts if their cards have been compromised.
“We also have custom apps for smartphones that let you turn on or off your cards to prevent unauthorized use,” Rosen says. The credit union says it was the first to replace all customer cards with EMV-chip-enabled cards that make counterfeiting harder. In their first year, the new cards have reduced point-of-purchase fraud by 70 percent, Rosen says.
“I forgot my card at a pizza place,” remembers Kumabe, “so I went on my app and turned my card off. It’s a whole new level of protection that technology is allowing us in order to protect our members against fraud.” He later retrieved his card, and turned it back on.
Much has been tightened since an embarrassing incident five years ago, soon after Rosen joined the credit union. A call came from Kumabe telling Rosen that, when customers logged on to the credit union website, they saw a picture of Lady Gaga.
“We had protected the server but we hadn’t looked at the code itself that programmed the website,” said Rosen. “We were relying on a third party to manage our website.”
“The lesson learned,” adds Kumabe, “is that patch management is really important. You have to make sure software patches are installed and updated constantly.”
That updating is crucial, says Matthew Chapman, associate professor of information technology and cyber security at UH West Oahu.
So, on the second Tuesday of each month, be ready.
“That’s when a lot of Windows updates – patches – come out to remove vulnerabilities in the software,” says Chapman, who formerly headed Pacific Command Cyber Operations for the U.S Army before retiring in 2014 to go into academia.
“When these patches come out, some malicious actors reverse engineer them and exploit people who don’t patch their systems,” says Chapman. “So when you get the updates, it’s very important to execute those updates. Do it right away. You want to do it within two weeks because it won’t take long for someone to reverse engineer the patch.”
You always have to improve your odds against cyber attacks, because the odds will always be against you. “No matter how good you get on defense, the offense always has the upper hand,” says retired U.S. Air Force Maj. Gen. Brett Williams, former director of operations for U.S. Cyber Command. “Let’s say I get 1,000 attacks in a day. I have to defend all 1,000. But the attacker just has to be successful once. It’s cheap for the offender, but very expensive for the defender.”
5. COLLEGE STUDENTS ARE TRACKING CYBER CRIMINALS
Jason Torikawa-Domingo is just 22, but he’s already helping to protect Hawaii from cyber invaders.
He is one of four student interns at the Cyber Security Coordination Center at UH-West Oahu, the campus that has emerged as the state’s leader in cyber-defense education.
“We analyze what’s going on in the world and how it impacts our campus, or Hawaii in general,” says Torikawa-Domingo of the student-run security center where students sit at banks of computers monitoring the globe for cyber mischief. “We offer internship-style positions so students get first-hand experience training on the job.
“We have four interns at the center,” says Torikawa-Domingo, who has been fascinated with technology ever since he was a child in elementary school taking computers apart. “One intern, called the global analyst, looks at what’s going on in the world IT-related, and writes a weekly report on it.” The others each specialize in other fields: vulnerability research, information-security best practices and forensics.
Reports are available to the public at www.uhwo.hawaii.edu/cyber, says Matthew Chapman, associate professor of information technology and cyber security at UH-West Oahu. The reports offer a way of keeping up with cyber attacks around the globe and learning to cope with cyber dangers.
In December, a team from UH West Oahu and Honolulu Community College took first place in the National Cyber League competition. It was the first time a Hawaii team has won this national contest.
Last summer, UH-West Oahu went through a certification by the National Security Agency and Department of Homeland Defense to be named a National Center of Academic Excellence in Cyber Defense education, Chapman says.
“We’re the only four-year institution in Hawaii with this certification. Hawaii Community College is certified as a two-year school and UH-Manoa is certified for cyber-defense research. In the UH system, we try not to duplicate capabilities among the campuses, so the center for cyber-defense education is really West Oahu. All of the campuses have something to do in this area, but WO is the focus.”
At West Oahu, students can earn a bachelor’s degree in applied science with a concentration in ISA (information, security and assurance).
Torikawa-Domingo will graduate in May, but he’s already in a yearlong second internship, this with Lockheed Martin Corp. “I put to use the skills I learned on the networking side,” he says. “And, because this is a rotational position, I’ll eventually rotate around to all the different jobs.”
SEVEN SIMPLE STEPS TO STAY SAFE IN CYBERSPACE
Matthew Chapman, associate professor of information technology and cyber security at UH West Oahu, offers these tips:
1. CHANGE PASSWORDS
Be aware that devices that can be controlled by your phone, such as thermostats or lights, may be connected to the internet. If their log-in credentials remain on the factory-installed default, they are vulnerable to attack. These devices are part of the “internet of things,” Chapman says, a major new vein of vulnerabilities that can be exploited by hackers. Put new passwords on these devices.
2. USE ANTI-VIRUS SOFTWARE
PC Magazine does an annual overview of such software.
3. TAKE ADVANTAGE QUICKLY OF SOFTWARE IMPROVEMENTS
Microsoft updates its Windows software using patches on the second Tuesday of the month. Update before a hacker can analyze the patches to discover weaknesses for an attack. Apple and Android also frequently update their software.
4. BUSINESSES SHOULD SEGREGATE NETWORKS AND FUNCTIONS
“People should only be able to access information they need,” Chapman says. “I wouldn’t have any public website on the same network as something more critical like finance or proprietary research. If you segregate the networks and the function, that will increase the security.”
5. USE APPLICATION WHITE-LISTING
It’s a common practice to blacklist certain things; for instance, if you know the name of a virus, you can block it by blacklisting it. The problem is, hackers can alter the name of a virus and new viruses are frequently created. White-listing is the opposite and safer approach: You only allow certain applications to run and, if something isn’t on the list, it doesn’t run. Then if someone clicks on a phishing site, the malicious software that is downloaded won’t run on your computer because it’s not on the list.
6. GIVE INFORMATION-SECURITY TRAINING TO YOUR EMPLOYEES
For instance, how do you recognize an email that is actually a spear-phishing email? Train your network users, Chapman says. “The human interaction with the computer is always a weak link.”
7. BUT ALSO MAINTAIN PHYSICAL SECURITY
“If I can walk into the server room and take the hard drive and dissect it at leisure,” then you’re vulnerable, says Chapman. “Ideally, all the data is encrypted, but physical access to machines is significant for malicious actors. If they can get to a machine, they can plug in to it.”