On 9/11 in 2001, terrorists from al-Qaeda brandished box cutters to hijack planes from United Airlines and American Airlines, crashing one jet from each company into twin towers of the World Trade Center. The attacks killed nearly 3,000 people.
In the 16 years since then, a new generation of terrorists has brandished keyboards in lieu of box cutters. Their threat looms far larger than the shadow of the nearly 1,400-foot former WTC towers.
Just as 9/11 terrorists targeted edifices that were business icons, cyberterrorists aim at American business targets, seen by jihadists as evil emblems of free commerce. Business targets include banks as portals to paralyze our financial system, transportation companies to cripple the flow of goods, utilities to wreck electric grids and car companies to derail self-driving cars and kill passengers.
Symantec, a cybersecurity firm based in Mountain View, on Sept. 6 warned that a hacker group known as Dragonfly has targeted energy firms in North America and Europe since 2015.
A cyberincident could shut down portions of American business for long periods. Even regional banks including Santa Rosa-based Exchange Bank regularly fend off attempts that appear intended to inflict damage — more than stealing customer identities and funds.
In August, HBO was hit by hackers who leaked upcoming episodes of shows including “Game of Thrones,” “Curb Your Enthusiasm,” “Insecure” and “Ballers,” as well as new shows. In 2014, Sony fell victim to cyberattacks as employees were unable to access the company network, red skeletons appeared on their screens, and emails, personal information and unreleased movies were leaked.
The Sony attack was “way worse” than HBO attacks, said Jim Stickley, owner of Stickley on Security, which consults to Sonoma County companies from its base in San Diego. Hackers had “access to everything,” Stickley said, “mail, payroll. It was a free-for-all.”
Federal authorities attributed the Sony attack to North Korea. The company’s then unreleased spoof movie “The Interview” featured two journalists hired by the CIA to assassinate that country’s leader, Kim Jong-un.
“If they weren’t part of North Korea, they were definitely representing North Korea,” Stickley said.
Hacking is a new form of warfare, Stickley said. “When Russia went into the Ukraine, they hacked their networks first,” he said. “Every major government on the planet has an entire hacking unit” devoted to attacking other countries.
“When someone shoots a bomb at you, it’s war,” he said. “When someone hacks into your network, there’s no precedent set that that’s war. That’s just digital. Everybody is in this weird spot now. If China hacks in and takes down infrastructure, is that an act of war or just a nuisance? You are seeing rogue craziness going on. Nobody has defined” a digital attack. “If you do this, it’s an act of war.”
The United States runs its own digital combat. “We hack everybody,” Stickley said. “We have done lots of damage,” such as hacking Iran’s nuclear centrifuges using Stuxnet, a malicious program developed a dozen years ago. The worm reportedly wrecked nearly a fifth of Iran’s centrifuges then raced around the globe to infect nearly a quarter of a million computers. “We set them back years” in their manufacturing of centrifuges, he said.
In Iran, centrifuge manufacturing was not connected to the Internet, so the worm attack might have been brought in on portable drives, such as thumb drives, he said.
Weapon systems are typically not connected to the net because it makes them susceptible to attack. “Nuke plants are not supposed to have direct connection,” he said, but electric grids for cities typically are connected. He consulted to clients seeking to shore up digital defenses for grid systems.
A large-scale digital attack on a big bank would be “a shocking moment” that could upset the entire financial-payments system, he said, even if no major damage occurred. “Just the shock wave that it could happen would be enough to freak out a lot of people and cause stock markets to crash.”
Attacks against banks or other businesses resemble attacks against countries. “All attacks start and end the same way,” Stickley said. “The actors behind it are not as relevant as the risks themselves,” he said.
The easiest attack route starts with a phishing expedition: a hacker seeks an executive with deep network access in a bank or other company and entices the executive to click on an email attachment that downloads malicious code into the network. The code gives the remote hacker persistent access. Stickley said about 80 percent of hacking uses such methods.
“It is an easy target,” he said. Seven or eight years ago, a hacker might start with the Internet and “bang away at your firewall” to penetrate a mail server or web server. “I would worm my way into the rest of your network. That was hacking.”
The game has changed to trickery. “Now if you want me to break in, I pick a few random employees. I am going to have access to their desktop in an hour,” Stickley said. “Whatever access they have to data, I now have. I have bypassed all the work” of breaking in as an outsider.
Randy Hong works as information-security officer for Exchange Bank, which has some $2.2 billion in assets and 18 branches in Sonoma County. Hong, who has been with the bank for four years, wards off hackers and aims to keep employees from inadvertently allowing malevolent access. On 9/14 and 9/15 he plans a disaster-recovery test.
“Firewall is just part of it,” Hong said of the continuous task of warding off cyberterrorists and cybercriminals. He scans for weaknesses in what he calls the “threat landscape,” where customer data could be taken by hackers anywhere in the world. “People attack from the darknet or the Internet,” he said.
He guards against intentional releases of data by disgruntled employees. “More risk is internal,” Hong said. “Most security breaches are internal.” Vendors can also be the source of breaches. “We push data more and more into third parties,” Hong said. “How can you control those parties? It’s very hard.”
He has seen attacks on Exchange Bank from foreign hackers, but none that crippled the bank’s network. He routinely monitors incoming and outgoing digital traffic — email and web.
“We filter out about 96 percent of emails,” Hong said. Only 4 percent of incoming mail is valid communication; the rest is spam, phishing or other attacks. “That is the case for most companies.”
He has seen attacks such as distributed denial of service, where multiple incoming communications overwhelm the bandwidth of the bank’s system, forcing a shutdown or compromised response. The bank carefully monitors its peak capacity.
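The monitoring Hong describes comes down to comparing request volume in each time window against known peak capacity, and checking whether the load is spread across many sources. The following is an added illustration, not Exchange Bank's or Hong's tooling: it parses a constructed web access log (timestamps, client addresses and paths are made up, and the capacity threshold is an assumed value that a real site would take from load testing), buckets requests into one-second windows, and raises an alert for any window that exceeds capacity, noting how many distinct sources contributed and whether a single source dominates.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample threshold: requests per second the service is known to sustain.
# A real value comes from capacity/load testing of the actual system.
PEAK_CAPACITY_RPS = 5

# Constructed access-log sample in a simple "timestamp source method path status" layout.
# Addresses are from documentation ranges (RFC 5737) and are not real clients.
SAMPLE_LOG = """\
2017-09-14T10:00:00Z 198.51.100.7 GET /index.html 200
2017-09-14T10:00:00Z 198.51.100.9 GET /login 200
2017-09-14T10:00:01Z 203.0.113.5 GET /login 200
2017-09-14T10:00:01Z 203.0.113.6 GET /login 200
2017-09-14T10:00:01Z 203.0.113.7 GET /login 200
2017-09-14T10:00:01Z 203.0.113.8 GET /login 200
2017-09-14T10:00:01Z 203.0.113.9 GET /login 200
2017-09-14T10:00:01Z 203.0.113.10 GET /login 200
2017-09-14T10:00:01Z 203.0.113.11 GET /login 200
2017-09-14T10:00:02Z 198.51.100.7 GET /about 200
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict; return None for malformed lines."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    # strptime is used instead of fromisoformat so the trailing "Z" parses on older Pythons.
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": int(ts.timestamp()),
        "src": m.group(2),
        "method": m.group(3),
        "path": m.group(4),
        "status": int(m.group(5)),
    }


def detect_floods(lines: List[str], capacity_rps: int, window_seconds: int = 1) -> List[Dict]:
    """Return one alert per time window whose request count exceeds capacity.

    Each alert records the total, the number of distinct sources and the share of
    the busiest source, so an operator can tell a distributed flood (many sources,
    none dominant) from a single misbehaving client.
    """
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip blank or malformed lines rather than abort monitoring
        bucket = ev["ts"] - ev["ts"] % window_seconds
        buckets[bucket][ev["src"]] += 1

    limit = capacity_rps * window_seconds
    alerts = []
    for start in sorted(buckets):
        per_src = buckets[start]
        total = sum(per_src.values())
        if total <= limit:
            continue
        top_src, top_n = per_src.most_common(1)[0]
        alerts.append({
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "count": total,
            "distinct_sources": len(per_src),
            "top_source": top_src,
            "top_source_share": top_n / total,
            # Heuristic: several sources and no single one carrying half the load.
            "distributed": len(per_src) >= 3 and top_n / total < 0.5,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG.splitlines(), PEAK_CAPACITY_RPS):
        print(alert)
```

In the sample, the 10:00:01 window carries seven requests from seven different addresses against a capacity of five, so it is reported as a distributed flood; the neighbouring seconds stay under the limit and produce nothing. Widening `window_seconds` smooths out legitimate bursts at the cost of slower detection.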
“These kinds of attacks happen all the time,” Hong said, “from Korea, the Ukraine, China — all those countries.” Next-generation firewall layers aim to filter out some attacks. “You can detect what kind of activity” the system is encountering, he said, including “intrusive actions.” Chunks of suspicious or invasive code are compartmentalized to keep them from infecting the local-area network. End devices such as desktop or laptop computers can have their own firewall layers.
Hong quarantines email to look for trouble. “We have email secure gateways,” he said. “People pretend to be Exchange Bank employees. We have ways to filter them out. Financial institutions are a big target.” The bank has some 40,000 customers in Sonoma County, including a few thousand businesses. Exchange Bank has about half its employees using Citrix virtual desktops that offer better IT control than desktops on actual personal computers. “We can do all the upgrades, all the scanning” with a virtual desktop in the data center, he said. Virtual desktops prevent users from downloading applications that can infect the system. “A lot of high-security (computing) environments are moving in that direction,” Hong said, requiring two-factor authentication to gain entry. “Once you click on an (email) attachment,” Hong said, a hacker can gain control of the network.
He sees the prospect of cyberterrorism as frightening, such as hacking into Visa or MasterCard. “Not just financial companies,” Hong said, “but utility companies, transportation.”
Hong, who earned a Ph.D. in theoretical physics at Notre Dame, worked previously for Global eXchange Services, now GXS, a company that provides global B2B services via the cloud, including electronic invoicing, product catalogs, digital commerce, and control of railroad transportation of goods. “If you crack into those systems,” Hong said, “you won’t know if the train is going to depart. How are goods going to” get to their destinations.
“As a country, cybersecurity is one of the top priorities. In the past, war was (about) soldiers fighting each other. Cybersecurity is the real war. Communist countries spend a lot on hacking. The frightening thing is you don’t really know if they are already here (lurking in a system) or not, with backdoors. It could happen any time.”
In designing protective strategies, he assumes that hackers are already inside the system. “It doesn’t matter how good a defense you have,” Hong said. “One weak spot, people will be able to get in and exploit that.” Hackers who break into a financial system can easily make a few hundred thousand dollars, he said, making the effort worthwhile even with tens of thousands of attempts. “Unfortunately, we are always on the defense. I keep myself updated all the time, look at all the new technologies, artificial intelligence.”
Company laptops now contain GPS tracking systems that locate the device worldwide. Security software allows a company, as with smartphones, to remotely wipe clean any sensitive data stored on the laptop. “They won’t be able to hack into it anyway unless they have all the encryption codes,” Hong said. “Most times the effort won’t be worth it” to crack the encryption.
Cybersecurity experts increasingly use artificial intelligence to spot anomalies in network traffic to detect cyberterrorist and criminal attacks. A part of the network continuously watches the rest of the network hunting for suspicious chunks of code. Exchange Bank plans to soon deploy Cisco Umbrella, a security platform and Internet gateway delivered via the cloud. “Where are the bad-guy locations? When an employee clicks on a link, Cisco Umbrella will tell whether the address is good or bad,” Hong said. Communication with bad IP addresses and unknown digital signatures will be identified and instantly blocked with filtering gateways.
Even with multiple layers of security, savvy hackers still get in, Hong said. If a virtual desktop is compromised, he can wipe it out without damaging the rest of the system. “All the data is not impacted,” he said. In a high-security environment, data is partitioned repeatedly to make sure it is not compromised.
Bank employees who email customers are required to encrypt access codes and confidential information, he said. Even if a bank employee inadvertently cuts and pastes customer data, the system can spot constellations of unique digital strings — exact data match — and flag them. Customer data stays in the bank’s network and customers use secure gateways to access it after the communication is authenticated. “It’s called data-loss prevention,” Hong said. “Every customer account is in there.”
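Exact data match, as Hong describes it, works by fingerprinting the bank's actual customer values and checking outbound text for those exact strings rather than for generic patterns such as "anything that looks like an account number." The following added example is not the bank's product or Hong's implementation; it shows the idea in miniature with constructed customer records, a constructed salt and an assumed rule that a message is flagged only when two or more fields of the same record appear together (the "constellation" in the text). Values are normalized before hashing so that spacing or dashes do not defeat the match, and only salted hashes, never the raw values, need to reach the scanning component.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample records; not real customers. In practice these come from the
# bank's own account table and only their fingerprints are handed to the scanner.
CUSTOMER_RECORDS = [
    {"id": "C001", "account": "4417-0021-9983", "ssn": "123-45-6789", "phone": "707-555-0101"},
    {"id": "C002", "account": "4417-0088-1204", "ssn": "987-65-4321", "phone": "707-555-0199"},
]

# Constructed secret salt: stops someone who obtains the fingerprint index from
# brute-forcing short numeric values offline. A deployment would store this in a KMS/HSM.
SALT = b"constructed-edm-salt"

# Candidate tokens: runs of digits with optional dashes/dots (no spaces inside).
CANDIDATE = re.compile(r"\d(?:[\d\-.]*\d)?")
MIN_DIGITS = 7  # ignore short numbers such as dates or amounts


def normalize(value: str) -> str:
    """Canonical form so '4417-0021-9983' and '4417.0021.9983' fingerprint identically."""
    return re.sub(r"[\s\-.()]", "", value)


def fingerprint(value: str) -> str:
    return hashlib.sha256(SALT + normalize(value).encode()).hexdigest()


def build_index(records: List[Dict[str, str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each fingerprint to the (record id, field name) pairs that produce it."""
    index: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for rec in records:
        for field, value in rec.items():
            if field == "id":
                continue
            index[fingerprint(value)].add((rec["id"], field))
    return index


def scan_message(text: str, index, min_fields: int = 2):
    """Return (flagged record ids, matched spans) for an outbound message.

    A record is flagged only when at least `min_fields` of its fields co-occur,
    which keeps a lone phone number in a signature from blocking every email.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    spans = []  # (start, end, record id, field) for every exact match
    for m in CANDIDATE.finditer(text):
        token = m.group()
        if len(normalize(token)) < MIN_DIGITS:
            continue
        for rec_id, field in index.get(fingerprint(token), ()):
            hits[rec_id].add(field)
            spans.append((m.start(), m.end(), rec_id, field))
    flagged = {rid for rid, fields in hits.items() if len(fields) >= min_fields}
    return flagged, spans


def redact(text: str, spans, flagged: Set[str]) -> str:
    """Replace matched values of flagged records; work right-to-left so offsets stay valid."""
    out = text
    for start, end, rec_id, field in sorted(spans, reverse=True):
        if rec_id in flagged:
            out = out[:start] + f"[REDACTED {field}]" + out[end:]
    return out


INDEX = build_index(CUSTOMER_RECORDS)

if __name__ == "__main__":
    msg = "Hi Bob, your account 4417-0021-9983 and SSN 123-45-6789 are confirmed."
    flagged, spans = scan_message(msg, INDEX)
    print(flagged, redact(msg, spans, flagged))
```

With the default threshold, an email carrying both a customer's account number and SSN is flagged and both values are redacted before it leaves the network, while a message that only mentions a phone number, or a date such as 20170915 that happens to be numeric, passes untouched.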
Stickley suggests that companies reevaluate whether access to the Internet is needed by most employees. People carry smartphones that can readily access the Internet for personal research or email transmissions. Keeping some of this traffic out of company networks automatically reduces risk from hacking.
“That’s what everybody should be doing,” Stickley said. “How many employees really need web access? The ones that don’t, cut them off immediately. If they really need to be on the Internet, they can use their phones — probably far more secure than the PC they are sitting in front of.”
Cybersecurity involves layers of protection, including firewalls, controlling access through virtual private networks, and encryption of secure data. A company can spend hundreds of thousands of dollars on firewalls and encryption technology, but “if you get that one guy who didn’t know enough,” the entire security effort fails. The best defense against malicious hacking is employee consciousness.
Stickley emphasizes educating employees about how to defeat hackers. “Step into the average financial institution,” he said. Most conduct an annual phishing test to see which employees fall victim, plus some training. “That’s garbage,” he said. “That’s not education. That’s just testing.”
Cultivating business awareness of hacking vulnerability ought to be done at least quarterly if not daily, he said. “(Hacking) technology changes in a week. Any day, there’s a new scam, new way of phishing, a new angle. All it takes is that minor little twist,” he said. “If they’re not aware of it, they’re clicking.”
James Dunn covers technology, biotech, law, the food industry, and banking and finance. Reach him at: firstname.lastname@example.org or 707-521-4257