Keep employees off the Internet and avoid clicking on any attachment or link in an email. Those are the only sure ways to avoid cyberattacks, according to three experts who spoke Sept. 13 in Rohnert Park at a conference on cybersecurity co-sponsored by the North Bay Business Journal and Exchange Bank.
Maybe it sounds severe to adopt such a defensive stance in business. But conference speakers said the Internet has become fraught with peril, rife with thieves who will steal identities and drain bank accounts, pretend to be vendors and present fraudulent bills or download ransomware that paralyzes a company’s network until the ransom is paid.
All it takes for a hacker to break into a business computer system is one inattentive employee, especially one who is great at customer service, one whose friendliness becomes the doorway through which a bad guy pounces. Company executives are favorite targets of hackers; they diligently respond to emails disguised to appear to come from within the company.
One speaker, Jim Stickley, owner of Stickley on Security, spoke with a rapid-fire delivery that he describes as a “monkey on crack.” He delivered hard-nosed advice on protecting a bank or other business from hackers and cybercriminals. Since he was a kid, Stickley has been breaking into other people’s computer systems, first for fun, then as a skilled white-hat professional hired to test business computer networks and discover vulnerabilities before criminals do.
By the time he was 16 years old, Stickley was developing code for corporations. “I didn’t realize they were making money off me,” he said about his parents, chuckling that his pastime had become his career. “I just thought it was fun.”
Stickley learned tone controls from phone-company manuals swiped from service personnel in the field. “When kids were mean to me at school,” he said, “I would go and turn their parents’ phone off.”
He wasn’t malicious about hacking, Stickley said, but it was attractive and fun.
Part of his consulting is about physical security. That includes being hired by a company to get into company networks directly. He shows a video of his suit-and-tie employee piggybacking on the entry of a janitorial employee after hours, gaining physical access to the building. After that, malware can easily be installed directly onto company computers. “Just in financial institutions, I have physically gone into over 1,000 locations and stolen whatever I was supposed to steal without getting caught.”
He shows how the dark web is used by hackers to sell stolen data, including medical records that have Social Security numbers, account numbers, passwords and driver’s license numbers. “There is always some company somewhere that is losing your data,” he said. “You are now the victim.”
The hacker who steals data usually sells the information to thieves who buy the data on the dark web. “The dark web is the easiest and simplest way to bring these people together,” he said.
The dark web can be browsed anonymously through the Tor browser, which bounces packets of communications through millions of servers worldwide. “The dark web is not illegal,” Stickley said. “It is really interesting.” Such sites end in .onion instead of .com or .net. But the dark web contains realms drawn from sinister, creepy aspects of human misfits, he said, noting that some images cannot be unseen once glimpsed.