2014 was a sobering year from the perspective of cyber security. While nobody thought that the problem of cyber security was “solved” when the year began, most analysts believed that almost all large firms had reasonably robust IT security in place. By the same token, few predicted that 2014 would see more than a dozen major hacks at Fortune 500 businesses ranging from JPMorgan to Sony.
According to a January 6th report from Paul Cerrillo of the global law firm Weil, 2015 is the year U.S. corporations start taking cyber security seriously.
The NIST cyber security framework
On February 12, 2014, the Obama Administration announced the National Institute of Standards and Technology (NIST) Cyber Security Framework to “allow organizations – regardless of size, degree of cyber risk or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.”
This NIST Cyber Security Framework includes five main elements:
– Encouraging businesses and organizations of all sizes to develop the organizational understanding to manage cyber security risk to systems, assets, data, and capabilities. This means identifying the most valuable IP assets and where they are located (off-line servers, network servers or the cloud).
– This is where the rubber hits the road — protection means developing and implementing systems to protect the firm’s prized IP assets.
– Detection means implementing a means to identify the occurrence of a cyber security event. In many cases, “an event” may turn out to be nothing serious once investigated. But an event that is missed, or not recognized as something more severe, could turn into a catastrophic incident.
– Organizations also need to develop an Incident Response Plan for a variety of potential cyber security scenarios.
– Finally, businesses and other organizations need to develop and maintain plans for system resilience and to restore any capabilities or services damaged in a cyber security event.
Phishing or spearphishing
The Weil cyber security report highlights that “employee phishing and spearphishing training is imperative.” Cerrillo notes that the most notorious cyber espionage campaigns against organizations have begun with an innocent-looking email sent to an unsuspecting company employee or executive.
If the employee opens the email (or sometimes an email attachment), the malware is installed onto the computer and then spreads to the company network. According to a December 2014 article from Newsweek: “Once on a system, the malware gathers information such as the operating system version, computer name, user name, and local IDs, as well as system drive and volume information. All the data that is collected is encrypted and sent to a cloud account… in an apparent attempt to avoid detection by anti-malware tools.” After that the hacker can begin his attack and start stealing information. Typical information stolen by hackers includes business plans, M&A information, and customer and employee personal data.
This process is known as “phishing.” “Spear phishing” typically focuses on specific individuals within an organization. Hackers will use social media sites such as LinkedIn or Facebook to personalize messages or impersonate users so that the spearphishing email is accurate and compelling. Mandiant reports that “91 percent of cyber-attacks start with spear phishing….”
According to cyber security expert Tracy Kitten: “The pool of spear phishing targets in 2015 will be larger and not just limited to a select few, like executives….”
A growing number of companies are now training their employees by using random phishing emails designed to look like they came from either the company or another trusted source. The potential benefits of “anti-phishing” training are significant. One recent study showed that “between 26% and 45% of employees at those companies were Phish-prone, or susceptible to phishing emails. Implementation of [training] immediately reduced that percentage by 75%; with subsequent phishing testing over four weeks resulting in a close to zero phishing response rate across all three companies.”