Continuing our eye-opening chat with Saint Rose cybersecurity experts, we discuss the risks we face every day; how to defend ourselves against hacking and data theft; a commonsense approach to risk assessment; and how to balance our needs for privacy, convenience, and security.
The cybersecurity experts
Zumrut Akcam, Ph.D., assistant professor of computer science
Kimberly Cornell, Ph.D., assistant professor of computer science
Mark Gilder, Ph.D., assistant professor of computer science
Ian MacDonald, Ph.D., professor of computer science, dean of the School of Mathematics and Sciences
It sounds like you could spend all your time doing nothing but protecting your data.
Gilder: It’s extremely difficult to protect everything without greatly impacting your productivity. Some industries, like nuclear plants, have extremely limited or no connection with the internet: In these cases, to access the internet, they have to go to one or two machines that are on a separate network, but they still run the risk of bringing in malware. These environments, though extremely secure, can be frustrating environments to work in.
MacDonald: You’re balancing security versus productivity or convenience.
How do you reasonably protect yourself without going overboard?
MacDonald: In cybersecurity, we take something of a risk-management approach. You identify your most valuable assets, the “crown jewels.” You associate risks to those assets. Then you protect the assets.
You build rings of security outward from there. Take the files on your laptop, for example: You have a passcode for certain software. You have a password for your computer. To get to your computer, you have to unlock your office. To get into the building, you need your ID card.
Gilder: This process is called “Defense in Depth” and refers to multiple layers of security that have been built around critical assets. Each layer can be breached, but it takes time and money. Hopefully, the attacker gives up before having to break through each layer. It’s analogous to protecting your home contents with locked doors, then having a perimeter fence around the house, with cameras mounted on the fence and maybe a few neighborhood watch signs. The hope is that all of these layers will discourage potential thieves.
MacDonald: You’re only as secure as your weakest point, though. In cybersecurity, we call this the “principle of easiest penetration.” I know somebody who has a locked front door, an alarm on the side door, an alarm on the back door, and a security camera on the side door. They left the window open.
Is hacking mostly opportunistic? Are hackers just finding open windows?
Gilder: Many smaller businesses hire third parties to build their websites and might not have standard protections. It is important to verify that these companies know and understand how to develop sites that protect against potential vulnerabilities. For example, SQL injection is a common exploit, and potentially very destructive. It might be possible to write a SQL statement that when entered on a website could delete all of the information. Or even worse, display private data of the registered users.
MacDonald: He could look for open ports, too.
Gilder: It’s very easy to find out the details of the target system and then use the best exploits for that system including open ports, what operating system is running, and the version number, as well as how long the system has been running. It’s a trial-and-error probing sequence to identify what information you can get and then determining the potential weaknesses based on that information.
MacDonald: It’s like an intelligent burglar who goes around the neighborhood noticing who’s not home at a certain time, and which windows are unlocked. Then they go back at that time through that window. It’s not rocket science.
Is that how breaches occur?
MacDonald: Remember the Equifax data breach? Their IT department was approached by the manufacturers of Apache Struts, one of the tools commonly used for web application development, who said, “We have identified a security vulnerability, and we have a patch available to fix it.” The IT folks said, “We’re not running that service.” As it turned out, they were running it on one of their customer-facing sites. Significant time elapsed between when Equifax was alerted of the vulnerability and when the fix was applied. As you can imagine, the data breach occurred in this timeframe. They essentially left the window open, without knowing it.
They said there was a lot of collateral damage with the Equifax incident.
MacDonald: This was an even bigger issue because you don’t choose to put your personal information in Equifax, they just have it. Folks who may never have logged onto a website, who may not even have owned a computer, were affected by the breach.
How do you figure out what your vulnerabilities are?
Gilder: A lot of companies hire consultants to attack their networks to see if there are potential vulnerabilities. At Saint Rose, we’re planning to set up a lab to do these types of war games. This typically involves two teams, which consist of attackers (the red team) and the defenders (the blue team). The red team attackers will try to break into a system that the blue team is monitoring without being detected.
MacDonald: A lot of these tools that hackers have are useful for defense, too. If I’m setting up a server or am a developer, I might use the tools to make sure my clients are safe, or to monitor my own server. A tool that’s useful can be used to harm someone, and vice versa.
Aren’t there tools that are used only for evil?
MacDonald: I’d say there are only a few. There are certainly some available on the dark web. One of our intentions is to educate students on the dark web, and our lab might be one of the only ways to get access to it.
Gilder: The “dark web” is really just a collection of machines that is not directly accessible from search engines. You simply need a special program, which makes accessing it trivial. However, in addition to being used by the “bad guys,” it’s also used by law enforcement and journalists to obtain confidential sources and testimony. Of course, there are FBI and law enforcement stings set up to catch criminals.
- Use multiple layers of security, both electronic and physical, to protect your data.
- Don’t put off installing security patches.
- The more careless you are, the more attractive you are to hackers.
Next time: We discuss advances in technology and how they compromise our privacy. In case you missed the first installment, check out Part 1: How our own behavior puts us at risk.