We have become numb to many of these compromises because access to someone's business contacts or dating profile seems innocuous, but many of those compromised passwords were likely the same passwords their owners used for online banking or for corporate email. A password reused across sites is only as safe as the weakest site that stores it.
At a recent cyber crime event hosted by Pace University and the ACCA, Chris Novak, who helps manage the Verizon RISK Team, reported that many network compromises could have been averted through low-cost fixes. The absence of legislation means that LinkedIn, eHarmony and other companies that lose customer data bear no liability if their customers later become victims of identity theft. To reiterate: there are no penalties or repercussions for having ineffective security.
It should be noted that not all industries are failing when it comes to network security. Banks and financial institutions have made significant investments in computer security, particularly over the past five years. The Payment Card Industry Data Security Standard (PCI DSS) and the upcoming introduction of EMV (Europay, MasterCard and Visa) chip-and-PIN standards for payment cards in the U.S. are steps in the right direction, because organizations are being mandated to improve security or face financial penalties. Sadly, other industries have not followed suit.
The recent report by Mandiant illustrates how extensive the theft of U.S. intellectual property by China has been. According to law enforcement, these advanced persistent threats (APTs) are government-sponsored.
Secretary of Defense Leon Panetta last year highlighted the potential destruction associated with cyber attacks. He noted how government-sponsored attacks from rogue nations could result in loss of life. Metro systems and air traffic control systems are part of the critical infrastructure that could be compromised.
No longer are we simply considering data exfiltration or monetary theft, but potential casualties. Recent research has shown that malware is now rampant on medical devices, which is a tremendous concern. At the behest of DHS, a recent experiment at the University of Texas at Austin demonstrated how easy it is to hack into a drone. Militants have also succeeded in the past in hacking into U.S. military drones. The potential to hack into these drones and change their coordinates is frightening.
When President Obama talks about training people to fill open positions, many of those jobs are in information technology, and more specifically in computer security and computer forensics. We need to encourage more high school students to consider degree programs in security. IT enrollments across the country are still down significantly, and many students still do not realize the potential for employment. Grant funding has been made available to universities, but a lot more can be done to build up security programs at colleges around the country.
Hayes is a professor at Pace University’s Seidenberg School of Computer Science and Information Systems in New York. As the Computer Information Systems Program Chair at Pace, Hayes has cultivated partnerships with the New York Police Department, United Nations, and many other respected agencies. Hayes also manages the computer forensics laboratory at Pace, conducting research with computer science and information systems students.