Defending Sensitive Information: Data Security Breaches and Cybersecurity

Data security breachesAt this point, news of big-name corporations being hacked or suffering data security breaches are no longer surprising. It seems that almost every day another story breaks, whether it’s a giant retailer, a health insurance company, a bank or more. But beyond the headlines lies a complicated war, one that is waged daily.  Retailers, software companies and even governments are constantly building and refining cybersecurity measures; hackers, however, are equally as busy determining how to exploit vulnerabilities. Who, then, will win the battle for our data security? Understanding the history of hacking, and what steps are being taken to combat it, may help.

A Short History of Hacking and Data Security Breaches

A historical overview of security breaches

Although data breaches are synonymous with hackers in the public
perception, the two terms should be considered as distinct.In fact, the
term “hacker” is controversial, with many computer gurus calling
themselves hackers despite not engaging in illicit activity.

In everyday language, however, hackers are typically considered to be maliciously exploiting data breaches to steal sensitive information that can be used to commit a crime.

Despite the nomenclature, the history of hacking weaves into that of security breaches. The bypassing and manipulation of secure wireless technology goes as far back as 1903, when inventor Nevil Maskelyne interrupted a demonstration of Marconi’s telegraph by
sending insulting Morse code messages through a projector. People have been tinkering with technology in similar ways ever since.

The 1970s and ‘80s

The Rise of Hacking

As computers began to gain in popularity throughout the late 1960s, understanding of the technology powering the machines also increased. As the 1970s began, the first true “hackers” began to create underground groups for sharing information about their experiments. The first of these groups, the “Warelords,” formed in St. Louis and traded knowledge over Bulletin Board System (BBS) message boards. These early hackers would collaborate with groups across the country, and infiltrated corporations like Southwestern Bell and other telecom companies. Their existence inspired the 1983 movie about young hackers, WarGames.

In 1983, a similar group called the 414s broke into 60 computer systems at institutions across the country. They hit everything from the Los Alamos Laboratories to the Sloan-Kettering Cancer Center. Their intrusion became the first high profile media coverage of hacking, including the first mass-media use of the term hacker in the context of computer security.

Regulation Begins

By 1986, the government began passing laws and regulations to stop hacking and make many of these actions illegal. Throughout the late 1980s, the government began chasing after hackers using computer equipment for illicit reasons. In 1988, expert Robert Morris developed the Morris Worm, the first computer worm on the Internet. The virus infiltrated vulnerabilities in several high-profile computer systems, including many in the government, and is estimated to have infected 6,000 computers. Morris was quickly captured and became the first person convicted under the Computer Fraud and Abuse Act. By the end of the decade, computer security was fully on the government’s radar.

The 1990s

By the 1990s, the government was poised to take action. The Secret Service launched Operation Sundevil in 1990, ultimately arresting organizers and members of BBS message boards in 14 cities across the United States.  The success of this sting, the first large-scale government crackdown on illegal hacking activities, shook the confidence of the hacking community when it was revealed that hackers had provided information about each other in exchange for immunity. Operation Sundevil and the resulting court cases had a profound effect on the hacking community. The response was the creation of the Electronic Frontier Foundation, the largest nonprofit group in the United States that focuses on digital rights.

The Internet Changes the Game

With the hacking community in need of an alternative to BBS message boards, the first ever hacking conference, DEFCON, was born in 1993. The emergence of the World Wide Web allowed hackers to move beyond BBS into new websites that were able to handle larger communities and were harder for the government to take down.

Soon hackers were becoming cult figures, seen as fighters for truth and freedom in an increasingly corporate world. None embodied this spirit more than Kevin Mitnick. Considered “the most dangerous man on the Web,” Mitnick developed a reputation as an elite hacker after several high profile hacks of massive corporations, including Pacific Bell. After a well-publicized chase, the FBI arrested Mitnick in North Carolina and sentenced him to five years of prison in 1999. “FREE KEVIN” became a rallying cry for the hacker community.

The 2000s

Corporations began a constant escalation of defense measures throughout the new millennium to combat the growing threat of hackers. American Express debuted the first credit card with an encryption chip in 2000, meant to provide protection from the vulnerable magnetic strip, which was easy for hackers to commit fraud with. Although the encryption chip is successful, it has been slow to be adopted in the United States. In Europe, the chip is standard, but in the United States, it is only now becoming widely accepted. Change is coming, however; by October 2015, merchants who have not put systems in place to accept cards with chips will be liable for fraud charges in the case of criminal activity.

The Data Breaches Begin

In 2005, CardSystems Solutions, one of the world’s largest credit card processing companies, had more than 40 million credit card records stolen from their system. This led to the discovery that CardSystems and several companies like it were keeping data in unencrypted form online, making it easy for hackers to steal. The breach, the largest hack in history at the time, set off a series of similar hacks throughout the 2000s.

The 2010s

Despite companies’ best efforts, breaches are still happening on a large scale. The Bank of America and Playstation Network hacks just eight days apart in April of 2011 showcased how vulnerable sensitive information was. The issue does not appear to be going away. In the first half of 2015, the Identity Theft Resource Center reported 215 breaches exposing more than 100 million records. Clearly, cybersecurity is still a significant issue that needs to be addressed.

Types of Data Breaches and Hacks

Remote code execution is a type of data breachNot all data breaches happen the same way. They can involve unique software that finds holes in a company’s defense, or they can be as simple as a stolen
password. Each type of data breach affects a company’s data and servers differently. Some affect just one person; others can affect hundreds of millions. Here are some of the most common forms of data breaches and hacks.

Distributed Direct Denial of Service Attack

DDoS attacks are the result of a server  being made unavailable for users. Hackers overwhelm a server with multiple requests to visit a URL at the same time, causing the server to shut down. With the system offline, the hacker can easily compromise the entire website or a function for his or her advantage.

These are among the most common form of attack in today’s hacking world. Although some groups, like the “hacktivists” of Anonymous, believe that DDoS is a legal form of protest, most Internet administrators disagree. Everyone from the FBI to the NASDAQ stock market have experienced DDoS attacks. In 2013, a Dutch Web host company called CyberBunker caused a global disruption of the Web with a DDoS attack aimed at Spamhaus, a company that fights these spammers.

Remote Code Execution

Performed on either the server or client side of a system, this attack finds a security weakness using a “remote code.” These vulnerable components could be any chink in the armor where authenticated user access can be successfully attacked. These bugs are often found after software updates and can be in anything from a phone app to the encryption system of a massive bank.

Because large corporations may choose not to divulge how their system is compromised, the most commonly known examples of remote code executions are in popular operating systems like Microsoft Windows and Apple’s OS X. Software companies are aware of these weaknesses and seek to find them before havoc can be wreaked. As soon as vulnerability is discovered, a patch is developed and released. However, in the time before the patch, users are susceptible to attack.

Cross-Site Request Forgery

This occurs when a user is logged into an account and then sends a fake request to collect cookie information from another user. Embedded inside a seemingly innocent request, perhaps an image or link, is a command that may lead to an attack. This can include the divulging of passwords, sensitive information, or other critical components. However, this attack is limited in its usefulness; it only works for as long as the victim is logged in to the breached account. As soon as a session is terminated the link is severed.

The most well-known instance of these attacks was in 2008 when customers of a bank in Mexico were attacked after clicking an image in an email. The link took them to a malicious website impersonating their bank that collected the information of countless accounts. The most common prevention to these attacks is added authentication, like CAPTCHA and other two-factor methods.

Social Engineering

It’s the oldest trick in the book, but it works very often. Social engineering occurs when people divulge private information in good faith. The problem is that these people are giving away sensitive information like a password or credit card number to someone with malicious intentions. The “Microsoft tech support” trick has fooled countless of people with phone calls and emails purporting to be from the companies help desk. Eventually, the hacker will ask for a username and password for “security purposes.” If divulged, the hacker will now have access to whatever they were given, and can often cause immense damage.

Modern Strategies Used to Increase Security

Segmenting data is a strategy to increase cyber securityThere are an infinite number of ways to attack cybersecurity, but companies are constantly trying to bolster defenses and protect from attack. Large corporations spend millions of dollars protecting their data and their customers’ data from hackers. Below are some of the common strategies being employed by companies.

Segmentation of Critical Data

One consistent issue that is arising with companies under attack is the isolation and protection of their critical and sensitive data. Information like credit card numbers and health care records have to be segmented away from the larger data network. The controls to protect these higher-level silos of information must also be far stricter than the general network and evaluated on a regular basis. This allows companies to keep data farther away from hackers and make it harder for the regular employee to access.

User Permissions

Who needs access to sensitive data and why do they need it? These are the questions that corporations must ask when it comes to data access. Companies are constantly reevaluating who needs to access data that would be of use to hackers. Although ensuring that the work is being done is important, it is critical to restrict access only to those employees who need it to perform critical functions of their jobs. By ensuring that user permissions are strict, companies can track which employees can access what information and when.

Informing Customers

It’s not just hackers who leave companies vulnerable: Customers can too. Weak passwords and PINs can serve as a gateway into the inner workings of a system. Providing new encrypted credit cards can help remove the risks associated with the decades old magnetic strip system that hackers have mastered. New methods of payment like Apple Pay may help improve security as well.

A Future in Cybersecurity

The war against hackers has no end in sight. The government, countless companies and other cybersecurity firms will need intelligent and highly trained professionals to help improve defense measures and protect sensitive data. With the U.S. Bureau of Labor Statistics reporting that information security analysts earn a median salary of $86,170 annually, cybersecurity is a growing, and lucrative, field. Point Park University offers an online online master’s degree in intelligence and global security, so students can find the program that fits their schedule and desired education level. Graduates will have the knowledge needed to assist corporations and government agencies in protecting against the constant threat of data breaches.

2 1 1 0 3