This week’s Security Central takes a look at the single spear phishing click that caused the Yahoo breach, peeks inside The Active Cyber Defense Certainty Act, and examines why small businesses are increasingly becoming the targets of cyber-attacks.
One click to breach them all. Or at least, one click to breach Yahoo. One simple, mistaken click is apparently all it took for hackers working with the Russian state security service to gain access to Yahoo's network and the email accounts of approximately 1.5 billion people. It's hard to forget. The Yahoo breach was the most staggering intrusion in history - not just because of its scale, but also because of the fact that it took three years to identify the threat.
The FBI has been investigating the attack/breach for two years, but it was only late last year that the full scale and damage of the intrusion came to light. On Wednesday of this week, the FBI charged four people for the attack, two of whom are Federal Security Service (FSB) spies who work for the division that is supposed to cooperate with America’s FBI on cybercrime investigations. Remember our guy Dmitry Dokuchaev? He was one of them.
To briefly recap a bit, it all began with a spear-phishing email that was sent to a Yahoo company employee back in 2014. There may have been more emails sent to other employees, but this one unsuspecting target happened to be the poor unfortunate soul who clicked that mouse. Just one click on a malicious link - that's all it takes. It's a good reminder of how fragile security can actually be. It's worth dredging up the words of Scott Carlson, technical fellow at BeyondTrust, who back in December offered insight on the matter and a few simple but prudent tips for businesses and consumers alike.
“Now more than ever companies need to protect themselves when other companies are compromised,” says Carlson. “We all know users reuse passwords and we can almost guarantee that the answers to user’s internal secret questions are the same as their personal secret questions.”
According to the FBI, the alleged hackers, Alexsey Belan and Karim Baratov, were working under the orders of Russian spies Dmitry Dokuchaev and Igor Sushchin. The Justice Department has charged all four defendants with conspiracy to commit computer fraud and abuse, carrying up to 10 years in prison.
Our second story deals with the debate regarding the right to "hack back" - sort of the "eye for an eye" principle of the cyber world. Hacking back is a bit of a controversial issue, for obvious reasons. It has manifested itself and taken form in a 'Discussion Draft' bill called The Active Cyber Defense Certainty Act, which was proposed by Representative Tom Graves (R-GA). According to an article by Security Week, the bill has been gaining significant traction, garnering bipartisan support and high interest from businesses, lawmakers and groups of academics. Graves states that he expects to present the bill to the House of Representatives for vote within the next few months.
The bill would essentially amend the Computer Fraud and Abuse Act (CFAA), which does a rather poor job of providing adequate defense strategies and tools for proper defense against hacks. It also outlawed counter-attacks of any kind by victims. The proposed bill would help businesses not only defend themselves online, but would also give them the right to fight back.
The new bill uses the term 'active cyber defense' instead of 'hacking back'. Active cyber defense is defined by SANS as "The process of analysts monitoring for, responding to, and learning from adversaries internal to the network." In a study conducted by the George Washington University back in October 2016 titled Into the Grey Zone: The Private Sector and Active Defense against Cyber Threats, experts warn that "today, when active defense is discussed, too often the discussion shifts to 'hacking back' -- offensive cyber measures that are beyond the scope of what we define as permissible activity in this report." This has clearly happened with the Graves proposal: it conflates active defense with hacking back.
The new bill provides provisions and defensive measures for victims. For instance, a victim of a cyber-attack can access the attacker’s computer without authorization in order to glean incriminating evidence and information, which they would then share with law enforcement, thus halting suspicious, unauthorized and malicious activity against the victim’s network. There are stipulations to this, however. A victim is not allowed to destroy information on the hacker’s computer, cause physical injury to another person (an obvious one), or create a threat to the public health or safety.
There are still wide patches of gray areas with the bill, and it will likely take some time and several rounds of revisions and tightening before it makes any progress. But, this is clearly a pretty positive leap. Giving companies and individuals the ability to defend themselves against cyber-attacks without facing legal red tape and repercussions is definitely a step in the right direction.
Our final story takes a look at the small business world, and the barrage of cyber-attacks that relentlessly plague them every day. According to recent studies, small businesses are increasingly becoming the targets of cyber-attacks due to their small size, dismal funds and severe lack of skilled staff devoted to data defense.
Manta recently surveyed over 1,400 small business owners to see what they do (if anything) to prevent company data breaches and exposure to security hazards in general. The research revealed:
- Small business owners underestimate the potential and likelihood of data breaches
- 87% of surveyed small business owners don’t believe they’re at risk of experiencing a cyberattack. However, 12% of small businesses owners said their business experienced an attack in the past.
- Small businesses don’t do enough to protect their data
- About 1 in 3 small businesses don’t have data security measures in place. Of those who do, only 17% employ antivirus software --something security experts consider necessary, but not enough on its own.
- Small business owners largely prefer employees to have work-only devices
- 70% of respondents don’t allow workers to use personal devices for work purposes.
All of these factors make it difficult for owners and providers alike to properly serve and protect. The report's main takeaway emphasizes the dire need for these measures to be broadly implemented. "Overall, with the growth in hackers targeting small businesses, owners should invest more heavily in cyber defense to prevent attacks, which can often be more crippling for a small business than a large corporation."
The views expressed in this column do not necessarily reflect the views of Penton Media or The VAR Guy editorial staff.