Hackers have upped the ante. Data controllers wax fondly about the good old days when data was simply stolen. Back then, in 2013, there was a sense of fair play. Trolls did troll things. Assuming the victim had implemented and maintained a “comprehensive information security program” to protect the type of data that was compromised, its insurance carrier may have provided coverage and the issue was resolved. Now, ransomware, extortion and data sabotage can leave data controllers with ongoing problems, and each of these attack types is evolving in ways that are truly devious.
Data theft is to head cold as ransomware and extortion are to chicken pox.
Think of your computer network as patient zero. Ransomware is akin to the chicken pox — it hits fast, is contagious, and the signs of the illness can stay with you until you adopt an assumed name. Earlier ransomware “only” locked your screen or keyboard, or planted unsavory files on your system, and the attackers would tell you how much Bitcoin it would take to regain access or have the offensive files removed. In 2013, attackers sharply increased their use of ransomware that (1) infects your system and (2) encrypts your data with a key that only the attacker can supply to unlock it. Once in, the attackers would gauge whether to raid your financial accounts directly or send a ransom demand with a countdown showing when your data would become permanently inaccessible. Today, ransomware such as CryptoWall also spreads to and encrypts the shared drives mapped from patient zero. If the whole office is infected, the affected machines may need to be quarantined until every infection is eliminated.
Data sabotage initially seems to be an asymptomatic attack, but can quickly become fatal.
Hackers engaged in data sabotage can remain inconspicuous while they mine your data. Only once they know enough about it to cripple you or enrich themselves is the true measure of their destructive nature realized. Data sabotage may unfold over a long period and involve many distinct steps. Manipulating the numbers reported in a Form 10-Q can crash a corporation’s stock and affect an entire industry. Competitors may also discover, and exploit, vulnerabilities in your security.
A case with espionage, extortion and pseudonyms is a sign of things to come.
Wire Swiss GmbH (Wire Swiss) is currently seeking a declaratory judgment and alleges civil extortion against its competitor, Quiet Riddle Ventures dba Open Whisper Systems, and Moxie Marlinspike. Both sides develop end-to-end encrypted messaging software. Wire Swiss claims the defendants threatened to accuse it of infringing copyrighted software code and to publicize “vulnerabilities” in the security of its encryption software unless Wire Swiss paid a $2 million licensing fee. Wire Swiss claims that the specter of published security vulnerabilities in its encryption software could cause catastrophic damage to its reputation, and that the defendants’ threat coincided with the announcement that their Signal software had been incorporated into the WhatsApp messaging application. If the allegations are true, they are a prime example of how data saboteurs profit from their hacks. The case may also be fodder for legislation creating a safe harbor for security self-evaluation.
The best policy may be to trust no one.
Developing a zero-trust, multilayer security plan may be your best method of protection. Here are some common measures that may help keep your data free of viruses and hackers:
- Encrypt data at rest and in transit, and anonymize or pseudonymize data you do not need in identifiable form.
- Erect firewalls and segment the network, so one infected workstation cannot reach every shared drive.
- Invest in “anti”— anti-virus, anti-malware and anti-spyware software, and keep its signatures current.
- Patch operating systems and applications promptly.
- Consider using a “kill switch”— when suspicious events happen, the IT department should be notified automatically, and the affected systems should be isolated or shut down if no protective measures are taken.
- Ensure granular access control is used, so each account can reach only the data its role requires.
- Regenerate session identifiers whenever a user logs in or changes privilege level, so a session ID an attacker planted or captured beforehand cannot be reused (session fixation).
- Require multi-factor authentication.
- Log detailed errors server-side and show users only a generic message; stack traces, database errors and file paths are a gift to an attacker.
- Revoke credentials automatically on defined trigger events, such as an employee leaving, a role change or a suspected compromise.
- Implement “eventing” so you know when sensitive categories of data are accessed and/or modified, and by whom.
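As an added illustration of three of the measures above (regenerating session identifiers at login, logging errors rather than showing them, and eventing on sensitive data), here is a small self-contained Python sketch. It is example code written for this page, not code from the original article or from any product named in it; the class and field names, the in-memory stores and the sample employee record are all assumptions made up for the example.

```python
"""Added example, not part of the original article: three of the listed
controls in a dependency-free sketch. Every name, store and record below
is constructed for illustration only."""
import logging
import secrets

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("app")        # server-side error log
audit = logging.getLogger("audit")    # "eventing" log for sensitive data

SENSITIVE_FIELDS = {"ssn", "bank_account"}   # assumed sensitive field names


class SessionStore:
    """In-memory sessions keyed by a random 256-bit identifier."""

    def __init__(self):
        self._sessions = {}   # session id -> session state

    def create_anonymous(self):
        sid = secrets.token_urlsafe(32)           # CSPRNG, unguessable
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user):
        """Regenerate the identifier at authentication: the pre-login state
        moves to a brand-new id and the old id is invalidated, so an id an
        attacker planted or captured before login (session fixation) is dead."""
        state = self._sessions.pop(old_sid, {"user": None})
        state["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


class RecordStore:
    """Records plus an audit trail of who read or modified sensitive fields."""

    def __init__(self, records):
        self._records = records
        self.events = []      # audit events, appended in order

    def read(self, actor, record_id):
        rec = self._records[record_id]           # KeyError if unknown
        self._emit("read", actor, record_id, rec.keys())
        return dict(rec)

    def update(self, actor, record_id, changes):
        rec = self._records[record_id]
        rec.update(changes)
        self._emit("modify", actor, record_id, changes.keys())
        return dict(rec)

    def _emit(self, action, actor, record_id, fields):
        touched = sorted(SENSITIVE_FIELDS & set(fields))
        if touched:                              # only sensitive data is evented
            event = {"action": action, "actor": actor,
                     "record": record_id, "fields": touched}
            self.events.append(event)
            audit.info("%s", event)


def handle_request(sessions, store, sid, record_id):
    """Return (status, body). The caller never sees internals: unknown ids get
    a bare 'not found', anything unexpected gets 'internal error', and the
    full traceback goes only to the server log."""
    user = sessions.user_for(sid)
    if user is None:
        return 401, "authentication required"
    try:
        return 200, store.read(user, record_id)
    except KeyError:
        log.warning("user=%s requested unknown record=%s", user, record_id)
        return 404, "not found"
    except Exception:
        log.exception("request failed for user=%s record=%s", user, record_id)
        return 500, "internal error"


def demo():
    """Exercise the three controls and return the observable results."""
    sessions = SessionStore()
    store = RecordStore({"emp-1": {"name": "A. Example", "ssn": "000-00-0000"}})

    planted = sessions.create_anonymous()      # id known to an attacker pre-login
    sid = sessions.login(planted, "alice")     # fresh id issued at authentication

    results = {
        "planted_id_dead": sessions.user_for(planted) is None,
        "new_id_live": sessions.user_for(sid) == "alice",
        "read": handle_request(sessions, store, sid, "emp-1"),
        "anonymous": handle_request(sessions, store, planted, "emp-1"),
        "missing": handle_request(sessions, store, sid, "emp-9"),
    }
    store.update("alice", "emp-1", {"ssn": "111-11-1111"})
    results["events"] = store.events
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run the file directly to see the audit events and the generic responses. The point of `handle_request` is that neither the 404 nor the 500 body carries the record id, the exception text or a traceback; those go to the server log, where the IT department can act on them.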
Sadly, no safeguard is guaranteed. Using multiple defenses will, at a minimum, ensure you are not the slowest one running from the bear. Good luck, and may your houses remain pox-free.