Pratum Blog

DDoS attacks were used in a bank heist targeting the wire transfer switches at several banks. There are two primary things to take away from this.  You can read about the attacks here.

  1. Diversions to siphon resources away from the actual attack are not new. They've been common place in both the physical and cyber worlds for a long time. We need to remember that our efforts during incident response can't be so full and swift that our our ability to detect and respond to new attacks is weakened.

  2. Monitoring only a few "critical" systems isn't enough. We need to monitor multiple points along any path that data traverses to ensure we have a holistic view of our data security.

The bad guys are getting smarter, more organized and more patient. Our defense tactics need to evolve with these changes. Are you adapting or still relying on what worked last month?

If you have been watching the details of hacking attacks over the past couple of years, you should have noticed a disturbing trend.  Attacks are shifting from mass destruction to maximum impact as their goal.  Gone are the days where the majority of attacks would be focused on having global impacts but were relatively minor in severity. We're moving into an age where the primary goal is to cause catastrophic damage to a very small group or individual.

Motives are changing.  The attacker profile is changing.  More and more targets of hacking are not just getting caught up in the massive sweep of global attacks.  They are becoming targeted victims.  This means our risk assessment must change.  No longer can we try to "fly under the radar" or assume our company isn't "big enough" to be a target.  It also means we as individuals need to begin thinking about becoming a target as well. Every company, big and small, has competition or those who want to see it fail.  Every individual has the potential to upset another and become the target of violence. 

Are we ready for some of this animosity to be carried out via cybercrime? Are you uncomfortable right now?  Are you worried about cybercrime in ways you might not have been 10 minutes ago?  The key is not to be affraid, but to be informed and aware.  Just as we're not paralyzed by the threat of physical crime, we can't be paralyzed by the threat of cybercrime.  We do however need to be "street smart" and know the risks that cybercrime poses to our professional and personal lives.  We need to understand the profile of hackers and their motives.  When we understand the risks, we can better identify the appropriate precautions we need to take to protect ourselves and our companies.

DEFCON and Black Hat are two prominent hacking conferences that come around each year. And each year we hear the news outlets gush over the next “ground breaking” hacking attempts that will shatter our lives forever. We hear how hackers are going to crush the confidentiality, integrity and availability of our data and destroy modern society. Really? We’ve had the BlackHat conference for a few years now, 17 actually. I’m pretty sure society has been moving along ok each year since then.

Let’s put this into perspective. Information security is all about risk. We each take risks every day. We drive or ride a motorized vehicle to work, we eat foods we didn’t grow or prepare, we use sharp blades to shave hair off our face…you get the picture. Risk is everywhere. We take precautions to lower our risk like drive the speed limit, wear safety gear at work, buy insurance and many other activities. Information security is no different. We face the risk and then take certain precautions to lower the risk that a hack will occur or at least lower the impact if it does occur.

In information security, we have risk when we have an asset with a vulnerability AND an actor which is willing to take action to exploit that vulnerability. Without the actor (threat) we have no risk. Are their real risks with information security? Absolutely. Could someone die if a hacker were to exploit a weakness in a medical device? Yes. Could someone spy on you through your Xbox, phone, laptop, TV or other device with a built in camera? Sure. Is it absolutely going to happen? Maybe.

While the news media will bring out story after story about the crazy new hacks that are being released, remember this. Many of these hacks have several dependencies. Everything has to fall in place for them to work. Not all of them, but many of them can be thwarted with simple security controls. There are 20 security controls that are used as a baseline for information security. If you implement and manage these controls well, the risk that these or any other attacks will be successful drops significantly. So take precautions, implement basic security controls and live your life.

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.