Treasury and finance departments are budgeting unprecedented amounts of cash on cybersecurity. But if that money is solely going to cybercrime prevention, then the hackers have likely already won, argues Josh Goldfarb, chief security strategist, enterprise forensics for FireEye, a network security company.
Speaking at the EuroFinance International Cash & Treasury Management Conference in Miami, Goldfarb stressed that only so many attacks can actually be prevented. Corporate treasurers need to accept that eventually, hackers will slip through their companies’ protections. The companies that can recognize and respond to those attacks are the ones that are truly in the best shape.
For about 20 years, cybersecurity focused almost completely on prevention, noted Goldfarb. Recently, however, it has evolved and now security experts are looking beyond often futile attempts to keep hackers completely out of the system. “You can’t focus entirely on prevention, because the hackers will find a way in,” said Goldfarb, who noted that antivirus software is only successful at stopping about 23 percent of attacks. “So when they do, we have to be able to detect that they’ve gotten in rather quickly and then respond.”
Understand the attack
If hackers breach your organization, the first thing they will do is gather all the information they can on you. “For example, maybe I’ll set up a rogue Wi-Fi access point in the hotel, so that when the conference organizer tells you to put all of your cell phones on Wi-Fi, I’ll just collect all the information you’re sending each other back-and-forth,” said Goldfarb. “That’s a great way to get information.”
Hackers may also look up profiles on LinkedIn, Twitter and other social media sites to gather data on a company’s employees. The more people have a presence online, the easier it is to get information on them. Goldfarb noted that, because he has a big presence online, he gets hit frequently with phishing emails. It can be difficult, even for a security professional like him, to detect which emails he’s getting are the dangerous ones. “If it’s hard for me, it’s going to be hard for people who aren’t technical,” he said.
Fortunately, Goldfarb said the more we know about how attacks work, the more clues we can find to detect them, noting that attackers leave evidence on the network. “We can use this evidence for detection and response,” he said. “If we’ve properly architected our security telemetry systems—systems that gather information for monitoring and auditing purposes about what’s going on across our enterprises—we can use this information to detect that hackers have gotten into the network.”
Another step businesses can take is doing a better job of segmenting their networks. Those that don’t are putting data at risk, Goldfarb said. “For example, someone who works in human resources—although he or she may not have an account on a system that processes financial information—likely has a network route,” he said. “They have access to that system through the internal network.”
In many breaches, like the infamous 2013 Target breach, hackers get in through a third party; in Target’s case, an HVAC contractor. “The contractor had access to the retail stores’ networks,” Goldfarb noted. “What Target forgot to do was segment the point-of-sale machines from that heating and air conditioning network.”
The attackers figured out that they could compromise the third-party contractor, because that is much easier than compromising a multinational corporation directly. “They hopped from the heating and air conditioning network right over to the point-of-sale terminals and stole credit card information,” said Goldfarb.
The cost of doing nothing
Cyberthreats can significantly impact a company’s bottom line. The average cost to clean up a breach is about $3.5 million, Goldfarb said. Additionally, customer shopping habits may change due to an incident. For example, even if a retailer’s customers continue to shop at their stores post-breach, they may be inclined to pay with cash instead of credit cards. People who use cash typically spend less, which hurts profits.
A breach also could result in the loss of intellectual property. Several years ago, a major defense contractor was compromised, resulting in the theft of plans for an attack helicopter. “That was millions and millions of dollars of U.S. Department of Defense research and development taken within the span of a few months,” Goldfarb said. Additionally, there could be serious legal repercussions, as businesses like Target found out the hard way.
Goldfarb noted that hackers’ skills continuously evolve. “Hackers treat hacking like a business function,” he said. “We ought to treat detection the same way.”