What CIOs can learn about security threats from 4 recent hacks

The media and the public are finally waking up to the fact that almost all organizations are at risk of getting hacked. Analyzing a few recent high-profile breaches might just help you prevent the same thing from happening at your company.

Keeping one step ahead of hackers is no easy task for IT security executives. There are so many ingenious hacker ploys, shady tricks and nefarious techniques to compromise your data that it might seem no company could ever keep up. Cybercrime is clearly on the rise, and CIOs have plenty of reasons to be anxious.

Four recent high-profile hacks demonstrate that cybercriminals are breaching networks, stealing data and using social engineering to trick employees. We asked several security experts to weigh in on these cases, how they occurred and what CIOs should do to reduce the likelihood of a similar compromise. Hint: it’s more than just installing a new firewall and insisting that employees use antivirus apps.

1. OPM data breach

This high-profile data breach is disconcerting because the Office of Personnel Management (OPM) handles security clearances and background checks for federal employees. At last count, 21.5 million government employee records were stolen. Most reports indicate that the OPM hack occurred because of a lack of basic security infrastructure precautions. A former subcontractor stole the data while doing background checks, according to both the public hearings on the breach and to data security expert Alan Kessler.

[Related: How OPM data breach could have been prevented]

Kessler, CEO of data security company Vormetric, says there was a long history of OPM relying on legacy systems and not investing in security infrastructure. The big lesson for CIOs, according to Caleb Barlow, vice president of security at IBM, is to avoid the “shiny new object” problem in security. Some CIOs are drawn to a new innovation or the latest technique, but forget the fundamentals. “Basic security needs, such as patching, monitoring who has privileged access, identifying risks, and knowing where the organization’s critical data resides, need to be met before anything else,” he says.

Yorgen Edholm, CEO of enterprise file-sharing company Accellion, says the OPM breach is a reminder to CIOs that hackers are not just trying to steal credit card numbers at banks or other financial info. The breach involved social security numbers, healthcare records and even fingerprints stored in a database. CIOs need to investigate ways to protect all systems instead of relying on measures that protect only financial data.

2. St. Louis Cardinals hacking the Houston Astros

This recent breach involved an employee (or group of employees) stealing such sensitive data as player evaluations and stats from a rival baseball team. It’s unique in that it’s one well-known entity attacking another entity (as opposed to an obscure, foreign cybercriminal). It points to a need for CIOs to look within the four walls of a company for attack vectors.

Matt Suiche, the well-known entrepreneur who now works at VMware, says companies need to do a better job of protecting data from employees, subcontractors and third-party vendors. He says there are too many lines of attack, so the idea of just protecting a company using a firewall and antivirus software from outsiders doesn’t make sense. It’s better to have a multi-factor security approach that impedes any cybercriminal.

[Related: FBI investigates St Louis Cardinals over Houston Astros hacking]

“Companies hire away employees from competitors all the time, and using the same passwords in your old and new company is an invitation for problems,” says Stu Sjouwerman, the CEO of security company KnowBe4. “Password management and creating strong passwords is a must these days, until we deploy stronger authentication procedures like two-factor authentication and/or biometric security measures like fingerprints and facial recognition.”

“Sometimes the biggest breaches are not the work of spy agencies, organized crime syndicates or even sophisticated hackers, but rather the act of a former employee or business competitor,” says Accellion’s Edholm. He says corporations should protect systems against rogue employees, use unique and complex passwords for all employee access, own and track all encryption keys, and train employees thoroughly on cybersecurity best practices.

3. Ransomware resume phishing 

This ingenious hack has many variations, but it’s essentially a con against an employee where the hacker sends in a resume as a compressed (.zip) file. The employee opens the file, which triggers a malware app that encrypts the hard drive and any shared network drives. The hacker then demands a ransom payment to remove the malware and restore the drive. It’s not a dissimilar approach to a recent scam where hackers purloined financial information from pre-published press releases, and then made bank on said information.

One of the most nefarious examples of ransomware came last year when an Australian news channel was hit with CryptoLocker; the hackers demanded payment to release the data. In many cases, the ransom payment must be sent in hard-to-trace Bitcoins.

KnowBe4’s Sjouwerman says the problem with this scam is how effective it can be. In their own tests, they found that 60 percent of employees tested at a bank opened a resume sent by email. He says the most recent attacks use the name of a fictitious female applicant.

IBM’s Barlow says there is ultimately one main solution to a phishing attack, which is to constantly educate employees. There are always new attacks. The education should involve phishing tests where employees have to make the right decision (such as not clicking a link or not responding). If they fail the test, the company needs to do additional training.
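Employee training is the main defence the experts name, but a mail gateway can also refuse the "resume as a .zip" lure before anyone has to decide. The following is an added illustration, not code from the article or from any vendor quoted in it: it opens an attachment archive in memory and quarantines it if any member has an executable or archive extension, or carries a Windows PE header under a document-looking name (the sample archive, file names and extension lists are constructed here for the example).

```python
import io
import zipfile

# Suffixes a resume archive has no business containing (illustrative list, not a full policy).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".jse", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar")
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inspect members claiming to be huge (zip-bomb guard)


def inspect_resume_zip(zip_bytes):
    """Return (member_name, reason) pairs for every member that should stop the attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if lower.endswith(EXECUTABLE_SUFFIXES):  # also catches double extensions like .pdf.exe
                findings.append((name, "executable extension"))
            elif lower.endswith(ARCHIVE_SUFFIXES):
                findings.append((name, "nested archive"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((name, "oversized member"))
            else:
                with zf.open(info) as member:
                    head = member.read(2)
                if head == b"MZ":  # Windows executable renamed to look like a document
                    findings.append((name, "PE header under non-executable name"))
    return findings


def verdict(zip_bytes):
    """Gateway decision: quarantine on any finding, otherwise deliver."""
    return "quarantine" if inspect_resume_zip(zip_bytes) else "deliver"


def build_sample_zip():
    """Constructed sample of a malicious 'resume' archive (not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cover_letter.txt", "Please find my resume attached.")
        zf.writestr("Resume_Jane_Doe.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("portfolio.pdf", b"MZ\x90\x00" + b"\x00" * 60)  # renamed executable
        zf.writestr("references.zip", b"PK\x05\x06" + b"\x00" * 18)  # empty nested zip
    return buf.getvalue()


def build_clean_zip():
    """Constructed benign archive: a plain-text resume only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.txt", "Jane Doe, 10 years of accounting experience.")
    return buf.getvalue()
```
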

4. CEO money transfer spoof 

This last type of security breach is making headlines because it specifically targets the executive teams at large companies. It’s mostly a social engineering hack: A criminal first gains access to the executive’s email, likely by guessing a password or running a password generator. They use the exec’s account to request a money transfer through the accounting department. It’s ingenious because the accounting department assumes the credentials are valid (because they are).

KnowBe4’s Sjouwerman says one such attack involved the international magazine publisher Bonnier Group and resulted in a money transfer of at least $1.5 million. The hacker used the email of the former CEO, David Freygang, and requested that the transfer remain urgent and confidential. In some ways, this hack plays on fears (of not doing what the CEO asks, or of the CEO getting in trouble), similar to the recent Ashley Madison hack of a dating website for married people looking to have an affair, which retained detailed profiles of its customers.

The frightening stat here, according to IBM’s X-Force Threat Intelligence Quarterly Q2 2015, is that 25 percent of all cyberattacks involved conning one particular employee. Such an attack also bypasses all traditional security measures, such as encryption, firewalls and anti-malware tools. It’s not even a technical breach, says IBM’s Barlow, because it could be one hacker gaining access by guessing one password for a high-ranking official.

The answer, he says, is in collaboration. Phishing attacks should be categorized, documented and discussed – similar to how hackers use the Dark Web to make their plans and share information. “The ‘good guys’ need this same type of collaboration to stand a chance against them,” he says.
