BreachExchange mailing list archives

Get Ready For The Hack Attack That Drives A Big Company Out Of Business


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 16 Dec 2014 20:37:17 -0700

https://finance.yahoo.com/news/ready-hack-attack-drives-big-021741279.html

I had an interesting conversation with a person in the computer security
industry a few weeks ago.

This person is absolutely convinced that 2015 will be the year that some
company goes out of business because they didn't plan adequately for an
attack.

Normally, I'm skeptical about these kinds of stories from companies that
sell security products. They have a vested interest in making things sound
as bad as possible, and there's a long history of security companies hyping
up remote threats in press releases.

But this person has been in the industry a long time, and consults
regularly with huge, well-known companies who are buying his products (as
well as competing products that solve slightly different but related
problems — there are lots of ways to attack a company's computer systems).
He told me some other crazy stories I'm not allowed to recount. And he
wasn't hyping his product — he didn't even want to be quoted.

Then the Sony hack happened. There have been estimates that Sony could
suffer a loss of more than $100 million — and that was before a couple of
former employees sued the company.

The Sony hack is different from most past hacks on this scale because the
people who got the information don't seem to be out for personal gain.
Instead, they're actively trying to embarrass and perhaps even destroy the
company.

Then, a report revealed that hackers basically shut down Sheldon Adelson's
casino in Las Vegas in February.

So I got back in touch with this person to ask why we suddenly seem to be
at a breaking point. Here's what he told me:

- The motives of sophisticated hackers have changed from self-gain to
destruction. In the past, the most sophisticated hacks against companies
were carried out by big nation-states or criminal organizations. Nations
were generally looking for information they could use to get a military or
economic edge, or to share with companies in their own countries. Criminals
were generally looking to sell intellectual property to a company's
competitors. They weren't really looking to destroy the company whose
information they stole. Now, these sophisticated hacking techniques have
started to trickle down to individuals, including "nationalistic hackers,"
who are less interested in financial gain, and mainly want to cause harm or
seek revenge. These folks have always been around, but they're able to
cause much more damage now than they were a couple years ago.
- Company officers are only now becoming aware of the threat. Boards of
directors and C-level officers are most directly responsible for risk
mitigation. They have traditionally been focused on other threats —
competitive threats, regulatory threats, and so on. Only in the last year
or so, starting around the time of the Target hack, have they become aware
of how much damage a computerized attack can cause. Previously, the
decision to buy more and better security equipment was left to somebody in
the IT department, and they had to convince the company to take their
advice. Now, this responsibility is being kicked upstairs — but it takes
time to plan a response.

Interestingly, this person didn't blame big shifts in technology, like
companies moving information off their premises and into data centers run
by big providers ("cloud computing"), or information leaking out on mobile
devices like smartphones. It's simply that lower-level attackers are able
to do what only the richest hackers could do a couple years ago.

It's hard to imagine Sony going out of business from this attack, but the
casino attack actually shut down computers and wiped hard drives. Imagine a
similarly successful attack on a bank. Or a health care provider.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
