Page 28 - The Edge - Summer 2019

PRE-SPRING CONFERENCE

By Don Harris

Here Are Ways to Prevent Hackers from Attacking

[Photo: Michael Nyman]


It has been said that there are only two types of companies – those that have been hacked and those that will be hacked.

Furthermore, some would say there are two types of companies (or perhaps school districts): those that have been hacked and those that will be hacked again.

That sobering assessment from Michael Nyman, Director of Information Security for CLAconnect, provided AASBO members with strategies that can minimize the chances that some bad guys will hack into your school district’s computer network.

In a Pre-Spring Conference presentation April 3, Nyman, a Certified Public Accountant with 20-plus years of experience, told how hackers steal from unsuspecting organizations and how to prevent those invasions.

Smart phones are connected to every device in your home, your email system and the Internet, he said. “Everything is connected,” Nyman said. “Malware can take over your phone. My product or system can talk to yours. How do we manage that? Everything can talk to everything.”

Hackers have monetized their activity. Instead of hacking as a prank, they are using it to make money, he said. Today there is more hacking, more sophistication, and now smaller organizations are being targeted, mainly because they have less money to spend on security.

The cost is staggering. Nyman said global cybercrime cost businesses up to $400 billion annually. Some theorize it will reach $2.1 trillion this year.

“So, what are the bad guys doing?” Nyman said. “The term hacker – they’re not hackers anymore – they’re more like attackers. It’s becoming a more business-type model to try to get money. In the past, someone hacked somebody by getting through the firewall just for sport of it. Now, they’re realizing that once they can get in, there is a gold mine of data. Hacking or attacking has become more sophisticated.”

There are key areas of hacking. Organized crime is recruiting hackers to develop malware for phishing expeditions. It can involve wholesale theft of personal information. “In the old way, they used physical force to get money from people – they beat it out of them,” Nyman said. “Now, they use methods to digitally take money from people.”

Another area is ransomware. Targeted businesses weigh the cost of paying the ransom, Nyman said. And even if you pay the ransom, you may be targeted again, he said. “They hold your data hostage.”

Some hackers use credentials to commit online banking and credit card fraud, taking over your system and sending out fraudulent payments. Often they create fictitious employees. Nyman told of a situation where a firm paid out $600,000 before the hacking was detected.

Credential harvesting is different than phishing, though phishing is involved, Nyman said. It’s more toward web and cloud providers. “They try to manipulate users into thinking they’re going to the right source,” Nyman said. “They harvest credentials.”

Nyman noted that many people use the same password for various programs. If it is compromised in one system, a hacker will try it out on other systems. He recommended using a variety of passwords.

“Hacking is run like a business with different departments,” Nyman said. “They have departments for writing malware, sending phishing emails, stealing data, selling data, and conducting payment fraud. And the weakest link in security is people. Hackers target the weakest link – they don’t go after firewalls if they can find a way to get to someone who gives up their credentials.”

Some mitigation keys include: first and foremost, train users regarding email phishing. Also, maintain current patch levels, remove local administrators who have no need to access business transactions, maximize your relationship with your bank, isolate the PC that is used for online banking, and implement breach monitoring and an incident response process.

Make sure you have dual control, Nyman said: “One person prepares the transactions and another person approves them.”

It’s important to know the safeguards your bank has in place, and to isolate the PC used for online banking from everything else. “Keep it away from the network – in case the network is compromised,” he said.

Your information security strategy should have the following objectives: users who are more aware and savvy; networks that are resistant to malware; and a relationship with your financial institution that is maximized.

Among the keys to mitigating risk, Nyman recommended turning off unneeded services, changing default passwords, using strong passwords, having centralized audit logging, analysis, and automated alerting capabilities, and knowing what “normal” looks like.

He strongly recommended having a defined incident response plan and procedures in place, including data leakage prevention and monitoring.

“Whatever you do, think about how can you make your users more savvy and how can you make your network more resistant to malware,” Nyman said.

Mike Nyman can be reached at: michael.nyman@claconnect.com or (602) 604-3524.
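Two of the controls recommended above, dual control over payments and centralized audit logging with alerting against a known "normal", can be turned into a small automated review. The script below is an added example written for this page; it is not code from the article, from CLAconnect, or from Nyman's presentation. It assumes a payment system exports an audit trail as CSV with the columns shown (ts, event, txn, user, payee, amount), and the log lines, payee names, amounts and the 3x spike threshold are all constructed for illustration. The baseline period teaches the reviewer which payees are normal and how large their payments usually are; the review period is then checked for a preparer approving their own transaction, a first-ever payee (the fictitious-employee pattern the article describes), and an amount far above that payee's usual level.

```python
"""Audit-log review for payment workflows (added example, not from the article).

Implements two controls the talk recommends: dual control (the person who
prepares a payment may not approve it) and "knowing what normal looks like"
(alert when a payment goes to a payee never seen in the baseline period or
is far above that payee's usual amounts).
"""
from collections import defaultdict
from dataclasses import dataclass
import csv
import io

# Constructed sample of a centralized audit log (CSV); not real data.
# The baseline period establishes which payees and amounts are "normal".
BASELINE_LOG = """\
ts,event,txn,user,payee,amount
2019-03-01T09:00,prepare,T1,alice,Acme Supplies,1200.00
2019-03-01T10:00,approve,T1,bob,Acme Supplies,1200.00
2019-03-08T09:00,prepare,T2,alice,Acme Supplies,1350.00
2019-03-08T10:00,approve,T2,bob,Acme Supplies,1350.00
2019-03-15T09:00,prepare,T3,alice,Payroll Inc,48000.00
2019-03-15T10:00,approve,T3,carol,Payroll Inc,48000.00
"""

# Constructed review period: T4 is normal, T5 is self-approved and goes to a
# never-seen payee, T6 is a large spike to a known payee.
REVIEW_LOG = """\
ts,event,txn,user,payee,amount
2019-04-01T09:00,prepare,T4,alice,Acme Supplies,1300.00
2019-04-01T10:00,approve,T4,bob,Acme Supplies,1300.00
2019-04-02T09:00,prepare,T5,alice,J. Doe Consulting,9500.00
2019-04-02T09:05,approve,T5,alice,J. Doe Consulting,9500.00
2019-04-03T09:00,prepare,T6,dave,Acme Supplies,25000.00
2019-04-03T10:00,approve,T6,bob,Acme Supplies,25000.00
"""


@dataclass(frozen=True)
class Alert:
    txn: str
    rule: str
    detail: str


def parse_log(text):
    """Parse the CSV audit trail into dicts, converting amount to float."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = float(r["amount"])
    return rows


def build_baseline(rows):
    """Per-payee maximum approved amount seen during the baseline period."""
    peak = defaultdict(float)
    for r in rows:
        if r["event"] == "approve":
            peak[r["payee"]] = max(peak[r["payee"]], r["amount"])
    return dict(peak)


def review(rows, baseline, spike_factor=3.0):
    """Return alerts for dual-control violations and out-of-pattern payments."""
    preparer = {}  # txn id -> user who prepared it
    alerts = []
    for r in rows:
        if r["event"] == "prepare":
            preparer[r["txn"]] = r["user"]
            continue
        if r["event"] != "approve":
            continue
        txn, payee, amount = r["txn"], r["payee"], r["amount"]
        # Rule 1: dual control. The approver must differ from the preparer.
        if preparer.get(txn) == r["user"]:
            alerts.append(Alert(txn, "dual_control",
                                f"{r['user']} both prepared and approved"))
        # Rule 2: new payee. Nothing in the baseline ever paid this name.
        if payee not in baseline:
            alerts.append(Alert(txn, "new_payee", f"first payment to {payee}"))
        # Rule 3: amount spike relative to this payee's baseline peak.
        elif amount > spike_factor * baseline[payee]:
            alerts.append(Alert(txn, "amount_spike",
                                f"{amount:.2f} vs baseline peak {baseline[payee]:.2f}"))
    return alerts


def run_review():
    """Learn the baseline, then review the newer period against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return review(parse_log(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for a in run_review():
        print(f"{a.txn} {a.rule}: {a.detail}")
```

Run as-is, the review flags T5 twice (self-approval and a first-ever payee) and T6 once (a payment roughly 18 times the payee's previous peak), while T4 passes silently. In practice the baseline would come from the finance system's own history and the alerts would feed the centralized logging and alerting pipeline the article recommends, so that the review runs on every approval rather than after a loss.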