Shaquille O’Neal was easily one of the top 50 greatest NBA players, if not one of the greatest basketball players of all time. However, over his career, Shaq shot a paltry 0.527 free throw average. With this in mind, Dallas Mavericks coach Don Nelson orchestrated a plan during the 2008 playoffs to put Shaq on the free throw line as much as possible, as a disruptive strategy to keep him away from areas of the court where he was most effective. He called the plan “Hack-a-Shaq.” Similarly to Nelson’s strategy, cyber threat actors are constantly searching for ways to access networks.
Data miners are looking for a window of opportunity. A network can be penetrated through various means, and intruders only need access to one. Network managers are running a relay race, passing the baton from one network protector to another. The issue, however, is that network intruders are relentless, and network managers are consistently outmanned. This leaves network defenders vulnerable to fatigue. There are innumerable vulnerabilities out there, and it isn’t an understatement to say that a cyber-war of attrition is ensuing. All users of the Internet are caught in the crosshairs, and the risk of collateral damage is high.
This struggle is exacerbated by growing levels of sophistication among cyber criminals. In the Computer and Information Security Handbook, Second Edition, West says that if you’ve been hired to maintain security on the Internet, “the task is simply daunting.” [1] How can networks be completely secured against hackers? Is it possible to know where all of the entry points will be? Today, companies are faced with securing their domains against everything from simple mischief to cybercrime and espionage. Attacks sponsored by nation-states such as China and Russia occur routinely and with varying motives. Threats also originate from organization insiders. And the cost of cybercrimes is escalating: it has been reported that cybercrime now drains close to $445 billion each year from businesses. [2]
Cybercrime losses put a strain on the economy in the form of stolen intellectual property, lost jobs, and company shutdowns. Organizations that have been highly publicized targets of cybercriminal activity include NASDAQ, JP Morgan Chase, and Morgan Stanley. In 2011 and 2012, several high-profile banks, including JP Morgan, were victimized by a wave of denial of service attacks. These attacks disabled JP Morgan’s online banking websites and blocked customers from accessing their online bank accounts. Disruptions of services like these can ultimately result in a loss of customers and negative publicity for the company. Companies under attack must also dedicate sizable resources to combatting the threats and restoring their systems to a functioning state. Even though the attackers may not have benefited monetarily from the attack, these organizations suffered measurable financial impact. In order to prevent heavy losses at the hands of cyber attackers, we know it is critical for effective cybersecurity policies to be put in place. But what makes a policy effective?
We Can Explore the Universe but Can’t Secure a Network on Earth?
How is it possible to witness unprecedented technological advancement in space exploration, even to the edge of the solar system, and yet we cannot seem to secure networks here on Earth? The answer is the frequency with which cyber thieves are adjusting their tactics. They have specific high-value targets in mind, and use every attack they can leverage against them. Unlike denial-of-service attacks, recent network breaches against Goldman Sachs, Target, and Home Depot are examples of targeted attacks. The continuation of these breaches makes it seem like no network is safe from intrusion. What could be the issue here? Who or what opened the window of vulnerability?
Hacker Motivation and Threat Mitigation
An employee who is fired, receives a layoff notice, was passed over for promotion, or didn’t receive a pay raise has the potential to facilitate a data breach. Unfortunately, this is no longer the exception in post-attack analysis. One noteworthy example was an autonomous software designer at the University of Texas, Austin who was charged with gaining unlawful access to the university’s computers. After obtaining this unauthorized access, he began malicious activities against the network that caused an estimated $200,000 in damage. [3] His motivation stemmed from being fired three years earlier. He wanted to get back at the university and those responsible. The hacker, along with another person who assisted him, now faces felony charges, but posted bail and was not taken into custody. [4] In retrospect, however, was he a trustworthy employee from the start?
A Call to Action
Patrick Henry once said, “Now is the time for all good men to come to the aid of their country.” This sentiment is echoed time and time again in government agencies and corporate America, and has renewed meaning in the battle against malicious actors. Optimistically speaking, this battle isn’t lost; the alarm is sounding for network administrators to shore up their networks against intrusion, and companies are hiring ethical hackers to bolster their defenses. Consider this a call to action—get your organization ready before you become the next victim of a hack-a-Shaq, denial-of-service, targeted attack, or insider threat!
1. Vacca, John R. “Unix and Linux Security.” In Computer and Information Security Handbook, 63. Amsterdam: Elsevier, 2013.
2. Pepitone, Julianne. “Cybercrime Costs Businesses $445 Billion and Thousands of Jobs: Study.” NBC News. June 9, 2014. http://www.nbcnews.com/tech/security/cybercrime-costs-businesses-445-billion-thousands-jobs-study-n124746.
3. Read, Brock. “Charges Filed on Hacking at U. of Texas.” The Chronicle of Higher Education. December 5, 2003. http://chronicle.com/article/Charges-Filed-on-Hacking-at-U/29243/.