These past few months, American security systems seem to have virtually checked out while Chinese hackers are checking in. The hackers’ jobs have even taken a turn to professionalism—hackers, apparently, get weekends off too.
To give you a recap, here are some of the victims who have been hit:
The White House
The United States Chamber of Commerce
The New York Times
The Wall Street Journal
The Washington Post
Department of Energy
And many more...
These aren’t small companies and those hackers aren’t bored teenagers.
Which raises two important questions: What exactly is going on? And are we in the midst of a cyber-espionage campaign?
“The New Normal”
First, let’s gather up the facts before having a meltdown.
Like a rock thrown into pond, a ripple effect was set in motion when companies admitted to being victims. It used to be rare for companies to admit that they were hacked; silence is golden with the threat of lawsuits and company posterity hanging in the balance. In 2010, for example, Google announced it was one of two dozen companies that had been breached. Only Intel and Adobe Systems confessed to being targets.
Now admission to hacking has become a trend. For instance, when Twitter stated it had been hacked, Facebook and Apple made public statements two weeks later.
These public announcements are due in part to instill awareness. Mandiant founder and chief executive Kevin Mandia says that these cyberattacks may become “the new normal” and “everybody needs to get smarter from each breach, almost like a neighborhood watch.”
But how did the hackers infiltrate the technological infrastructure of these corporations so easily? Their method was quite elementary:
The hackers used spear phishing.
What is Spear Phishing?
Spear phishing is when you receive an email from a trusted source—a friend or someone in your company—and under the guise of your boss, coworker, etc., they send a link with a cleverly formatted bogus page that requests your personal information. Once the information is entered, the hacker can pose as the individual and access company data.
Unfortunately, hackers also count on good Samaritans to do the work for them, as well. On 60 Minutes, former State Department official Jim Lewis said thumb drives (memory sticks) have been banned at the Pentagon for this reason. Figuring it belongs to a coworker, a person who finds the thumb drive may plug it into their computer to find out whom the drive belongs to. This is where infiltration starts.
It also takes months for a company to be hacker-free. Every corner needs to be checked, yet some threats can go unnoticed or overlooked. A thermostat and printer at the Chamber of Commerce, for example, were still communicating with an Internet address in China despite system cleanouts.
The U.S. is a Vulnerable Target
To improve cybersecurity in the wake of these attacks, President Obama signed an executive order this past February.
“We know that cyber intruders have probed our electrical grid, and that in other countries cyber attacks have plunged entire cities into darkness.” – President Obama
Hacking goes both ways. The U.S. also engages in hacking other countries' systems. However, Lewis says the U.S. has more to lose: “We are in the top of the league…We’re the place that depends on the Internet. We’ve done the most to take advantage of it. We’re the ones who’ve woven it into our economy into our national security in ways that they haven’t, so we are more vulnerable.”
How to Prevent Hackers
To protect yourself from being hacked you have to be self-aware.
- Never open up a link in an email from a person you don’t know.
- If the email is from a person you do know, contact them first before clicking.
- If you find a thumb drive, do not plug it into your computer.
You’ve Been Audited!
Hey, this kind of audit’s okay! A security audit is a way to check up on your computer system to make sure nothing is amiss. If something’s out of line, technicians can investigate before your system becomes infected.
Maintenance and monitoring is also a proactive way to protect your system from potential threats. IT services design programs that monitor servers and alert technicians. These programs also offer data backup service and anti-virus monitoring.
To learn more about security auditing, monitoring, and data protection, visit NSK’s website.
Sources: huffingtonpost.com, nytimes.com, cbsnews.com