J.P. Morgan Chase Bank is the latest victim of a high-profile data breach. The intrusion, which took place last summer, compromised the accounts of 76 million households and 7 million small businesses. The attack, one of the largest intrusions on record, joins a growing list of cyber crises for major corporations in just the past year, including Target, Home Depot and Jimmy John’s.
According to IBM Security Services’ 2014 Cyber Security Intelligence Index, in 2013, “more than half a billion records of personally identifiable information — including names, emails, credit card numbers and passwords — were stolen.”
The report states that when “consumers lose faith in a company’s ability to keep their personal data safe, the company can ultimately lose customers. Most certainly they stand to lose money, and in some cases, intellectual property.”
IBM reports that in 2013, “each lost data record cost companies an average of $145 per record, with companies in Germany losing the most per record for each data breach ($201), followed by the United States ($195), and companies in India the least at $51.2.”
The impact to a major retailer with millions of leaked credit card numbers could be more than $100 million in direct costs, including fines, according to the document, which added: “A university that leaked 40,000 records could suffer over $5.4 million in losses.”
Good to be bad
“The bad guys are winning,” according to David Schoenberger, chief innovation officer with Colorado Springs-based SecureCloud Systems. He said cyber criminals have been steps ahead of those tasked with protecting sensitive data since the dawn of the Internet, and SecureCloud is fighting to turn the tide.
“Part of that is because we’ve focused on the wrong thing for too long,” he said. “We’ve been trying to keep the bad guys out and not doing something different with our data.”
According to Schoenberger, the focus of online data security has been securing perimeters and not the data the perimeters were created to protect.
“The model has been to build a big fence in front of a thick wall, but everything is free and clear if you can get through the wall. If you can break in, you can have it,” he said. “[SecureCloud focuses] on the exact pieces of data and securing those.”
If one were securing the file of a birth certificate online, for instance, Schoenberger said they would have to secure multiple pieces of information, including date of birth, name and address. Rather than encrypting that file as a whole, SecureCloud encrypts individual pieces of data, breaks that data apart and stores it over multiple servers. The data is replaced on the client’s website with placeholders, or “tokens,” Schoenberger said.
Those tokens are swapped out for the sensitive information in real time when all the parameters required to decrypt that data are met. The concept means devoting fewer resources to protecting a site’s perimeter with firewalls and instead finding ways to protect the data once a breach has occurred.
Schoenberger said, with SecureCloud’s encryption capabilities, the best-case scenario for a hacker would be decrypting one piece of data. Without supporting data, that single piece of data would be useless.
“A hacker, if they were very lucky, might get your first name, or just your date of birth without a name,” Schoenberger said. “It’s the one-two punch of securing the perimeter, but also encrypting those individual pieces of data separately.”
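The per-field tokenization and split storage described above, as an added Python example that is not SecureCloud's code. XOR secret splitting stands in for the company's undisclosed encryption, and `TokenVault`, the in-memory "servers", the `authorized` flag and the sample record are assumptions made for illustration.

```python
import secrets

def split(value: bytes, n: int) -> list[bytes]:
    """Split value into n XOR shares; all n are needed to rebuild it."""
    shares = [secrets.token_bytes(len(value)) for _ in range(n - 1)]
    last = value
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]

def combine(shares: list[bytes]) -> bytes:
    """XOR all shares together; any missing share leaves random noise."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out

class TokenVault:
    """Hypothetical vault: each 'server' is a dict mapping token -> share."""
    def __init__(self, n_servers: int = 3):
        self.servers = [dict() for _ in range(n_servers)]

    def tokenize(self, record: dict[str, str]) -> dict[str, str]:
        """Return a copy of record in which every value is a random token."""
        out = {}
        for field, value in record.items():
            token = "tok_" + secrets.token_hex(8)  # independent per field
            shares = split(value.encode(), len(self.servers))
            for server, share in zip(self.servers, shares):
                server[token] = share
            out[field] = token
        return out

    def detokenize(self, token: str, authorized: bool) -> str:
        """Swap a token back for its value only when the caller is
        authorized and every server returns its share."""
        if not authorized:
            raise PermissionError("decryption parameters not met")
        return combine([s[token] for s in self.servers]).decode()

# Constructed sample record (not real data).
RECORD = {"name": "Jane Example", "date_of_birth": "1980-01-31",
          "address": "1 Sample St, Springfield"}

if __name__ == "__main__":
    vault = TokenVault()
    stored = vault.tokenize(RECORD)
    print(stored)  # what the website's own database would hold
    print(vault.detokenize(stored["name"], authorized=True))
```

Each share is as long as the value it protects, so a real deployment would pad fields to a fixed size to avoid leaking their length.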
While the private sector is taking steps to create a safer Internet, local academic and military institutions are taking up the charge as well.
“Vulnerability exists for the entire business sector,” according to Lt. Col. Greg Bennett, deputy director of the U.S. Air Force Academy’s Center of Innovation. “The level of sophistication in terms of the actors who are exfiltrating data has grown more sophisticated over time. Their technology and methods used to be simplistic, but they’re growing very complex and [breaches] are harder to detect.”
Bennett said cadets studying cyber security at the Academy currently benefit from a research partnership with Intel and indirect funding provided by the Department of Homeland Security.
“We have a cooperative agreement for about three years that centers around cyber security at our anti-malware lab at the Academy,” Bennett said. “Intel’s research centers around … a unique approach to finding malicious codes and code reuse.”
Analyzing the hackers
Dr. Martin Carlisle, head of the Academy’s computer science department and former director of the Academy’s Center for Cyberspace Research, elaborated:
“Many hackers tend to be lazy and reuse certain parts of code to shorten the process and condense the amount of time it takes to write [malicious] code,” Carlisle said. “Writing novel code takes time. Hackers will use existing code and make it look different enough so as not to be picked up by malware protection.”
Carlisle said research is being done to create systems that identify malicious coding before it becomes a problem. He said detecting data exfiltration in real time is another tool used to protect systems.
“The end goal is to determine if traffic is not normal or if it’s malicious, and to trace it and to shut it down,” he said.
Dr. Edward Chow, professor of computer science at UCCS, said there needs to be more education and shared resources within the tech world to create a more secure environment.
“The good people aren’t as good at sharing resources and experience and techniques,” Chow said. “For some, they just don’t know how to report incidents to the FBI or other authorities.”
UCCS has grown its computer science and security offerings over the past 20 years, and the university now offers degrees in cyber security through the doctorate level. Chow said anyone with a programming background can take part in National Security Agency-sanctioned programs through the school’s Department of Computer Science.
Students completing the four courses will receive a graduate certificate in Secure Software Systems from UCCS. In addition, the courses can constitute 40 percent of a master of science in computer science, master of engineering, information assurance or software systems engineering options, according to the UCCS website.
The MEIA program and curriculum are certified by the National Security Agency’s Committee on National Security Systems and meet the Information Assurance Professional Training Standards, the website states.
Chow said the courses are currently designed for people working in IT with some experience in high-level programming, but courses geared toward the general public may be available in the near future.
For information on graduate certificates and the computer science program at UCCS, visit uccs.edu/cs.
According to Carlisle, cyber crime has increased lately for several reasons, including fewer relative risks associated with cyber theft versus back-alley muggings.
“Criminals are motivated by profit,” he said. “Cyber crime can mean high profits with less risk.
“[Criminals] will weigh the incentives. Hitting the hot dog stand downtown once won’t bring in as much money as a J.P. Morgan, so criminals are less likely to invest as much time. But if hackers can hit a thousand small businesses and get a little from each one, the risk pays off.”
Carlisle said smaller businesses must make tough decisions regarding security. Most don’t have the money to spend on high-end cyber security systems or IT departments, and by using cloud storage and relying on the security of companies such as Google or Amazon, small businesses are making themselves a small part of a larger target.
“Companies just aren’t investing in secure technology,” Schoenberger said. “A company might have one or two security people, or even a whole team, but they’ll always be behind the curve. They’ll always be trying to plug holes rather than doing something proactively. Budgets in security don’t support the proactive approach. Security has always been reactive.”
Schoenberger said SecureCloud Systems offers packages for every budget, ranging from licensing the technology to larger companies for their own use to providing encryption services on specific data that only carries a charge when it’s opened by a user.
Schoenberger said clients so far have included 12 state authorities that have used SecureCloud’s encryption capabilities to secure personal information entered into Affordable Care Act databases. He said Colorado is not one of the states, and he would not disclose additional clients.
“Typically, every individual who interacts with any business is at risk,” Schoenberger said. “If you interact with a business, a government or a health care provider, it’s just a matter of time [before your data is breached.]
“It’s not an ‘if.’ It’s a ‘when.’ ”
CSBJ