Last fall, when people on the East Coast reached their desks the morning of Friday, October 21, many had trouble loading popular websites such as Twitter, Spotify, The New York Times, and CNN. The sites were extremely sluggish or didn’t load at all. The disruptions were caused by a massive, daylong cyberattack on a New Hampshire-based server company, known as Dyn, which routes internet traffic and supports large websites.
The cause was a distributed denial of service (DDoS) attack, a common strategy in which hackers create a flurry of fake web traffic to overload servers. But this event was especially alarming because the attackers launched it using ordinary wireless devices that are linked via the internet, including security cameras, DVRs, and computer routers. Known as the “Internet of Things,” these devices rarely undergo system updates or have strong password protection, which allowed hackers to turn them into a digital army of sorts, explains Matt Petrosky, MBA’08, director of strategy execution for cybersecurity software firm Carbon Black, which specializes in arming a company’s computers and networked devices against attacks. “It was maybe the first time we’ve seen consumer devices used to this magnitude to take down major websites and throw off millions and millions of people’s online experiences,” he says.
The Dyn assault illustrates the increasing sophistication and complexity of cyberattacks, say alumni working in the industry, and points to the need for increased protection and cybersecurity experts. Petrosky, who joined Carbon Black more than a decade ago when the company was known as Bit9, helped write the company’s mission statement. It refers to cybersecurity experts as “cyberdefenders” who “collectively defend our connected way of life.” C-level executives are taking note, says Hans Olson, MBA’14, who oversees cybersecurity policy as assistant undersecretary for Homeland Security for the Commonwealth of Massachusetts. “It’s not just an information security problem,” he says. “It’s a business problem.”
All businesses, regardless of the goods and services they offer, are vulnerable to hackers and cybercrime, alumni declare. A business is only as strong as its firewalls and other security measures, says Jeff Bamberger, MBA’94, senior cyber/IT risk management and security consultant at OpenSky, an IT services company that helps businesses adopt digital technology and protect their cyberinfrastructure and data. In an analogy that he often shares with clients, Bamberger describes each business as a house, with information technology controls as the foundation. “If the foundation is weak, the house is going to crumble and possibly fall down,” he says.
It’s Not Who You Think
A cyberattack is any attempt to compromise a computer network, whether or not the hackers succeed. Most attacks fall into one of three categories, says Petrosky. The first is espionage: attempts by governments to steal sensitive information from other governments or foreign businesses. One example is the 2015 breach of the federal government’s Office of Personnel Management, in which hackers stole detailed information about 22.1 million people, including their addresses, performance evaluations, and fingerprints. Little is confirmed about the attackers, but The Washington Post and The New York Times reported that federal officials believe the breach was the work of the Chinese government.
The second type is the work of vigilantes, or “hacktivists,” such as Anonymous, a loosely affiliated group of hackers who attack networks to make a point (one of their first actions was a DDoS attack against the Church of Scientology) or expose security vulnerabilities. The third is monetized attacks, in which hackers attempt to steal large quantities of personal data and sell it on the black market. “Attackers might make $20 per credit card number, $30 per social security number,” Petrosky says.
Despite the notion that cyberattacks are largely waged by lone teenagers in their parents’ basements, hacking operations are increasingly professional, reports Petrosky. “Cyberattackers can buy all the same software that defenders use,” he says. “They can test their methods in a lab, and say, ‘All right, if I take two emails per minute out of this network, is that going to set off alarms?’ They’re very, very careful. They also have teams of people and project managers with objectives and deliverables, goals and milestones. It’s very sophisticated.”
Cyberattackers also are notoriously difficult to track. “It’s very easy if you’re a bad guy to make yourself look like you’re coming from Canada when you’re actually coming from Australia,” says Jack Huffard, MBA’00, president, COO, and co-founder of Tenable Network Security, which offers security audit software that checks for holes in cyberdefenses. Olson of Massachusetts homeland security adds that the offender could be sitting in the next cubicle over, with a surprising number of cyberattacks being launched by disgruntled employees.
Attackers use many strategies to gain access to computer networks, but one of the most common is social engineering, or “phishing.” Hackers send documents or links via email to employees, hoping they will click and unwittingly download malicious code that gives hackers a foothold into the network. Huffard himself has received so-called “spear phishing” emails, which are more individually targeted. Huffard’s emails appeared to come from Tenable’s CFO, requesting wire transfers, but Huffard knew they were fake because the company’s wire-transfer procedure doesn’t involve email. “If you’re not looking out for things like this, the damage can be significant,” he says. Huffard forwards such emails to the company’s IT and research departments to help them guard against future phishing emails.
Another entry route involves finding code errors that have not yet been patched or corrected, leaving devices’ security measures weakened. These errors often crop up in places where old cyber infrastructure is linked to newer systems. “Most networks include an array of different systems that have been cobbled together over time,” Olson says. The challenge of meshing disparate systems is a pressing issue for Olson, who is responsible for developing policy to protect critical infrastructure in Massachusetts, including the electrical grid, oil and gas facilities, and water treatment plants, as well as links between state government and its 351 communities and towns.
Olson started his career in the Navy before moving on to the Defense Intelligence Agency as a civilian intelligence officer. He was deployed to multiple locations around the world, and some of his work included cybersecurity. After leaving the DIA, he earned his Babson MBA and worked for a startup energy company in Massachusetts. When Gov. Charlie Baker was elected in Massachusetts, he created a new homeland security position that includes oversight of cybersecurity and hired Olson to fill the job. Olson admits that he sometimes loses sleep over the worst-case scenarios. “Let’s imagine it’s February 2015, we are receiving 10 feet of snow, and it’s one of the coldest Februaries on record,” he says. “Imagine a cyberattack against the electrical grid, or against an oil and gas provider, so that people can’t heat their homes. Those are the types of things I worry about.”
Weina Dorsky, MBA’09, director of cybersecurity for the Navy’s Program Executive Office for Littoral Combat Ships, also is motivated by the big-picture impact of her work. She coordinates all policy and strategy for cybersecurity on the fleet of small, fast, agile ships that can operate close to shore. An electrical engineer by training, Dorsky has worked for the Department of Defense for more than a decade and has seen the emphasis on cybersecurity increase during that time. “It’s no longer just a box to check. Cybersecurity is now built into the design of new ships,” she explains.
In her work securing the ships’ data and networks, Dorsky says she is always thinking about the sailors who will live on those ships. “We owe it to those men and women risking their lives for us to protect those homes,” she says.
Tools for Cyberdefenders
One of the most important steps toward protection, alumni say, is an honest assessment of a company’s networks. “If you don’t understand what’s on your network, and what state it’s in, you’re going to have a hard time knowing if you’re secure,” says Huffard of Tenable. “We’re going to show you where you don’t have firewall coverage and where you have misconfigured servers, which will allow you to be more proactive. We look at your network and say, ‘Everything is tight,’ or ‘You have some open holes here.’”
Another critical step is so-called “cyberhygiene,” which refers to a collection of routine habits designed to keep systems and data safe, says Olson. “Approximately 80 percent of cyberincidents could be prevented if people followed basic cyberhygiene by updating their software with the recommended patches sent out by software companies,” he says.
In addition to these baseline strategies, cyberdefense also may involve layering multiple protective tools, an approach called “defense in depth,” says Dorsky, who helped institute this type of architecture in the Navy’s future frigate designs. These tools include switches and routers; software that detects intrusions, monitors systems, and erects firewalls; and a popular strategy called security information and event management (SIEM). According to Bamberger of OpenSky, SIEM centralizes and monitors data logs from multiple systems, then performs “event correlation,” or analyzes those logs to spot suspicious patterns. For example, systems administrators can set SIEM to alert them if multiple failed logins occur on a variety of systems. Tenable’s Huffard likens SIEM systems to “a motion detector inside your organization that helps differentiate between normal and abnormal activity.”
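The event correlation Bamberger describes, shown as an added example that is not from the article or from any vendor's product: constructed log lines from several systems, already normalized into a common form as a SIEM would do after collection, and a rule that alerts when one user fails to log in on three or more distinct systems within five minutes. Host names, user names and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article) in a normalized
# "timestamp host event user=..." form, as a SIEM would see them after
# collecting from several systems and parsing them into common fields.
SAMPLE_LOGS = """\
2017-03-01T08:00:05 vpn-gw01 LOGIN_FAILED user=jsmith
2017-03-01T08:00:41 fileserver LOGIN_FAILED user=jsmith
2017-03-01T08:01:12 hr-portal LOGIN_FAILED user=jsmith
2017-03-01T08:01:30 vpn-gw01 LOGIN_OK user=mlee
2017-03-01T08:02:02 mail-01 LOGIN_FAILED user=jsmith
2017-03-01T09:30:00 fileserver LOGIN_FAILED user=mlee
2017-03-01T11:45:00 hr-portal LOGIN_FAILED user=mlee
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+)$")

def parse_events(text):
    """Turn raw lines into (timestamp, host, event, user) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, event, user = m.groups()
            events.append((datetime.fromisoformat(ts), host, event, user))
    return sorted(events)  # time order, so each user's failures are in order below

def correlate_failed_logins(events, min_hosts=3, window=timedelta(minutes=5)):
    """Alert when one user fails to log in on >= min_hosts distinct systems within `window`.

    Each host alone sees a single failure and would never lock the account;
    only the centralized view across systems reveals the pattern.
    """
    failures = defaultdict(list)  # user -> [(timestamp, host), ...]
    for ts, host, event, user in events:
        if event == "LOGIN_FAILED":
            failures[user].append((ts, host))
    alerts = []
    for user, hits in failures.items():
        for i, (start, _) in enumerate(hits):
            # sliding window: distinct hosts this user failed on within `window` of this failure
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, start, sorted(hosts)))
                break  # one alert per user is enough for this demonstration
    return alerts
```

Running `correlate_failed_logins(parse_events(SAMPLE_LOGS))` flags only jsmith, whose four failures across four systems fall inside a two-minute span; mlee's two failures are hours apart and stay below the threshold.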
Monitoring a network is far more complicated than it used to be, continues Huffard, who has worked in cybersecurity for more than 16 years. “With the emergence of mobile and the cloud, every organization has a hybrid IT infrastructure model now,” he says. “Companies have some data on-premises at the facilities, some in the cloud, and they’re also doing stuff on their phones and iPads. And all of that has to be identified and assessed.”
One of the biggest shifts in the battle against hackers may be the rise in information sharing among cyberdefenders. “Attackers have been sharing stuff on the dark web and collaborating with each other for years,” Petrosky says. But until recently, cyberdefenders had few “safe” places to gather and were hesitant to share details with one another, in part because being hacked was viewed as a sign of weakness, Petrosky says. And some companies worried that admitting to a data breach or other attack could affect customer relations. More companies, however, acknowledge how hard staying ahead of increasingly sophisticated attacks can be. “Many defenders now accept that you will be compromised at some point, or they operate as if the attacker is already in the network,” Petrosky says. “There’s a good chance that’s true, and what’s more important is how you respond when it happens.”
In his current position at Carbon Black, Petrosky has been building a private online community where the company’s customers and other cybersecurity experts can discuss current threats and recent cyberattacks. “We’ve started saying that each attack will make us stronger as defenders,” says Petrosky, noting that when organizations identify attacks and share details about them, hackers must return to the drawing board to research new strategies, thus raising their costs.
Bamberger, who has worked for more than 20 years in cyber and technology risk management, often checks the Privacy Rights Clearinghouse website, which maintains a list of all reported data breaches. “Reviewing details of the breaches can help teach us where weaknesses tend to reside,” Bamberger says. Sometimes, the details leave him shaking his head. He gives a hypothetical example of an employee leaving his laptop in an unlocked car and having the laptop stolen. “You wonder how companies allow such disregard for basic controls and awareness,” he says.
He sees benefits in the practice of thinking like a criminal. “Put yourself in the shoes of people who want to do harm to your organization,” he says. “If you were one of them, how would you go about it?” Bamberger reminds clients to make cybersecurity part of everything their organizations do, including physical security. He sometimes provides security audits for clients’ facilities and is astonished by the speed at which he can gain access to sensitive areas and information. “It’s too easy to get into a building these days,” he says. “If you dress the part, people think you belong, and someone will hold the door open for you, giving you potential access to information.” He gives an example of copy machines, which may have hard drives that hold images of copied documents. Someone dressed as a repair person could take that hard drive and any sensitive information it contains.
In his audits, Bamberger also advises companies to use caution when firing employees, who may be disgruntled enough to harm networks or steal data as they depart. Employees should never be allowed to return to their computers after termination. “It gives them an opportunity to be malicious on the way out,” Bamberger says, noting that even people leaving their jobs voluntarily may do damage as they go.
He and other alumni encourage companies to educate employees about a range of basic security controls, such as locking computer screens when they walk away from their desks and using strong passwords. Some security protocols are inconvenient for workers. Email attachments, for example, are a common target for attacks, so some companies don’t allow employees to send or receive them, notes Petrosky of Carbon Black, or attachments are collected on a server, scanned by a security team for malware, and then released.
A Congressional report on the massive data breach of the federal Office of Personnel Management suggests that it might have been prevented with multifactor authentication, a login process that involves a password along with other steps, such as a key card, PIN, or fingerprints. Cybersecurity experts understand that this type of security can be a hassle for employees. “Even we get annoyed at some of the inconvenient tradeoffs that you have to make,” says Petrosky, “but we know that we have to protect ourselves.”
The Future Of Cybersecurity
One of the top hurdles to cybersecurity is often cost. “Unfortunately, our budget doesn’t increase just because cybersecurity threats do,” says Dorsky.
Budget constraints are always an issue, agrees Bamberger. He suggests that organizations conduct risk assessments, which allow them to make savvy budget decisions, avoid wasteful spending, and decide which cybersecurity risks are their biggest priorities.
Alumni also say that improved tools are needed to take on increasingly complex attacks. “I’d have to say the balance is tipped in the attackers’ favor right now,” Petrosky says. He gives the example of businesses, such as major retailers, that should have the financial means to defend themselves properly, yet attackers still are walking away with millions of personal records. “That’s a sign that we haven’t adapted to the new realities of the attackers,” he says. “I think the cybersecurity industry as a whole has accepted that we need more advanced, more dynamic, more proactive types of solutions.”
Venture capitalists are paying attention. “We’re seeing an incredible amount of capital going to new companies creating new cybersecurity options because some of the old solutions aren’t working,” says Petrosky. He believes next-generation tools like those offered by Carbon Black will help tip the balance back to the defenders. Huffard at Tenable makes the case that useful tools are available, but companies need to employ them more effectively. “Organizations have to adopt more systematic approaches to continuously monitor the state of their network and their defenses,” he says.
Cyberthreats show no sign of easing for now, so vigilance is key, agrees Olson of Massachusetts homeland security. “Cyberdefenders have to be right 100 percent of the time,” he says. “Cybercriminals only have to be right once.”