Cyber security: Net threats rise by James Dunn, Business Journal Staff Reporter

Expert: 97% of businesses’ computer systems are hacked. Companies are increasingly vulnerable as Internet security declines.

Sony Pictures Entertainment officials in December bowed to cyber attacks and online threats and halted its Christmas Day release of The Interview, a satiric film about assassinating Kim Jong-un, North Korea’s 31-year-old dictator. A day later, President Barack Obama blamed North Korea as the source of the Internet attack and poked fun at its ruler’s fear about a comedy starring Canadian-born Seth Rogan, who at 32 is only a year older. The president vowed a “proportional” response without specifying. The next day, North Korea’s sparse Internet service crashed, and Sony reversed course to release the film online and in independent theaters.

The case shows how astonishingly vulnerable Sony was to a focused, sustained expert attack on its computer systems. Attackers absconded with millions of files including employee emails and medical records. The business damage includes the dent in Sony’s market image as it allowed vague terrorist threats posted online to alter its marketing plans. Internet security and Internet crime have taken over the business stage as well as the international news stage.

In Internet crime, bad guys usually leap ahead of good guys, according to Kevin Villanueva, senior manager and leader of the Moss Adams IT Security and Infrastructure Practice. Within the past year or so, malicious hackers hit not just Sony, but Target, Neiman Marcus, Home Depot, JP Morgan Chase — big companies with North Bay and Bay Area operations that allowed valuable data to be compromised.

Every business stores and uses data about customers. If the system that manages business data links to the Internet, it faces increasing insecurity. Threats to business from Internet attacks intensify as business migrates to the cloud.

It’s not just big companies that face computer system risk. An Internet security expert from Milpitas-based FireEye in November estimated that 97 percent of businesses are hacked. Maybe your business is among the 3 percent that resist hacking. If not, you can reduce your business’s vulnerability and harden defenses.

Mr. Villanueva’s team serves Moss Adams clients in California, Oregon and other states throughout the west. Moss Adams LLP is the largest accounting firm in the North Bay, according to Jeff Gutsch, partner in charge of the firm’s offices in Santa Rosa and Napa, which have about 85 total employees. Mr. Villanueva, with Moss Adams for about 13 years, is based in the company’s Seattle office.

“In my area, cybersecurity,” he said, “we get brought in because clients want to comply with a specific data security regulation,” such as the payment card industry data security standard (see sidebar).

Sometimes Mr. Villanueva responds due to an audit or “for the CFO’s peace of mind,” he said. “When clients engage my team, it’s typically as a preemptive measure, making sure their systems and networks are secure,” and that they have good practices for keeping critical business data secured.

“Attacks vary in the level of sophistication,” he said. The Target breach involved compromising the credentials of a third-party service provider, an HVAC vendor based in Pennsylvania.

“They’re not only trying to hack into the network using traditional hacker tools, but incorporating social engineering, preying on individuals’ desire to help out another. It was a multi-pronged attack,” he said.

Point-of-sale risks

In the Target and Home Depot incidents, “the point-of-sale system was the root of the attack,” said Mike Lawrence Jr., security manager for the Burr Pilger Mayer accounting firm.

Mr. Lawrence runs the network for Burr Pilger Mayer, with half a dozen offices in the Bay Area, including Santa Rosa, St. Helena and San Francisco. The company has about 370 employees, with nearly 50 in the North Bay.

In the Target incident, “they attacked the central system where all the processing was being done,” Mr. Lawrence said. “If you used your credit card to purchase something at Target and you’re worried about that exposure, you can request a replacement credit card from your bank,” he said. “Chase was offering credit monitoring services for people affected by” the breach there.

To reduce business risks from exposure to Internet hackers, minimize stored customer data, Mr. Villanueva suggests. Does your business need to keep credit card data after a transaction occurs? “With credit and debit card account numbers,” he said, “and the security codes on the back, they really should not be on an entity’s network. They should not be stored after the transaction has taken place” unless there’s a valid business reason, such as recurring payments.

Reducing personal customer information on a network can “minimize the attack footprint,” for a hacker, he said. Most businesses need to hold onto customers’ email addresses, which are often available elsewhere on the Internet. “If somebody wants to find your email address, they’re going to find it,” he said. “They’re pretty innocuous” and low-risk, though email accounts can be used in phishing attacks. “They try to trick you into clicking on a link embedded in an email,” he said, “that leads an individual to a malicious website, or downloads malicious software.”

Customers tend to hold businesses responsible for protecting their information. “Businesses overall are getting smarter,” Mr. Villanueva said. But with “mom-and-pop shops, they tend to outsource their IT function” to third-party vendors that maintain their networks. “Smaller businesses are trying to transfer the risk and responsibility to that provider. But that doesn’t get the company off the hook.”

Encrypt data, use firewalls

Encrypting data while it is stored on a company server is one way to protect it, he said, but that step involves costs, such as for encryption software and configuring computers. Big retailers, for example, should not keep credit card information in their databases, Mr. Villanueva said, unless it is encrypted for both storage and transmission. “They have a huge responsibility to make sure that the information is kept secure,” he said. “The risk of inadvertent exposure or unauthorized access needs to be minimized.” He recommends encryption especially for health care companies that keep sensitive personal health information.

Even with careful network management, businesses still face risks from hacker attacks that penetrate to steal customer data. Cyber-liability insurance, Mr. Villanueva said, is offered by Travelers and AIG. “We’re hearing about it more and more. It might indemnify customers who have experienced losses.”

A network firewall serves as a barrier between a company’s internal systems and the Internet.

“That’s cyber-security 101 — basic,” Mr. Villanueva said.

Cisco Systems, based in San Jose, has a firewall called an “adaptive security appliance,” he said. Firewalls check data packets as they move in and out of a network.

“They keep out the bad ones that look like an attack,” he said. “They’re like a traffic cop stopping each car that goes by, asking: Where are you going? Who sent you? What’s your purpose?”

More advanced fourth-generation firewalls may detect statistical anomalies in data traffic and can ward off attacks even before they hit a network. The systems determine what a network’s baseline traffic is then compare current traffic to that baseline. If there is unusual traffic activity at the firewall, such as an increase in packet size or frequency, “the firewall might recognize that something fishy is going on, that an attack is brewing,” Mr. Villanueva said.

The firewall might terminate an active session or drop suspicious packets to thwart the attack. “Clients don’t want to disclose” the fact of a cyber-attack occurring because it can ruin the company’s credibility with clients or customers, he said.

Ethical hacking

“Instill a culture of cyber-security in the organization,” Mr. Villanueva said. Such a culture should include “penetration testing or ethical hacking,” he said.

Consulting fees for such services can range from $12,000 to $120,000 for a big organization.

“We have a team of ethical hackers, a methodology and a set of tools we use to mimic the activities that a real-world hacker would take to infiltrate our network,” he said. “We get asked to do that regularly. It provides peace of mind as to how secure a network is from the outside. All of our guys who do that are tinkerers,” he said. “They love technology and have a background in network or system administration. Once they find a vulnerability that can be exploited, they notify our client right away. This is something that needs to be fixed.”

Payment Card Industry Data Security Standard (PCI DSS)

• Created jointly in 2004 by Visa, MasterCard, Discover and American Express to optimize security of credit, debit and cash card transactions, and protect cardholders against misuse of personal information.
• Maintain secure network in which transactions are conducted with effective firewalls that allow convenience to cardholders and vendors. Protect wireless local area networks that are especially vulnerable to eavesdropping and hackers. Don’t use defaults supplied by vendors for authentication data such as personal identification numbers and passwords. Allow customers to easily change their data.
• Protect cardholder information wherever stored. Secure data such as dates of birth, mothers’ maiden names, Social Security numbers, phone numbers and mailing addresses against hacking. When cardholder data is transmitted through public networks, encrypt data, especially in e-commerce.
• Guard systems from hackers with anti-virus and anti-spyware software updated with the latest definitions and signatures. Check applications for vulnerabilities that might allow cardholder data to be stolen or altered.
• Restrict access to system information and operations. Collect only information needed to effectively carry out a transaction. Assign every person who uses a computer in the system a unique and confidential identification name or number. Protect cardholder data physically as well as electronically. Use document shredders, avoid unnecessary paper document duplication and lock dumpsters to discourage criminals from rummaging through trash.
• Monitor networks to ensure that all security measures function properly and are up-to-date. Scan all exchanged data, applications, random-access memory and storage media frequently.
• Define and follow a formal information security policy. Enforce with audits and penalties for non-compliance.