Why are we seeing so many major hacking attacks now?

Jim Boyles of IBM Security, interviewed in a “fireside chat” by WRAL TechWire Editor Rick Smith, had a one word answer at WRAL’s ““Hackers, Malware, Ransomware and You,” Executive Exchange on Tuesday.

Boyles, a specialist in security engineering, intrusion prevention, and data management who came to the Triangle from Michigan for the event, replied : “Money.”

Continuing, he said, “At the root of it is always money. Someone wants to take a valuable commodity.”

Another part of the problem, he said, “Is that people like what’s easy.” So we use Amazon’s one click button and trust the company to keep our data safe. We all carry cell phones and trust those devices to keep our data secure somewhere.

Why are we seeing so many state sponsored attacks now, Smith asked.

WTW Insider event coverage:

  • What’s missing from your cyber defenses? Experts discuss how to counter attacks.
  • Where can companies find cybersecurity talent? There’s a big shortage.

“State sponsors want to influence an election, it’s because that (candidate) affects trade agreements” and other economic and political factors. State sponsored attacks “Try to destabilize a country from an economic standpoint rather than a military one.”

How can enterprises protect themselves?

“First,” suggested Boyles, “identify where you data is. How do you make sure your information stays where you want it to be? Security people need to secure the entire chain, from the end point device to the request to authenticate who’s there.”

Will growing frustration with the lack of security on the Internet lead some people or companies to turn away from the ecommerce and the net?

Boyles said he’s skeptical that many will take that route. “Some small percentage might become data-preppers and go dark.” But as an analogy, he said, “We can’t carry-on without gasoline in our economy, regardless of how expensive it gets, we have to make use of it. Our data lives are similar.”

Multiple layers of security needed

Our devices do have vulnerabilities. “Our phones will tell anyone who asks where you are and we probably need greater regulation around who keeps those records and for how long,” Boyles said.

But despite the vulnerability of our devices, he returned to his theme that we like what’s easy.

“We still want to hit Google and find out who that character in Game of Thrones is.”

Will more organizations turn to virtual private networks (VPNs) and leave the public Internet?

“VPNs are only one mechanism and going to a completely private network reduces your ability to do commerce,” Boyles said.

Instead of VPNs alone, he said, “You always want to have multiple layers (of protection). It’s like a medieval castle. There are walls, towers, a moat, and interior walls.

Are passwords going away?

He also advised, “Make security easy and invisible. IBM and other companies need to come up with security systems that people don’t require a highly complex password.

He touted IBM’s Blockchain, the open ledger system that guarantees the immutability of information that guarantees the same information goes from the source to the destination.

Are passwords going to be a thing of the past?

“Passwords need to be so long and complex that people don’t remember them. Nobody likes going through that whole password reset.” Instead, we should be using multi-factor identity capabilities such as IBM’s Verify product which uses a fingerprint ID to verify a user’s identity.

Facial recognition has vulnerabilities that make it an unreliable security upgrade today, Boyles said. But even biometric IDs, retina scans, the palm of your hand, should not be used alone, he said.

“You don’t put a single deadbolt on your door and have cardboard walls.”

The security battle is a constant effort to stay slightly ahead of the bad guys, he added. “Every time someone builds a better wall, someone else finds a way around it.”

Companies do need to be more proactive about protecting data, he said. Hacking incidents damage a brand, affect stock price, and can destroy a business. “If I get bitten by a company that loses my information, I’ll stop doing business with them. So they need to do everything they can to make my information safe.”

Action items

Asked for three action items on security, Boyles suggested:

  • Identify where your crown jewels are and the risk of losing them.
  • Ask who has access to that information internally and externally.
  • Keep all your patches up to date.