When it comes to cyberspying and computer hacking, it might seem like only large companies and government agencies are at risk of attack.
But as cybersecurity pro Chris Coleman sees it, small companies and everyday people should be worried, too.
Coleman is president and CEO of Lookingglass Cyber Solutions, a software firm with offices in Arlington, Va., and Baltimore.
Cybercriminals regularly go after big players in banking, government and telecommunications, but they also attack small service companies and individuals, who can serve as back-door entrances to their ultimate targets, Coleman said.
Coleman recommends everyone read email with suspicion to avoid viruses that give attackers access to bank accounts and other personal data.
Cybercrime and espionage cause up to $100 billion in annual losses nationwide, according to a new report from the Center for Strategic and International Studies, and computer-security firm McAfee.
Protecting companies and governments from attack is a lucrative industry. Cybersecurity spending for critical infrastructure, including energy, health care and water and waste management, is expected to reach $46 billion globally by the end of the year, according to ABI Research.
Coleman will be in Las Vegas this week for the annual Black Hat USA security conference, which runs Saturday through Aug. 1 at Caesars Palace.
What are the top cybersecurity concerns for companies and government agencies?
First, there’s brand — the ability to steal information and affect someone’s brand name.
Second, intellectual property theft.
Third, damaging operations, whether it’s financial or, for governments, harming the economy. If I can take down a system that a company uses to make money for a number of hours, that can impact their bottom line.
We’re also seeing cyberthreats move into the physical world. We are a highly network-dependent society — new buildings all have smart infrastructure connected to a network to control heating and cooling systems, for instance. There has been a huge increase in interest by nation states, hacktivists and cyberterrorists to be able to impact that.
Are these things small companies need to worry about? Or do they affect only large operations?
A small company should be concerned for a few reasons.
Often, they’re soft targets. Maybe I’m trying to get into a large company, and it’s too hard. But, they’re doing business with a small company, so people try to get through that way.
We have seen a large uptick in breaches at law firms. A malicious attacker can use a small company’s resources to target other people with denial of service attacks. That’s when you overwhelm a website with so much traffic that the site crashes.
What are some unique cybersecurity concerns for Las Vegas companies?
Las Vegas is highly based on tourism, and everything has to be run effectively and efficiently. Energy is a major part of that. If I have the ability to affect the power grid or the casinos’ ability to secure quality of life within the casinos, I can potentially wreak major havoc.
Las Vegas is very high tech, and its security systems are probably all networked. The ability to interfere with the casinos and affect the region’s financial health is a real and present danger.
Have any cyberthreats been eliminated over the years?
Throughout the past 15 years, there have been various cyberthreats. For example, the computer worm SQL slammer appeared in January 2003, and another bug, Conficker, surfaced in November 2008. They made a splash because of the rapid degree they spread.
People think we have those under control, but today, Lookingglass still sees those kinds of worms. While they may no longer be on the front page of the news, we track 1.6 million Conficker-infected hosts per day. The virus or worm is no longer active, but these machines are still infected.
What do average people need to do to protect themselves?
Whether you’re receiving emails or doing something else on the Internet, you have to operate with common sense and have suspicion about every email you receive. Phishing is a major way viruses are spread. You get an email from someone you know asking you to click on a large, ugly link.
People need to update their software regularly to protect themselves from being exploited.
What new methods are hackers using to get into people’s bank accounts?
They’re traditionally based around phishing, and they’re very sophisticated. They can go after mobile phones and mobile banking.
They’re taking very small amounts of their profits and investing in new exploits at a lightning pace.
We were approached by a security researcher who had a list of European banks’ database systems that he was able to exploit. He didn’t hack them himself but knows they’re vulnerable to hacking. He had data that we could have used to help banks with their cybersecurity, and he wanted us to pay him 30,000 euros for it. We weren’t interested, but it was real information.
Selling exploits is a thriving black market. There is a whole underground for it.
There has been a lot of news about hackers from China and suggestions that the Chinese government is behind many cyberattacks.
It comes from other countries, too, and being able to attribute it back directly to a government is extremely difficult, even if you can pinpoint the country of origin.
But China is obviously a very noisy participant. This new term of ‘cyberwarfare’ is very real. Those types of things are happening daily, and it’s for economic prosperity and espionage.
Do people take cyberthreats seriously enough?
I think we waited too long to take it seriously. But it's on the minds of CEOs of large global enterprises as one of their top concerns about running their companies.
How much do companies spend each year on cybersecurity?
Depending on the business sector, it is increasing.
Some of our financial industry customers are looking to double their staffs and spending for cybersecurity. And large global companies are already spending $10 million to $30 million a year on this.