Cybersecurity expert: Hackers target humans, not machines

Oct. 17--Hackers don't target machines; they target humans as the easier route to gaining access to their target -- computer networks, on which they can find data and other valuable information, according to a Denver cybersecurity expert.

John Sileo, the opening speaker Monday at the National Cybersecurity Center's Cyber Symposium, spent an hour telling about 300 cybersecurity and information technology professionals how to reduce the chances of their organizations being hacked. He also showed how easy it was to get a member of the audience to give up enough information to access their iPhone and how he was able to handle more than 20 devices left unattended at breakfast before his speech.

Sileo said two-thirds of the 347 million people affected by data breaches in the past few years at Equifax, Facebook and Target took no action to protect themselves or their data, such as changing passwords to their accounts or modifying their online habits to avoid being hacked. He said some sort of personal information is available for sale on about 90 percent of all Americans as a result of data breaches.

"We are so overwhelmed with what we have to do, we don't protect what is most important. Hackers are going after the part of our brain that is on auto-response. The first defense is to be skeptical," Sileo said. "Criminals tend to hack humans first, and businesses tend to fund the training of humans last. The Target breach was due to failing to train the humans" on the basics of cybersecurity.

Sileo learned about cybersecurity the hard way. He was facing arrest and prosecution and his software company, which he had built from his parents' electronic repair business, was destroyed by cybercrime committed by his best friend and business partner. He had to spend more than two years fighting the false charges.

He compared technology to the character in the movie "The Princess Bride" that has a good and evil side -- Westley being good and the Dread Pirate Roberts being evil. He noted that Ross William Ulbricht, operator of the dark web marketplace Silk Road that Sileo described as the "Amazon of the dark web," used the alias Dread Pirate Roberts.

"We have been highly incentivized to want new technology and ignore the risk of sharing our data. Can we enjoy technology without obsessing over the risk" of using it? Sileo said. "The key to cybersecurity is to respect both faces of technology and align what you do on offense with data with your defense. The issue is assuming that the problem is always someone else's."

Sileo said he has learned that knowledge isn't enough to fight cybersecurity attacks.

"We will change our behavior when we begin to understand the threat and take it personally," he said. "It is our responsibility in business to proactively protect what we value most and protect it as your own. Otherwise, we will continue to be hacked and threatened. The problem is we are so overwhelmed by what we have to do, we don't protect what is most important."

Businesses must train employees to develop cybersecurity reflexes, so they instinctively react correctly when they are hit with a cyberattack.

Sileo also recommends that responsibility for security extend all the way to the boardroom; organizations spend 4 percent to 7 percent of an information technology budget on cybersecurity; security training reflect realistic targets; that user access be segmented to reduce exposure to attacks; risk and vulnerabilities be evaluated regularly; third-party vendors be vetted thoroughly; and organizations have a plan to respond to breaches.

The most common type of cyberattack is phishing, where the hacker sends an email asking the target to click on a website that downloads malware or a virus, Sileo said. The best defense, he said, is to hover your computer cursor over the link to show the real address to which the link is pointing and read it right to left -- the most relevant part of the address is the ending, such as ru for Russia. He said a breach of insurance giant Anthem was traced to the chief information officer clicking on a phishing email.

Whaling also is a popular cyberattack type in which a hacker targets the assistant of someone in a senior management role while the manager is traveling and cannot be reached. The hacker sends an email to the assistant asking for a wire transfer, which cost New York-based Ubiquiti Networks $39 million in such a scam.

Ransomware is a form of cyber blackmail in which a hack gains control of a company's critical data or files and holds it hostage for a ransom. Sileo said half of the victims pay the ransom.

Hotspot sniffing is a growing form of hacking in which a criminal sets up a free Wi-Fi hotspot to steal data from unsuspecting users that make a connection to the hotspot.

Strong passwords and password management software are a good defense for such scams, and blockchain technology represents a promising way to guard against cyberattacks, Sileo said.

"Resilience is our greatest security because everyone eventually will be a victim of this."

Contact Wayne Heilman: 636-0234 Facebook: www.facebook.com/ wayne.heilman Twitter: twitter.com/wayneheilman

___

(c)2018 The Gazette (Colorado Springs, Colo.)

Visit The Gazette (Colorado Springs, Colo.) at www.gazette.com

Distributed by Tribune Content Agency, LLC.