There are no hackers, only spies, says Eric O’Neill, former FBI counterterrorism and counterintelligence operative.
O’Neill shared “cloak and dagger” stories about taking down the notorious spy Robert Hanssen at a recent event. Hanssen spied for the Russians, the Soviets and then the Russians again, from 1979 to 2001 – right from the offices of the FBI. He was ultimately caught while making a drop in a park at night and is serving fifteen consecutive life sentences at a supermax prison.
Hanssen Was The First Hacker
According to O’Neill, Hanssen stole information by exploiting the failures of computer systems. He was able to access and steal data throughout the Bureau without the FBI noticing. He was even one of the first spies to share information by using data disks. When he made his first drops to the Russians, he would drop five and a quarter floppy disks. The Russians initially tried to play them on a record player and scratched their heads because they wouldn’t make music. Over time, the packages got smaller as he moved to three and a half floppy disks and finally thumb drives.
Dispelling The Myth Of The Hacker
Hollywood is responsible for the perception that hackers are overweight guys, sitting in a dark basement, hammering away at a computer. You hear tap, tap, tap. Suddenly there is a eureka moment. The hacker hammers the enter key and says, “We’re in”. O’Neill is trying to dispel that myth. Hackers are not typically using brute force methods. Rather than hacking computers, they’re trying to hack people to find easy ways to access data. Hacking is the evolution of espionage. Now that we store data in computers instead of on paper, spies and their modern-day equivalent, hackers, have had to become more sophisticated in how they steal information.
The Trusted Insider
As in the case of Robert Hanssen, the most wicked, nefarious hackers are trusted insiders who steal information and are responsible for data breaches. They are the hardest to identify and catch. Instead of worrying about a specific endpoint like a laptop, phone or thumb drive, you need to worry about a person. Like Robert Hanssen at the FBI, this person is sitting in your company behind your firewall, with access to your proprietary information. They can be very hard to detect. If you don’t have a plan to catch them, and if you don’t know where your information is and what you’re trying to protect, sometimes you don’t even know that it’s gone.
O’Neill says that in the past, you had to worry about your competitor up the street trying to steal your information. Now you have to worry about state-sponsored, militarized hacking crews, sitting in warehouses with stealthy advanced persistent threats. They are just waiting for someone to make a mistake so they may pass through your firewall. It’s very hard to protect against. Some of the biggest hacks have come out of China. State-sponsored hackers want to steal technology, information, and more recently, identities. Identities have value and can be sold on the internet.
“Hacktivists” Is The New Buzzword
Hacktivists break into computer systems for political or socially motivated purposes. One example is Anonymous, which according to O’Neill “is both good guys and bad guys” because they take down ISIS websites. WikiLeaks is another hacktivist that publishes companies’ proprietary information so competitors can legally learn from it. And then there’s the Impact Team, which attacked Ashley Madison, a dating site for married people. Impact Team gained access, probably through a trusted insider, and stole the names of all the people who registered. Impact Team threatened to publish these names and email addresses unless the site was shut down. The firm refused and the information was published for everyone to see.
Worry About Social Media
Social media can really trip you up, O’Neill warned. Hackers can “recruit” employees by learning enough about them from posts and tweets to craft authentic-looking phishing emails to gain access to personal accounts or to enterprise passwords. The recent Anthem breach is an example of how social media can be used against a firm. Anthem had good cyber controls in place and prohibited their system administrators from listing their current job function on social media to help protect them from cyberattacks. However, government-sponsored hackers used LinkedIn to search for everyone who worked at Anthem. Hackers then methodically searched for anyone who had worked as a system administrator at a prior firm. Hackers then sent phishing emails to all those people. A few system administrators at Anthem clicked on links and the hackers quickly gained access to millions of consumers’ personal information, including names, birth dates, addresses, email addresses, employment information and Social Security/member identification numbers.
3 Tips To Prepare For Breaches
How can firms prepare for the breaches that are going to happen? O’Neill offered three tips:
- Compartmentalize sensitive, important information. Understand where the data is and all the points where it can be accessed. Build circles around your core information to protect the data and limit access. Audit and monitor access to the data from within and outside the firm.
- Be diligent. Actively find out whether, and from where, information is being accessed. Understand which endpoints are being accessed at what time. Whitelist applications for your firm. Watch for employees who connect their personal laptops to the network. Their personal laptops may be loaded with gaming software that may provide access to communities, voice and chat right across your network.
- Beware of social media. Teach your employees to be careful what they post and which links they click on. Put protections in place to protect users from themselves.

O’Neill concluded, “It’s as though we all live in a massive reality show and we don’t see the cameras. But those cameras are there, they’re recording, and that stuff lasts forever. And who knows, someone might go through it in the future”.
This article was written by Joanna Belbey from Forbes and was legally licensed through the NewsCred publisher network.