Malicious hackers have plagued corporations and government organizations around the globe for over a decade now, and the constant race between hacking victims and hackers to be the most technologically sophisticated seems never-ending.
Just recently, Yahoo announced its investigation of a hacking incident linked to the highly mediatized “mega-breaches” that took place at MySpace and LinkedIn. Enormously politically influential hacks recently took place in the United States, where the Democratic National Committee and DCCC admitted to having their servers intruded. The DNC hack yielded the leak of nearly 20,000 emails, many of which were embarrassing to DNC staff and party leaders.
According to researcher Troy Hunt, a total of 1.3 billion online accounts have been breached in just the past few months. Rick Holland, head of strategy at security company Digital Shadows, says that the actual amount of breached accounts probably numbers much more.
“Initially, they won’t be putting the data on the public market,” explains Holland, whose security company monitors underground markets and the message boards that allow for illegal trading to take place. “Instead, they will talk to a few select people in off-the-market chat sessions.”
According to Holland, by the time a public sale comes around, the batch of stolen login name sand passwords has generally already been sold many times before.
Different kinds of data go for different prices. One hacker allegedly sought around $100,000 for 655,000 records taken from three US healthcare supplies. The Yahoo data dump, however, has been going for under a couple grand. That said, Holland assures that the data yielded from the Yahoo hack could still make it relatively easy for cybercriminals to find victims for their ransomware campaigns.
So why are corporations, especially those that are among the most well-funded in the world, always losing to hackers when it comes to cyber security wars? According to Holland, it’s still difficult for even major companies to set up defenses that will keep data from being stolen.
“We are not seeing any rapid move to biometrics,” Holland explains. “And two-factor authentication systems are not easy to set up and deploy at a large scale.
Security consultant at Mandiant Marshal Heilman adds that breaches, whether small- or large-scale, rarely actually yield a change in large companies’ day-to-day security strategies:
“It’s just business as usual for a lot of them,” he admits. He went on to say that most of the data stolen in mega-breaches only makes it possible for cyber criminals to gain access to a network. Then they have to navigate the system looking for profitable data.
“Companies should look at the core parts of their business,” diagnosed Heilman. “Anything else going missing is not the end of the world… I don’t think it’s ever fair to say that it is a company’s fault that it got breached… We build companies to do business, and security comes along after that.”
Unfortunately, the worst cyber vulnerabilities tend to lay at the level of human error:
“That is the mushy human layer, and most technologists have decided that users are stupid and they cannot patch stupid,” explained Stu Sjouwerman, founder of KnowBe4, a training program that helps educate employees about how to avoid being taken in by hackers’ fraudulent schemes.