Here we go again. Another data breach. This time it is Anthem Inc. (Blue Cross / Blue Shield): eighty million affected people, if the information is valid. Major OUCH! So far, over the last year or so, we’ve seen Home Depot, Kmart, Target, Sony, and others “enjoy” their fame in this ever-growing “club.” Based on what I know so far, I’ve been impacted by the Anthem breach and the Home Depot breach.

These breaches are scary things that most people don’t fully understand. Best case, their email address was exposed. This will bring even more spam. Yay. Worst case, their personally identifiable information (PII, in industry terms) is now in the hands of people who would like to sell it to other people. Selling your name, birth date, home address, and social security number is very lucrative, I’ve read. Suddenly, there are two of you in the world. One of you is living a responsible, crime-free life. The other is doing who knows what, opening credit accounts who knows where, and keeping the ill-gotten gains. See, scary.

I’ve worked with many facets of security throughout my technology career, most recently more formally as part of a Certified Information Systems Security Professional (CISSP) certification program. At the risk of sounding like my dearly departed grandfather, there was a time when “security” meant little more than a user name and some password. Any password. Preferably one that wasn’t obvious…like “password”. Once one had that, it was a game, really, just to log in to a system and poke around to see what you could get. Sure, some of the more wicked people would log in to a bank’s back-end systems and try to move money around. But, for the most part, hackers of those days were more interested in bragging rights, not actually causing harm. Not that I ever did this, mind you. 🙂

With the growth of technology, however, complexity has grown exponentially. Now, simply visiting the wrong website (or clicking on a seemingly harmless link in an email message) can install a program (malware) on a computer. Yep. Open a website, have a new (hidden) program installed on your computer. Gratis. Unfortunately, this isn’t a program most people want, and it arrives with no prompt for a password and no interaction from the individual “behind the wheel” of the computer (a “drive-by download,” in industry terms).

So what?!

That’s exactly what most people would say. If it isn’t harming their computer, chewing up their data, or keeping them from getting their work done, it’s not a blip on their radar. For people who are not familiar with data security, that seems like a rational thought. It’s akin to the “if it ain’t broke, don’t fix it” view.

Unfortunately, this kind of attack on a computer (and let’s be clear, it is an attack) is the worst kind: the kind you don’t notice. The best way to convey the harm is to compare it to something that many people understand. Think of having a cold. You ignore the cold for a good bit of time. Suddenly, your “cold” has escalated into a fever, lots of coughing, and cold sweats. It seems your cold managed to morph itself into a severe respiratory infection. Now, you have to take a bunch of antibiotics and enjoy a few sick days out of the office. Oops.

What are they?

These hidden gems (viruses, or more precisely malware) generally lurk in the background of an infected computer, working silently. (Just like that cold that brought more fun!) Malware can be crafted to do many things, but the most common types do one or more of the following:

  • Log all keyboard activity (a keystroke logger, or “keylogger”). The keystrokes, along with the application that was active at the time, are packaged up and sent to remote servers located throughout the world. The purpose of this type of program is to capture login information (user name, password, and the system on which they’re used) so it can be used later for more nefarious purposes. That banking site you just logged in to? Well, with this beauty running behind the scenes, the banking website address, your user name, and your password have just been gifted to some hacker located in, say, Russia. Note that the collection server(s) need not reside in Russia. The hackers have a bit more intelligence than to lead the authorities to their front doors. They generally put a very complicated path between themselves and their servers, hiding their tracks appropriately. In fact, sometimes they even use one of the infected computers as the drop site.
  • Transfer information to servers outside of your environment (data exfiltration). This was once a pretty rare type. But, as the art and science of hacking has matured, so have the expectations and goals of those who hack. This type of malware, like the keylogger, sits silently in the background. But it isn’t, by any means, idle. Instead, it is busy going through all of the files to which the computer has access. If it finds a file it thinks is useful (a document, a database, etc.), it transfers that file to servers around the world. So, that database of customers on your computer, or on your company’s file server, is copied to a destination outside of your company. This concept appears to be more and more popular these days. Unlike the old days, it doesn’t require ongoing interaction from a hacker. Once the seed is planted, it grows and does its own thing. It’s very efficient.
  • Payload distribution. This type starts as a loner. Once it has infected a system, it constantly “phones home” to a server the attacker controls for updates. There are many reasons why the author(s) would want to update it, but the most common reason is to give it further instructions on what to do next. Nine times out of ten, the first cycle will find ways to infect other computers in the organization. It does this using many methods, all of which make use of one or more exploits (code that takes advantage of bugs, or defects, in the software on the target computers). Over time, the infection that found its way onto one system in a company can replicate itself across hundreds of computers. The subsequent cycles vary, but almost always include the activities noted in the prior two examples. And, throughout all of this, the malware is still phoning home, often to update itself so that it becomes harder to detect.
  • More “traditional” viral activity has focused on damaging workstations. One can debate the mentality of someone who writes a piece of software with the sole intention of wiping out someone’s data, but early viruses of this type did exactly that. They would “infect” a disk and do one of a number of things: randomly wipe files, hide documents, or trash the whole disk. Of course, they also found ways to infect other disks (yes, this was in the day of floppy disks), so that they had transportation to their next unsuspecting victim. As the world began to embrace technology more widely, this class of virus began to have a bit more thought applied to the actual target(s). Instead of randomly impacting computers, viruses are launched against organizations with which the authors have a bone to pick. Peeved at XYZ company because they laid your dad off? What better way to get even than to launch a virus behind their doors? A sick twist on a Robin Hood scenario.
  • Relatively new over the past few years is a type of malware referred to as “ransomware.” As the name implies, it has one purpose: extortion, and generally the gain is financial. The malware encrypts targeted documents (word processing files, spreadsheets, etc.), scrambling them so they cannot be read without a decryption key that only the attacker holds, and then solicits the victim for cold, hard cash. When people try to open a document, they get a message that the file is encrypted and that they must pay $X to get it back. Paying may or may not produce a working key; the only reliable recovery is a recent backup kept somewhere the malware could not reach. A variant of this method demands something that isn’t of monetary value but has some other value to the hacker. They might, for example, demand that an organization publish an apology for something they think the organization did wrong.

These are not the only types; there are many others. Another favorite creates a “bot” network (botnet) whose sole purpose is to wreak havoc on websites. The goal is to “wake” the bots and have them flood targeted websites with requests, a distributed denial of service (DDoS) attack. (I like to think of this as the equivalent of going to my relatives’ on Thanksgiving: multiple people talking about six different things at the same time. Pandemonium.) When the bots are summoned, they send these requests to a website selected by the hacker(s) who planted the bot malware on the computers. Suddenly, there are thousands, or tens of thousands, of bots sending requests to a single website. The website cannot keep up with the requests and ultimately succumbs, rendering it unusable for any legitimate requests.

As of this writing, there have been an estimated 333 healthcare data breaches in the last year. Think of that. That means 333 opportunities for people to access the private health data of the general public. That’s you and me, folks. Combine this with the other pieces of sensitive information now in the hands of people who shouldn’t have access, and the severity of the problem becomes a lot more apparent.

The irony behind the latest batch of data breaches (note that the Anthem breach is too new to have any forensic information disseminated) is that they have very innocent beginnings. Generally, they started just as noted earlier in this entry: an unsuspecting computer user clicking a seemingly innocent link, or opening an email message that contained a similarly innocent-looking link. Another common method is email messages that carry attachments that look legitimate.

Technology is my career. And over the years, I have learned a thing or two. But the sophistication of the methods used to dupe someone into opening that link or file is advancing every day. At least once a week, I get an email that looks like it is from a friend or colleague. Then I see a link or file, and I wonder why that friend or colleague is sending me a link or file. So, I employ methods that I’ve learned over the years to validate that the link or file isn’t malicious. Nine times out of ten, they are malicious. The file (invoice.pdf) or link (http://skskfjj.ly) looked innocent enough. But the trouble lurking behind both was more than one would suspect. For those who do not work extensively with technology, such messages probably found their “mark.”

The best advice any technologist can give to those who do not work with technology: if you think something is wrong, it probably is. Check with someone who can help you understand the risk. Keep your anti-virus/anti-malware tool updated (Symantec/Norton, Trend, etc.). Although these tools are not 100% foolproof, they’re better than nothing.

A bit of personal advice: keep a separate free email account for anyone outside of your inner circle, and reserve your main address for the people in it. If someone isn’t a trusted friend or colleague, give them the secondary address, which is used only for that purpose, and automatically treat anything received at that address as suspect. I actually take this a step further. I have a third email address that is specific to financial institutions. It isn’t an easily guessed address, so the Spam (junk) mail is minimal. Though this advice is not a guarantee that you won’t get fake email messages with bad links or files, it helps. The side benefit is that the “inner circle” email address will likely have very little Spam.

Oh, and if an email isn’t addressed directly to you (look at that TO: field!), it’s probably junk. (Distribution lists at work are the exception. Or not.)
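As an added illustration (not part of the original post, and not a tool the author describes), here is a small Python script that applies the rules of thumb above to a raw email message: is my address actually in the TO: field, where do the links point (a URL shortener hides the real destination, and an unfamiliar host deserves a look), and does the message carry an attachment I should confirm with the sender before opening. The two sample messages, the shortener list, the trusted-host list, the executable-extension list, and the address me@example.com are all constructed for this example.

```python
"""Triage an incoming email with the rules of thumb from this post.

Added example; the sample messages, address lists and extension list below
are constructed for illustration and are not from the original post.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption: a few well-known URL shorteners (the real list is much longer).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}
# Assumption: hosts the reader already trusts; anything else needs a look.
TRUSTED_HOSTS = {"example.com", "www.example.com"}
# Assumption: file types that run code when double-clicked on a typical desktop.
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "jar", "hta"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def not_addressed_to_me(msg, my_address):
    """The post's 'look at that TO: field' rule: my address is absent from To:."""
    return my_address.lower() not in str(msg.get("To", "")).lower()


def suspicious_links(msg):
    """Return (url, reason) for links whose destination a reader cannot judge."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append((url, "URL shortener hides the real destination"))
        elif host not in TRUSTED_HOSTS:
            findings.append((url, "host %r is not on the trusted list" % host))
    return findings


def risky_attachments(msg):
    """Return (filename, reason) for attachments that deserve a second look."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]          # "invoice.pdf.exe" -> ["pdf", "exe"]
        if exts and exts[-1] in EXECUTABLE_EXTS:
            findings.append((name, "attachment is executable"))
        elif len(exts) > 1:
            findings.append((name, "double extension disguises the real type"))
        else:
            findings.append((name, "unexpected attachment; confirm with the sender"))
    return findings


def triage(raw_message, my_address):
    """Apply all three checks and return a report with an overall verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = {
        "not_addressed_to_me": not_addressed_to_me(msg, my_address),
        "links": suspicious_links(msg),
        "attachments": risky_attachments(msg),
    }
    flagged = report["not_addressed_to_me"] or report["links"] or report["attachments"]
    report["verdict"] = "hold for review" if flagged else "ok"
    return report


# Constructed sample: looks like the 'invoice' mail the post describes.
SUSPECT_MESSAGE = """\
From: "A Colleague" <colleague@example.net>
To: undisclosed-recipients:;
Subject: Invoice for last month
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Hi, the invoice is attached. Details here: http://skskfjj.ly/inv

--sep
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--sep--
"""

# Constructed sample: a plain note sent directly to me with a trusted link.
CLEAN_MESSAGE = """\
From: "A Friend" <friend@example.com>
To: Me <me@example.com>
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

Menu is at https://www.example.com/menu - see you at noon.
"""

if __name__ == "__main__":
    for raw in (SUSPECT_MESSAGE, CLEAN_MESSAGE):
        print(triage(raw, "me@example.com"))
```

The script only reads headers and text; it never opens the attachment or follows the link, which is the point: the decision to hold a message for a second pair of eyes is made before anything risky happens. Run it against a message saved as .eml to see which of the three rules tripped.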