Most data thefts could be stopped, says cyber investigator

It often seems as if organizations are helpless against cyber attacks — after all, even veteran experts admit that a determined intruder can’t be prevented from breaching the network.

But a security consultant maintains that the spread of many notorious breaches could have been stopped if security teams had paid attention to clear warnings of an intrusion.

“That is a recurring theme of almost every large breach I’ve worked,” Timothy Ryan, a former FBI cyber investigator and current managing director of security at Kroll Inc., told the Capacity North America telecom conference Thursday in Toronto. “It’s not that it was malware that couldn’t be detected. It’s that somebody inside the organization knew what was going on and it never escalated.”

He gave as an example an unnamed multinational company in the Middle East that “virtually printed money for a living” and spent a lot on IT security. One of its subsidiaries detected and stopped an intruder, then warned the parent company — which apparently did nothing to prepare for the possibility of another attack there.

When Ryan did the subsequent investigation, the CSO told him he only realized there was a problem “when all the screens in our network operations centre started to flicker and go offline.” The attacker had found a way in and wiped almost all the company’s data.

It sounds like last year’s attack on Sony, but Ryan said this was years before. He said it was also similar to the attack on Target stores, where the FireEye detection system warned of malware on the company network, and to the one on the U.S.-based Wyndham Worldwide hotel chain in 2008-2009.

Ryan predicts that data and network destruction will increasingly be the strategies of attackers, some of whom will demand a ransom before data is wiped while others will merely flip the switch. “We will all be reminiscing about the sweet old days when people were just stealing credit cards,” he told the audience of carriers from Canada and the U.S. “Your networks provide a war-fighting capability, and when those networks go down it degrades the capabilities of the country that you operate in.”

That’s why, he said, carriers and Internet operators face unique threats. As infrastructure providers they not only have to watch for attackers wanting sensitive data, they also have to detect attackers who want to crash their networks.

The problem, he said, is IT teams face too many alerts from systems and don’t know how to prioritize them. What CISOs have to do, Ryan said, is have a “succinct” incident response plan that defines a security incident and how it gets escalated.

An incident, he added, isn’t “any time there’s a technical problem that cannot be readily explained.” In fact, he added, your organization is most likely to be warned of an intrusion in one of three ways: from an outsider (law enforcement, the media or a partner); from your security infrastructure alarms; or from a user who has been locked out or had email bounced back. CISOs need a response plan for each. “Any emergency response plan that categorizes every bad incident that could happen at your company is a waste of time.”

He also touted the merits of new endpoint threat monitoring/detection tools — such as CrowdStrike or Carbon Black — which capture process and network connection information for every host. That can reduce the amount of forensics that has to be done after an attack, he said.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com