Equal Opportunity Attackers in Cybersecurity

Cybercrime is up by over 400% since the start of the pandemic, and we are witnessing an unprecedented level of hacking, with numerous US Federal agencies and major IT cybersecurity companies falling victim to state-sponsored infiltration of their networks.


I spoke with Alexander Grijalva, a cybersecurity specialist. Mr. Grijalva is an adjunct professor at the New York City College of Technology and owner of Security Hourglass, a cyber risk management consulting company. He is also the Chief Information Security Officer at VillageCare, a community healthcare provider in New York City. His 30-year cybersecurity career has covered the financial, retail, and healthcare sectors, from sole proprietorships to Fortune 500 organizations. He focuses on cyber risk management and incident response, helping individuals and organizations understand and remediate their cyber threats and risks and respond to hacking incidents and breaches. He has presented at industry conferences in the United States. Aside from his college professorship, he also teaches a HIPAA privacy and security course at Columbia University in their Health IT certificate program.

We spoke about common lines of cybersecurity attack, why small and medium-sized businesses should take precautions, and what they can do to protect themselves.

This interview is an excerpt of a longer podcast that you can find at Riding the Wave: Project Management for Emergency Managers.


Andrew Boyarsky

Our primary target market is small and medium-sized businesses, organizations, even municipalities and county governments. Why should they be concerned about cybersecurity?

Alexander Grijalva

When it comes to cybercrime, it's probably the most equitable environment, meaning that there's no target too small. We're all targets of opportunity. In fact, the FBI just last week announced that cybercrime had gone up by 400% during the pandemic. We're all targets of opportunity by the very fact that we're all so interconnected. Attackers can just be on a network and look for victims because it's no cost to them.

To your point, what you hear a lot in the news is the big ticket items, the Equifax and stuff. But in fact, the small businesses and medium businesses are a big target because they're easy to get to. The cybercriminals really profit by volume and not so much by the big bank heist. Those make the news. They're more notable and you see them make a big splash. But, for people like myself that pay attention, that look at the statistics and try to identify weak spots, we see that it's really small and medium-sized businesses that are targeted because they're easy to get to. You can get something quick from them, or they offer you an opportunity to get to bigger fish, because we're all so interconnected, from small suppliers, educators, what have you. We don't function in a vacuum. We're all in touch with other people, and what they look for is to get into our networked relationships and then branch out to find suitable targets for cybercrime.

Andrew Boyarsky

When the retail company Target was hit by a cyber attack a number of years ago, it was through an HVAC company that had access to their WiFi network, and the attackers were able to hack through it to get into their systems. Is that correct?

Alexander Grijalva

Yeah, it was a supplier, a very small business with a computer that was using free antivirus software, which means that it wasn't actively looking for cyber attacks. Their computer was connected to a server at Target that was supposed to be a low-key connection, just to submit invoices or what have you. But from there, once they went through the supplier to that server, that server actually had access to the rest of the Target computer network, including customer data.

Andrew Boyarsky

Was that common among large retailers, to provide that type of access to their outside contractors?

Alexander Grijalva

Not uncommon, in fact. Back in the day, I actually worked for an electronic data interchange company, and our job was to get small suppliers into the supply chain. So we would work with Walmart and automobile companies, target their small suppliers, and get them into the logistical network through the company's internet connection.

These small companies really had few transactions, other than to put in their orders with their larger clients, but they were connected to the broader network, the Walmart network or GM's. So that's just reflective of the fact that, even when you see a big company, it's still the smaller ones who can make the larger ones vulnerable to cyber risks.

Anthem, the big insurance breach that happened about five years ago, also happened through a small, third-party supplier of theirs. It wasn't that they themselves were the target; it was a third party, a small vendor that they did business with. It was that route into the Anthem network that caused the bigger data breach that affected tens of thousands of people.

Andrew Boyarsky

So what are the primary areas of vulnerability that hackers try to penetrate?

Alexander Grijalva

First and foremost it is still email, because despite the development of chat, from instant messenger systems to Skype, the primary form of communication remains email. For cybercriminals, the easiest thing is to send emails out, and it's easy enough to identify people's email addresses. You could buy them in bulk from marketing resellers, and that's really where, on average, about 60% of the world's attacks come through: email. For small to medium-sized businesses, the rate is slightly higher, because they're not doing so many conference calls and stuff. Most of their transactions are being done through email.

We often think of spam that comes in your mailbox as just junk mail, but we also get a lot of phishing emails that are trying to get you to fall for certain scams. Now, the most famous back in the day that you may remember is the "Nigerian Prince" scam. And the thing is that even those emails that had poor English would be so obvious to people, who'd say, "Wow, this is such a lie. How are there people who would lose tens of thousands of dollars falling for those scams?"

Now, scammers have evolved from that, in that their phishing emails are now two sentences, with perfect English. They don't put any malicious content in the emails, in order not to trigger any sort of anti-malware software or Google's or Yahoo's email filters. Just straight English saying, "Hey, I have something here for you. Can you just please click on this link or provide these details?"

And often these phishing emails have already collected some information about us through what we call open-source intelligence. They'll collect some information from your LinkedIn profile, or on Facebook, and tailor the message enough to make it seem like they know you, to make you feel more comfortable revealing information, which is why it's so successful. Despite how sophisticated a lot of our email security technologies are, they can still bypass them. It has remained a big issue around the world for at least the last 10-15 years. Despite the evolution of security technologies like artificial intelligence, machine learning, more investments in infrastructure, it's still a very successful means of getting through because people still fall for it.

Andrew Boyarsky

So you talked a little bit about the impact that this has, which, at the end of the day, these are criminals who are trying to get the money or trying to find a way to get to the larger company. What are the specific impacts? I mean, what are we looking at in terms of the cost around some of these things? What do companies risk losing if they are the victim of a hacking event?

Alexander Grijalva

For small businesses, you have cybercriminals who are really looking for high volume, really quick and dirty type of work that yields even just a few dollars, because they make their money off volume. This is where it gets to the point where people say, "Well, we really have nothing of value." That is just not true; we all have something of value. We just don't know at times what it is. And these folks are great at identifying that, because once they take something away from you is when you go, "Well, I really needed that and cannot lose it. That's valuable to our company."

The larger statistic is that small businesses lose billions of dollars a year to cyber attacks. But if we were to peel away those numbers and really look at the details, it can average anywhere from $100 to $10,000, depending upon who they hit. So for some people, especially when you're a smaller business, you're using your office computer also as your home computer, and you have vital company and customer data that you haven't backed up, suddenly someone says, "Hey, you don't have access to that anymore." People say, "And I have no backup. That's valuable to me. So now I'm coughing up thousands to hundreds of thousands of dollars."

It doesn't take much for the cybercriminal to do this kind of work. Everything is prepackaged, easy to set up. They'll send out thousands and thousands of emails, and they just have to grab a few people in order to make this profitable to them. Then people say, "Well, why don't we catch them and stuff?" Well, most of them are based overseas in countries where we don't have extradition treaties with the government, so they're in safe havens. And they can do this continuously, and they make money off it. Well, $1,000 to $2,000 a person is not a big deal, maybe, for a small company, but a cybercriminal is easily making $20,000 to $30,000 a month doing this kind of stuff. And again, what some companies, especially mid-sized companies, can lose in terms of what they have to pay, at least to unlock this stuff, can range in the tens of thousands to hundreds of thousands of dollars.

Cybercriminals vary, and there are thousands of them. Some of them are working in professional outfits, while some of them are just individuals. You don't know what you're going to get. Even if you say, "Well, I'm willing to cough up the money," you don't know that the person you're transacting with is actually going to honor that: you gave the money, so they're going to give you the means of unlocking that stuff, right? That has happened before, where people get burned in that process.

I think it's just important, whether small business or medium-sized enterprise, for any business to realize that we're all targets of opportunity. We're so busy trying to do business, live our lives, that sometimes we forget to do certain things that would be common sense, and that's what cybercriminals exploit. They exploit those gaps in our attention.

Andrew Boyarsky

So, given those vulnerabilities, potential impacts, and what the hackers are looking to accomplish, what measures can a small or medium-sized enterprise or organization take to protect themselves?

Alexander Grijalva

There are a few basic steps that are quite standard; they're not just promoted by industry professionals like myself, but also by government agencies like the FBI. And the cost is small to safeguard your company. That includes buying anti-malware software like Symantec or McAfee, really basic stuff, making sure that you're paying for a service and not just looking for a free service. The difference is that a free service doesn't do active monitoring. Often the free services try to entice you to pay for something extra. Forget about that and just pay the thirty or forty bucks for an annual subscription with a reputable vendor to protect your computers and your mobile devices.

The other thing is to stay on top of patching. Windows especially has a lot of vulnerabilities because 80% of the world uses a Windows machine as their home computer or work computer, so it's a big target. It's not that Apple iOS and Macs are more secure. It's that they have a smaller market. But actually, during the pandemic, there was a new study showing that, because of the larger remote workforce working from home, cybercriminals have been focusing more on identifying issues with Macs and Apple iOS systems. Every piece of software has a vulnerability, so people need to stay on top whenever there's an alert from Microsoft or from Apple saying there's a new software update. Install it, patch your system. Microsoft has what we call Patch Tuesdays. Almost every week now they're releasing patches to Windows, for Internet Explorer or even third-party software like Adobe Acrobat and Java.

The other important measure is around passwords. In a phishing email, the primary focus, aside from ransomware or trying to deliver something to lock your machine, is also to get access to things like your email account. If you fall for a phishing email and your email account is compromised, you may have not just communications but also data stored in it. I once knew a physician whose Gmail account was compromised, and she had all of her son's medical data in her Gmail account. She used it as a storage mechanism, so she had X-rays, she had all his medical history because he had a severe illness. All of that was stolen because her Gmail was compromised. So use strong passwords, and also use things like multi-factor authentication, which companies like Google, Yahoo and Microsoft offer for free. It's not even an additional service; it's free.

It protects you in the case that you do fall for a phishing email, in case you do provide your credentials to someone and you go, "Oh, my God, I gave them out, and this was not legitimate." Well, now they still need another way of getting into your account, right? It's an additional security layer. Look, I have fallen for phishing emails in the past, because in the middle of working your mind is focused on other stuff. You see an email, it looks somewhat legitimate. You're like, "What does this person want now?" You're scratching your head because, you know, the day is hectic, and suddenly you realize I just fell for something.

So I've been burned by not taking some of these precautions, so what I'm sharing is not so much a strict textbook approach, but also my own experience, having fallen for these attacks even as a security professional. I think that, you know, the other part of guarding your business and yourself is to ensure that you don't use the same password across all your accounts; your email password should not be the same as your bank, health insurance or mortgage account password.

People say, "Well, you know, I have too many accounts. I can't remember all these passwords. I'm going to use the same password for all of them." Well, then you only have to be hit once, and then everything is open, and you probably have emails indicating that you're a Chase customer, that you're a MetLife customer, and then the cybercriminals think, "Well, let's just try these credentials and see where we get in."

Even if you're not hit with ransomware and you're not coughing up money, the idea of having to change all your passwords, review your networks, etc., if something has been stolen is very time consuming. Hiring a forensics team can cost $100,000 or more to help you put all this stuff together and analyze what's going on, and time is money. Well, you know, cybercriminals understand that, which is why they know to come after the folks who really can't afford to lose time or lose access to resources, because they don't have a buffer to say, "Well, I can absorb these kinds of losses."

Andrew Boyarsky

For medium-sized companies, the stakes are higher. We're talking about businesses anywhere from 50 to 500 employees, anywhere from, let's say, a million or so up to fifty million or one hundred million in revenue, or maybe a little bit above that, but in that range. Stakes are higher because they may serve other companies much larger than them. There is the level of compliance and requirements that they have when they have vendor audits and things like that, and liability issues at play. So what are some of the measures that they need to put in place to ensure that? I mean, you talked about some of the basics in terms of password changing and admin controls and monitoring email and things of that sort, which I assume most companies are doing. Are there other areas that they need to focus on to ensure that they're taking adequate mitigation measures?

Alexander Grijalva

One thing that actually surprises me when I work with medium businesses, or what I often call mid-tier businesses, is that businesses of that size, with fifty to a hundred folks, still often operate with an IT department sized as if they were a very small organization. I have worked with a lot of mid-sized companies that still have their employees use Gmail accounts for business communications. Instead of having a business-class email platform, and we're talking maybe about a $6 per person per month subscription, they have their employees each use a personal Gmail account with their name and the name of the company @gmail.com. This puts their business at risk. If that person leaves, they still have access to all those emails, and they can still conduct themselves as a representative of the company.

I've seen companies that have ecommerce sites, really basic ecommerce sites that may do some sort of order processing or marketing, that don't use encryption. So when people log in, they put in their username and password, and it's all transmitted in clear text over the network. We're talking about a service that may cost about $15 a year to implement, still not being implemented across the board.

I think it's important for mid-sized businesses, especially those that have grown, that started off with five, ten or so employees and are now much more successful and larger, to also upgrade the systems that they use to conduct their business. The system security measures they can implement are relatively cheap, especially if you're an organization that needs to meet regulatory requirements. If you process credit cards, you have to comply with the credit card companies' data security standard, PCI DSS. New Jersey, New York, and Connecticut all have very strong privacy laws as well to secure credit card numbers, driver's license numbers, service numbers. More often than not, most businesses are trafficking confidential information that has some sort of regulatory requirement.

What can kill the organization is the less defined costs, which may come from the cost of hiring lawyers to answer agency requests or potential lawsuits. There have been a lot of lawsuits around data privacy and data security breaches. Some of them have turned into class action lawsuits. There are companies that have had to shut down because they cannot afford to do this anymore. They go out of business.

The fact of the matter is that it happens a lot, in terms of being targeted, having a compromise. You just don't know what the impact is going to be. That's one thing you can't truly measure. And it's really important for businesses to understand that some of the basic stuff is not that expensive. You don't have to do what a Fortune 500 does, spending, you know, half a million dollars a year on security software. Sometimes just doing the really basic stuff helps, because what cybercriminals are looking for is the easiest target.

If they see that you have basic layers in place, they'll move on to the next person. They'll go, "Alright, you know, I tried. I tried. Eh, you know what? There's someone else out there a lot easier. I'm not going to spend that money." Cybercriminals are business people. They have rates of return, they have key performance indicators. They do the math. They know how much time they want to spend on a target. So if they come across you and see, well, you know, they sent you a phishing email, and it turns out you have multi-factor on the email account: "Eh, I'm not gonna waste any more time on this, I'm gonna move on to the next target." That's really what it boils down to.

Andrew Boyarsky

You mentioned a lot of different measures that individual companies and organizations can take to protect themselves. If there's a company out there that really wants to take a closer look at their level of vulnerability or exposure, where can they go for some further help?

Alexander Grijalva

You know what, the information changes so often that you need to have a broad range of sources to stay on top of things. The United States does have a central emergency response team, and they have a website that I can share with you later. There are FBI announcements, the consumer protection agency. Also, when it comes to credit card protection, and if you're a senior, Medicare: the Centers for Medicare & Medicaid Services (CMS) also offer some guidance. So the challenge is that it's fragmented, because each of these agencies tends to cater to its own audience.

I think that's where people in organizations and businesses feel overwhelmed: there isn't really one central resource. You have dozens of other agencies, security magazines, emails, newsletters, and stuff. It's a lot to stay on top of, which is why some places need to hire a security person or a team to stay on top of it.

For more information on Security Hourglass visit: https://securityhourglass.com/.
