So you think your IT is secure and you’re fully protected? MafiaBoy says, “Not so much.”
I had a great opportunity to meet Michael Calce (aka MafiaBoy) at a small reception a few weeks ago. If you haven’t heard the name before, maybe you are more familiar with his impact on modern society. In 2000, Calce executed a cyber attack against Yahoo, eBay, CNN, Dell, and Amazon, which temporarily took these sites offline and caused an estimated $1.7 billion in damages. He was only 15 years old at the time.
So why do I find meeting a criminal mind a great opportunity? Today Calce is reformed and doing the opposite of what he did 18 years ago: working with major corporations on IT strategy process, policy, and defense systems to counter potential cyber attacks.
When you speak with Michael, you can almost see the thought process swirling in his eyes. His ability to understand the underbelly of today’s cyber world allows him to move in step with those trying to cause harm.
Perhaps you have a great IT employee or have an outsourced managed services company. You trust them because they told you that you should, and they know much more about IT than you do. However, how secure is your environment? How do you know if you have the appropriate IT security solution in place? Have you had an independent security review conducted to help you understand what is being done and what potential vulnerabilities exist?
And are your printers secure?
Before you start laughing and stop reading, I urge you to take a moment and really think about what this means. Sure, someone could print a document on my office printer, but who cares? Very few cybercriminals would waste time hacking into a printer to print a few pages. However, they would hack a printer to gain access to your network or to pull the history of previously printed pages. Most people forget that the printer is on the network and can act as a gateway to other, more important systems. Everyone secures desktops and servers, but the lowly printer is often forgotten; it is left open and ready for anyone with the know-how to tap into it.
Most major printer manufacturers today have security features built into their products, such as sending alerts for suspicious activity. This may not be sufficient because, by the time you get the alert and act, the cybercriminal has infiltrated and perhaps infected your entire infrastructure. HP takes the process one step further. Their printers and other devices are self-healing; the moment they detect anything out of the ordinary, they wipe out the foreign code and reset the device to default before a hacker can get in.
Ask yourself: “Are my printers monitored and managed? Do we still use the default passwords that came with the printers?”
Ok. So, now you have secured your printers. You have invested in self-healing systems and monitoring. Surely, you can now sleep well at night, right? The answer: not necessarily. Securing your IT environment is not a “set it and forget it” process. It is ongoing.
One of my Managed Services clients decided to bring in a vending machine with healthy snacks for their employees. During installation, the vending company asked for the machine to be connected to the network for credit card processing and inventory count. Allowing this device on the corporate network could open up a gateway for nefarious activity from the outside. The company did allow an internet connection but isolated the vending machine from the rest of the network.
Today the world is becoming more and more connected. Personal devices are introduced into the workplace network whether directly connected or wireless. Corporate policy should not allow any device access unless authorized. Although the corporate world is taking measures to protect their environment, we still hear about significant breaches on a weekly basis. According to IDC, 40 percent of Canadian companies have had some data breach.
“In the hacking world, security is more of a response than a proactive measure. They wait for hackers to attack, and then they patch, based on the attacks.” – Michael Calce [1]
Your corporate environment may be somewhat secure; what about your personal space? Is it that important to secure your home’s network? Maybe you have dabbled in smart home tech, or IoT (Internet of Things). You started with a light bulb or thermostat connected to the home network and expanded to the home alarm and front door lock. These devices can be breached if not properly secured. Once compromised, they are used as a springboard to information on your home network, to gain access to your corporate network, or to enter your home when you are away. Remember, MafiaBoy was only 15 years old when he was able to compromise multi-billion dollar corporations.
Personal breaches have even gone beyond the home. Personal medical devices, such as pacemakers, are often “online” for maintenance and other functions. Certain devices can administer medication automatically based on a doctor’s input. We know today that these devices have been hacked and can be controlled from thousands of kilometers away, leading to bodily harm for those who depend on them.
The world is becoming more and more connected. On the one hand, this connectivity provides an unbelievable advantage to us all. On the other, it creates new dangers that we must all be aware of to prevent or at least limit exposure. The US already has certain legislation accompanied by fines for not reporting breaches. Canada is passing a law whereby all companies must notify the government of any breach, big or small. As of this writing, only the province of Alberta has such legislation, while Ontario, Newfoundland and New Brunswick require disclosure only of breaches that affect healthcare.
The majority of the population assumes they are not a target, but this is simply not the case. Whether you are the object of a cyber attack or just a stepping-stone on the path to someone else, everyone must share in the responsibility that is awareness.
The MafiaBoy documentary is available for viewing here.
Managing Partner, Toronto
[1] The Interview: Mafia Boy speaks up – Maclean’s Magazine, April 17, 2014