Security Experts:

Was 2011 the Year of the Hacker?

The question most asked throughout 2011 was, “is this the year with the most hacks?” There is no straight answer. I think the best way to answer the question is to pose another question.

“Why was there more news about hacks, and why would anyone be surprised?”

Okay, that’s two questions, but the point is that companies have been working without rest to secure their data. While Internet security technology has improved, companies are slow to catch up. Hackers, on the other hand, are fast and seem to be ahead of the game.

That gap is the difference.

How else can we explain the NASDAQ hack in February?

Company officials said that its “web-facing” application, called Directors Desk, was “potentially affected.”

Directors Desk, founded in 2003 and now owned by NASDAQ, is a solution to help board members communicate and collaborate securely, which the company says is used by more than 10,000 directors around the globe. According to its web site, many of these companies are considered to be in the Fortune 500 realm. 

While money is usually a hacker’s objective, imagine the motivation for a hacker who can compromise a single application and, through it, eventually penetrate thousands of companies. It is a hacker’s gold mine.

Companies should also take notice that web-based applications like Directors Desk boast multiple levels of protection to guard clients' confidential data against undesired access.

Such protections include employee background screening; policies that restrict physical and logical access to classified information; management of information systems; firewalling; intrusion detection; risk assessment; and guaranteed destruction of expired data.

And still they were breached.

Much of what happened to NASDAQ is unknown. As experts were pointing out, sophisticated hackers do not immediately try to capitalize on the situation, but lurk unnoticed, gathering information to find the optimal method for long-term gains. Access to 10,000 companies would go a long way toward that objective.

So far, it seems the year of the hack could be better termed the year of the hacker.

In March, RSA, a known leader in security and web fraud detection, was attacked, resulting in sensitive customer information being threatened, lost or possibly stolen. Who knows? The company’s two-factor authentication products related to its SecurID were reportedly breached. This is an authentication process utilized by 30,000 customers, according to company data.

In November, we learned that the attackers behind the RSA SecurID breach likely also hacked into Google, Facebook, Microsoft and others: a total of 760 organizations, many in the Fortune 500 club.

Abbott Laboratories, PricewaterhouseCoopers, Wells Fargo, and even IBM and Intel were at the top of that list. Government agencies on the list include the European Space Agency, the IRS (an obvious target for obvious reasons), and the General Services Administration.

It is quite a list of who’s who, isn’t it?

The NASDAQ and RSA hacks were at first considered “surface” hacks, and the public was led to believe it was under control.

It wasn’t under control.

The true hacker is lurking within the company, preparing. This information-gathering process could be as short as a week or as long as five years.

As with NASDAQ, speculation continues, and RSA confuses the matter with denials and blame. The greater question is, if RSA, known as a security-tight company, can be hacked, what about companies that have no budget for security? What can they do? I have been adamant that cutting costs on data protection is an invitation for disaster.

In February, the Canadian government confirmed that some of its computer databases had been hacked by foreign hackers. Years earlier, the government had cut funding to its data security budget.

Whoever was behind the hack, whether a nation (in this case China was blamed), a company or an individual, could have been after data contained in the federal Finance Department and Treasury Board computers. If this level had been compromised, information on private citizens could have fallen into the hands of these hackers.

The Canadian government was forced to shut down Internet access for thousands of workers in the Finance Department and Treasury Board, because, as it reported, hackers "posing as the federal executives, sent emails to departmental technical staffers, conning them into providing key passwords unlocking access to government networks.”

It sounds familiar.

Spoofing. Phishing. This just tempts us to ask another question in a year of unanswered questions, “Why are these hacking techniques working so well against the millions of dollars some companies, not all, put towards Internet security?”

There is only one answer to this one: they work.

What it boils down to is hackers’ use of social engineering tricks: links, fake emails and deal scams. The old trick of taking advantage of our human nature to be friendly and accommodating still gets the job done.

Thanks to employees working on company computers, the proliferation of social media, and now smartphones linked to company computers, social engineering and phishing remain the hacker’s mandate.

The result is data or identity theft. It is easy because we are friendly by nature. We are social beings. We like other people. We want to be accommodating to others. We want to share. When it comes to company security, we are told as employees to basically go against our human nature, and shut out the world, at least when we are on the clock.

This is difficult to ask of any human being.

Most people would not divulge certain details to strangers, but it is amazing what information is shared through social networking. That means IT workers are bound to eventually find, perhaps too late, all kinds of malware: spyware, viruses and more.

These are just three organizations hacked in 2011. Sony, HBGary, and social media sites like Facebook were also targeted, and who knows how many others.

This is the real question of 2011.

Perhaps companies are reporting more hacks, or just bits and pieces, handing out tidbits of information to the media, while the full depth and truth of the story go unreported. These were major hacks, but sometimes the important things come in smaller packages. We can only speculate about how many others have been hacked.

Companies have been taking advantage of the Internet to market and sell their products and services, a logical evolution when it comes to doing business. Without it, the old-time door-to-door sales method will surely shut a company down.

So will a hacker, who is also on the Internet.

And there is the gap again, exploited by the hacker.

We do not know how many companies are on the Internet, or how many hackers are hiding in the shadows. Who gets hacked? Who doesn’t? How many times? When? Where?

So was 2011 the year of the hacker? The only thing we know for sure is that their work is not yet done.

Terry Cutler is a co-founder of Digital Locksmiths, an IT security and data defense firm based in Montreal, and serves as the company's Chief Technology Officer and Certified Ethical Hacker. Prior to joining Digital Locksmiths, he was a Premium Support Engineer for Novell in Canada, where he analyzed network vulnerabilities and transitioned security technologies into production. In addition to being a licensed private investigator in Canada, Terry is an internationally known author, trainer, speaker, and security consultant. Terry has appeared in numerous national television and radio programs and is very active on the conference circuit. Follow Terry on Twitter at @TerryPCutler.