Just recently, the website of the Commission on Elections (Comelec) was hacked by hacktivist group Anonymous Philippines, leaking personal information of 55 million registered Filipino voters, including 1.3 million passport numbers of Filipinos overseas and 15.8 million records of fingerprints. This could expose those affected to identity theft.
While governments are always the target of hacking, private companies have also been attacked by some form of cyber attack. Thousands of multinational companies generate revenue from the simple information you provide them through surveys or application forms—your data is stored and classified for marketing purposes. Your email address is worth more or less a single cent in USD and the basic information on your credit card plays between $20 to $50. Taken singularly if that were stolen, that doesn’t look like much of a profit.
But ever since crime syndicates realized how lucrative selling information was, companies now have to deal with an even greater horror—their data, their livelihood, being held for ransom through encryption.
Bill Gates’ Trustworthy Computing memo issued 14 years ago triggered Microsoft’s relentless efforts on building the most secure software and platforms that customers and businesses enjoy today, and for good reason.
“The most attacked entity in the world is The White House,” said Pierre Noel, Microsoft Chief Security Officer for Asia. “Can you guess who’s number two? It’s Microsoft, and that is why there is no other company as the world that’s more vigilant about security than we are.”
At a Security Summit spearheaded by Microsoft Philippines for businesses and government agencies, Noel identified types of cyber culprits that may be lurking within or around unsecure networks and infrastructure.
Anonymous, one of the most infamous “hacktivists” in the world, has taken credit for the hacking of an estimated 38 government websites along with social media accounts of various celebrities. They’ve been observed to utilize different Denial-of-Service (DDoS) attacks—flooding their target’s network with traffic such as spam to incapacitate the target from utilizing any measures to arrest the attack.
“Usually, this group is harmless. Unlike the other cybercrime rings, these people attack you because they simply don’t like you. It’s personal. And they try to make a point by defacing your website or instigating DDoS attacks,” Noel warned.
“However, when I see a DDoS attack, you have to be wary of one thing: you are being distracted from a real attack that is happening underneath it.”
Despite the popular notion that countries engage in cyberwarfare to declare war, Noel contradicts this by saying, “Cyberwarfare is there to nudge you or steal information from you—a form of espionage.”
He further addressed government organizations to acknowledge themselves as targets of these attacks, focusing on building a cyber resilient system rather than a security-centered system: “You should know that you are subject to cyberwarfare. If these people will try to attack you, no matter how much money you spend or how many people you employ to try and stop these attacks, they will succeed. What you need to do is to make sure that these attacks will not impact your organization in a significant way through resiliency.”
Noel identified organized crime associations that take a more terrorist approach to cybercrime, employing ransom and blackmail attacks to extort money in the form of Bitcoins and other currencies from their victims.
“The first thing to know about these cyber criminals is that they are very much like terrorists—they follow no rules. They will do everything in their power to extort from you,” he said. “They just want money.
“Instead of stealing your data, they encrypt your data demanding you to pay money to have it back.”
Lastly, companies were reminded to be weary of their own employees, and emphasized the importance of setting clear policies, access restrictions, and clear accountability among any personnel who handle sensitive company data and information.
“All it takes is for one of them to wake up one day and decide that they don’t like you anymore,” he said. Citing the massive credit card data theft in South Korea, where a computer contractor stole credit card data from 20 million Koreans through his company’s system by simply using a thumb drive to collect the information he eventually sold off to marketing agents, Noel urged them to lessen human dependence in systems.
“You can do whatever background check you want, but know that you can only trust human beings at a certain point,” he advised, “Make sure that there is minimal human interaction with your administration accounts.”
Tips to keep security a top of mind practice
“First you must start with simple data classification,” Noel advises. “Identify which of your data is critical to your business and then identify your risks.”
Despite his earlier reminder that behind every security concern is a human being, he persists that companies still need one man to stay in charge of their security network. “Someone must be ultimately responsible but you need to keep that person under strict control. Like for example, forbidding them from using administrative accounts for email and browsing,” he said “that’s the person who will work hard to keep your security practices up and keep the admin accounts right under strict control. He’s also the same person you fire when things go wrong,” he added jokingly.
Once employees are kept in check, Noel also urged business owners to have even the most basic of antiviruses on every machine and asked them to desist from using pirated software on any of the office machines. He ended by imploring them to religiously patch operating systems and applications when updates arise. “Always, always patch your software,” he said “Hackers are always multiple steps ahead of you in the security game and a sure way you can keep up with them is if you keep upgrading your systems with the latest versions of the applications.”