Sophisticated cyber crime methods are changing the definition of hacking

UNIVERSITY PARK, Pa -- More than 100 banks in 30 countries have joined the ranks of Anthem Blue Cross Blue Shield and Sony Pictures. As targets of unprecedented, and likely some of the most costly, cyber attacks in history, the financial institutions, insurance company and film studio are reeling after record-setting amounts of data, money, internal emails and more were stolen by hacker groups, which in some instances are believed to have been sanctioned by nation-states. Just last year, thieves behind the Target and Home Depot breaches made off with customer credit card numbers and cost the corporations millions of dollars.

But most data breaches don’t make headline news, and sometimes companies don’t know they’ve been hacked until it’s too late. In 2014 alone, there were more than 740 breaches in the financial, business, health care, education and government sectors, according to the Identity Theft Resource Center. That figure is expected to climb in 2015.

Penn State’s own intrusion detection and prevention system operated by Security Operations and Services, the University’s cyber security team, identifies and blocks approximately 157,000 hostile systems from accessing 200,000 computers on the University network on any given day. And within the next year, areas across Penn State will participate in a security assessment to gather data to use as a benchmark for future planning. For a vast institution like Penn State, what one area does in the realm of its own network security processes can have profound implications on the rest of the University.  

“This is the world we live in now,” said Matthew Snyder, chief information security officer for the Penn State Milton S. Hershey Medical Center. “If you would have told me a couple of years ago that a data breach could cost $1 billion, I would have thought you were crazy. Now, it’s not too far-fetched — these guys don’t play by the rules.”

Laws and regulations that the majority of the world adheres to mean very little to a growing faction of cyber criminals, commonly referred to as advanced persistent threat (APT) actors. Since emerging in the early 2000s, APT actors have used sophisticated tools and tactics to gain access to and steal digital information they can use or sell at a later date. With economic and political motivations, these groups are characterized by their ability to patiently infiltrate computer networks and remain undetected for up to two years on average before being caught or revealing themselves — by then, the data breach has already happened.

The world is dealing with a level of sophistication among APT actors that over time has also become highly coordinated, according to Kevin Morooney, vice provost for Information Technology at Penn State.

There’s a spectrum of hundreds of known APT actors that are going after everything from intellectual property and health data to credit card and Social Security numbers — a far cry from the earliest days of the Internet when hacking was almost like a kind of playful vandalism. Eventually, hacking became more sophisticated and economically focused, but was still primarily unorganized.

“Today, these threat organizations are well-funded and run like large companies with business plans, many employees and headquarters,” Morooney said. “That kind of threat flies in the face of how universities have generally chosen to design their network architectures and accompanying services: open, fast and available.”

Institutions of higher education rely on sharing knowledge and information to promote collaboration and educational achievement. But they also have an imperative to protect the troves of intellectual property and personally identifiable information in their care.

Safeguarding this data has always been a serious job, but it’s getting even more complicated since the majority of breaches are the result of malicious or criminal activity (and not employee error or system glitches), according to a 2014 Cost of Data Breach Study by the Ponemon Institute.

“If a state-sponsored or criminal APT actor wants something, they’ll come after it — they don’t care if someone has dedicated his or her entire career to a research project. They’ll steal it in minutes,” Snyder said. “There’s very little that can be done to prevent a cyber attack, making incident response a critical component of an organization’s cyber security strategy.”

For the health care and higher education industries, finding a way to remain open to the world, yet secure, is an opportunity to change the operating paradigm, according to Snyder. The cyber security model is shifting from an entirely prevention-driven approach to one that blends prevention with incident detection.

“Going forward, organizations will assume they’re going to be hacked and begin to formulate incident response processes and decisions based on that presumption,” Morooney said.

Since the cost of being breached is expected to grow in 2015, that’s a wise strategy. While health records can be sold for $316 each on the black market, education records are not far behind at $259 per record, according to the Ponemon Institute.

“As citizens, we’re going to see huge changes in how we engage the Internet. It’s not just an IT, Penn State or United States issue — it’s a global shift,” Morooney said. “Developing a healthy level of skepticism at the individual level for what we click and where we go online — even places we think are safe — is a step we can all begin to take.”

Amid a bevy of unknown threats, Snyder finds a way to stay positive. “With cyber security being so dynamic, it’s almost impossible to make it black and white,” he said. “It’s gray. You can be creative, innovative and come up with solutions that other people might not have thought of before. So, what’s going to happen in the next year? A whole lot.”

Last Updated April 30, 2015