How (Cyber) Secure Are You? The Bigger Picture

Feb 12, 2015

Jack Davidson is a professor of Computer Science at the University of Virginia, and president of Zephyr Software.

Today we revisit the question “How secure are you?” in the second half of our two-part series on cyber security.

The first segment explored steps consumers can take to keep themselves safe. Now we look at the broader picture: national cyber security and the recent widespread hacks that have compromised the personal data of millions of Americans. Here's WMRA's Kara Lofton.

Warfare is no longer confined to a battlefield of guns and bombs; it has expanded to include malicious attacks via keystroke. As 1984 as this might sound, the reality is that the recent hacks into megacompanies such as Anthem, Sony, Target, and Home Depot were all cyber crimes of increasing sophistication and breadth. In this world, where data is synonymous with money, homeland security means protecting not just homes and families but also people's identities.

Jack Davidson is a professor of Computer Science at the University of Virginia. He is also president of Zephyr Software, a company that does research and development on cyber security for the US Government.

He said that for both personal and corporate attacks…

DAVIDSON:  The real answer to everything is it is all about the money. And what they are trying to do there is gain personal information—social security numbers, maybe if there is bank account information so they can do identity theft but really the bottom line is they are trying to steal it from individuals so they can steal their identity so they can run up credit card debt.

Any software program inevitably has vulnerabilities, but it is not always clear where vulnerabilities are until they get attacked. So in the programming world, there is a simultaneous dance of programmers trying to find and fix vulnerabilities while hackers are trying to find and exploit them.

DAVIDSON:  One of the problems is that software has become so complex that it is almost impossible to build without having some of what we call bugs or flaws in it. And these flaws can be exploited by malicious people. So one of the things that the government is trying to do is to find these flaws or bugs before the software gets deployed out there, and being used and then can be hacked.

In technology, there is constantly a tension between usability, affordability and security. As more and more companies are hacked, though, security is beginning to be prioritized.

REID:  In 2014 we had a lot of hacks in the retail industry, well that’s because a lot of the companies in the retail industries were not encrypting the data…we called them soft targets.

Edna Reid is a former FBI consultant and teaches Intelligence Analysis at James Madison University.

REID:  So if you are looking at network security, if I don’t think I’m going to be hacked, I’m not going to go through the extra expense and steps of encrypting my data. But you look at places like law enforcement, healthcare, they should be actively encrypting their data—law enforcement organizations do that, but we found that historically healthcare organizations have not been doing that.

Encryption is simply a way of coding data so that it can only be read with the correct key or program. One healthcare organization that did not encrypt its data is the insurance giant Anthem, whose breach earlier this month affected 80 million Americans, including both Reid and Davidson. As Reid mentioned earlier, healthcare and retail organizations are not required to encrypt their data, although they are strongly encouraged to do so.

While encryption can certainly provide some protection, it will not protect a company if employee credentials have been compromised through phishing campaigns, as was the case with the 2015 attack on Anthem. Anthem is now saying that it believes the credentials of at least five employees were compromised prior to the attack.

One could argue, then, that the real problem is not whether data has been encrypted, but which employees have access to that data.

Reid says that, unfortunately, there isn't a lot people can do to protect themselves from attacks like the one at Anthem except to call for the company to implement stronger security steps. As for retail, she strongly suggests paying cash whenever possible.