66

BizVoice/Indiana Chamber – July/August 2017

By Matt Ottinger

Beware of Risky Behaviors, Sophisticated Threats

BEHIND THE

CYBER CURTAIN

WannaCry. It’s the aptly-named

computer virus that, according to

European law enforcement agency

Europol, hit 150 countries and

infected 200,000 machines in

May. The ransomware cryptoworm

attack targeted computers using

the Microsoft Windows operating

system by encrypting data and

demanding users pay to recover it.

Ransomware is just the latest

iteration of computer hacking that

has businesses – both large and

small – searching for advice and

protection.

“For the bad guys, it’s a low-risk, potentially

high-reward endeavor,” contends Chuck Cohen,

Indiana State Police captain and director of

the Indiana Intelligence Fusion Center (IIFC).

“It’s a phenomenon we’ve seen with regularity

over the last several years. But Indiana

businesses and government organizations tend to

be high-value targets because they hold

information that is critical to run their operations.”

Trojan viruses, phishing, malicious bait

and switch programs and cookie theft are

other common hacking techniques. Denial of

service attacks can also be an instrument of

destruction for businesses.

Sid Bose, an attorney in Ice Miller’s

Litigation and Intellectual Property Group,

tells the story of such an attack.

“In a smoke screen situation, a company

was getting bombarded with millions of

requests through its online web portal from

different computers that had been compromised

by malware, which essentially made them

little drones,” he recalls. “It basically brought

their network to a grinding halt because it

couldn’t handle the load from these attacks.

“On its face, the motivation was thought

to disrupt the operation of the portal, but an

investigation showed that the attack was a

smoke screen to pull money out of the company’s

bank account. Those are sophisticated attacks.”

Breaking bad behavior

Vulnerability is often most evident in

human frailties rather than technical

weaknesses, according to experts.

“There’s a popular saying: Amateurs hack

computers but professionals hack people,”

Bose relays. “Phishing is so successful because

it takes advantage of our behaviors and the

desire to want to be useful when someone

makes a request of you.”

Bill Mackey, an assistant professor at

Indiana State University (ISU), is launching

new courses (Intelligence Analytics and

Cybercriminology) to train students in the

behavioral aspects of cybersecurity. Mackey

also owns Alloy Cybersecurity – a firm that’s

hiring ISU students as interns to offer real

world experience in the field. He outlines

behavioral-based approaches to exposing a

company’s vulnerabilities.

“We look at names, email addresses and

basic information from web sites,” Mackey

notes, explaining phishing efforts will often

relate to a person’s hobbies or a company’s

industry. “Using open source intelligence,

we’ll find out how active you are online and

how much information you’ve divulged that

we can access. Then we’ll try to use that

against you. It might go beyond just the

standard phishing email from corporate

saying, ‘Click on this link.’

“We can get incredibly personal,” he

adds. “If we know John Doe drives a certain

car or eats at a certain place or donates money

to a certain group, that will be exploitable

and a vulnerability we could attack.”

Mackey also says training ISU students to

be behavior analysts will help close a critical

knowledge gap.

“What I’ve found is that businesses are

“A problem we see is that a business

may have taken great steps toward

security and computer hygiene but

their vendor hasn’t.”

– Bill Mackey