Every day, bad actors from throughout the United States and as far away as China and the Baltic states assault Central Washington University’s computer networks to get at sensitive data.
“It’s a never-ending storm,” said Andreas Bohman, CWU’s vice president of information security.
Bohman talked about cyber security risks for businesses and families at CWU today, where he showed guests how to crack weak passwords, hijack unsecured wireless networks and mine information from social media profiles with too much information and too little security.
“It’s all given from the perspective of how to protect yourself, but in order to do that you’ve gotta kind of see the opposite side of the spectrum as well,” Bohman said Wednesday.
Bohman, a cyber security professional with a background working for multi-billion dollar corporations and as a signals intelligence and electronic warfare officer in the National Guard, said that a little can go a long way for people trying to protect themselves online.
“The key is to not be totally secure, but to be secure enough that when someone comes to look at you, they’re going to go somewhere else,” he said. “When you’re going to burglarize a house and you see that ADT picture in the window, you’re probably going to go somewhere else, right, because it’s not worth the trouble.”
Striking the right balance is difficult. For everyday people, and even more so for those in academia, technology is used for collaboration and sharing information, he said. Too much security, and the system simply won’t be useful.
That often leaves it to individuals to be more careful.
The biggest problem he sees is weak passwords, he said. A famous example he recalled was a security breach at government contractor Booz Allen Hamilton that yielded 90,000 passwords.
About 80 percent of them, he said, were things such as “password” or “123456.”
Preparing for today’s presentation, Bohman drove around town and was able to detect 30 to 40 open and unsecured wireless networks.
“As long as you have anti-virus on your machine, as long as your wireless router doesn’t have a default password, as long as it’s encrypted, that sort of thing,” he said. “Once you hit those security concepts as a private citizen, any potential attacker is going to go for an easier target.”
Gary Rogers, a professor at CWU’s Information Technology and Administrative Management program, agreed, saying a lot of cyber security can be boiled down to the level of common sense behind locking house and car doors.
If hackers want to get at your information, they will, Rogers said, but there isn’t necessarily a large return on investment for them to attack a home network.
That’s why they send out millions of phishing emails to trick people into giving information to legitimate-seeming websites, or troll for unsecured wireless networks.
Like anyone else, hackers’ motivations can vary, he said. A hacker that takes down a major news organization’s website probably won’t make off with a lot of valuable information, but it is a chance to show off his or her skills to friends, the hacker community and the world.
“You got A-list actors and they’re the best, and you got B-list actors, and then you’ve got horror movie actors,” Rogers said.
Small businesses, for the most part, should take the same precautions as private citizens, Bohman said. The trick is keeping everyone in the business on board.
“It doesn’t have to be big and dramatic and cost a lot of money, it could be like a five-minute security moment before your staff meeting where you just kind of talk about the basic things,” he said.
When a business should scale up, though, is difficult to determine, he said. Some say the IT budget for businesses should be about 6 to 10 percent of the total, he said. For very large companies, some say the amount spent on security should be about equal to marketing.
Small businesses, though, should consider their services before making any big security investments, he said.
Landscapers and auto mechanics can still probably conduct business if their computers go down, he said. But if a business deals in data, security should be a high priority.
“You have to start right away, because if that were to be compromised, then it’s game over,” he said.
Rogers recommended small businesses pay to have their websites hosted by third-party services, which will likely have stronger security systems, and more time to manage them, than a small business.
Get used to it
It’s best that people get used to basic security steps now, Rogers said, because the problem isn’t going to go away with time.
“It’s like spam,” he said. “The reason why there’s so much spam is because it works.”
The extent of the problem can be hard to fathom.
Depending on who you ask and how you count, the annual cost of cyber crime could range from $24 billion to $120 billion in the United States, according to a study by the Center for Strategic and International Studies — a Washington, D.C., think tank — and bankrolled by the computer security company McAfee.
The cyber security minor Central started offering this quarter is already overfilled, Rogers said, with more students on the wait list.
Students learn the issues behind cyber warfare and cyber crime, then go on to attacking and defending each other’s programs.
“It’s a hot program because there’s tons of jobs,” he said.