Some hacker wormed his way into John’s lost Blackberry. It was a teeth-clenching shame. John lost money, data, identity, and countless hours in restoration time.
A legion of hackers unleashed a service denial at a target corporation (this time Visa), so flooding the system with slave requests that legitimate business crumpled to a standstill. An absolute disaster. No real communication got through. Clients, vital business, and payroll was lost.
And a small, very sophisticated hacker core invaded the systems of a U.S. military helicopter and a 2,000-passenger aircraft carrier. This could have been a true American tragedy — except for the diligence of #b#Aleta Ricciardi#/b#, a principal scientist at Sarnoff who advises the national Special Operations Command on protection against cyber threats from all corners. Even the lion must defend itself against flies.
Today’s lions, both commercial and military, face a swarm of potentially lethal cyber gnats that can bring the organization down. And today’s threat landscape hosts thousands of new viruses and vulnerabilities mostly unknown a mere decade ago.
Ricciardi will join several experts to discuss “Keeping Up with Security” at this year’s New Jersey Technology Council CIO Conference, on Friday, February 25, at 8 a.m., in the Heldrich Hotel in New Brunswick. This panel, moderated by Angelo Valletta, CIO of Sun National Bank, will discuss the latest in security techniques. Cost: $200. Visit www. njtc.org.
Ricciardi grew up nurturing computers. In 1980 she left her Centerport, Long Island, home to attend Cornell University, where she earned her bachelor’s in mathematics in 1984 and her Ph.D. in computer science in 1993. After teaching these subjects at the University of Texas she went to work at Bell Labs, just as the Baby Bells were splitting and Lucent was acquiring every telecom it could afford.
Ricciardi’s Bell Lab’s findings led to her launching Valan Inc. in Princeton, which developed sorely needed telecom software for linking various business and governmental systems. “It was five great years, with many life lessons learned,” she says.
Revamping her original software systems, Ricciardi formed her second firm, Kayak, which developed multi-user Internet games that could be played on cell phones and handhelds. “The real challenge” says Ricciardi, “was working on such a restricted device where everything was slower and smaller, but still had to keep the interest of a person in Princeton playing with someone in Bavaria.”
Since 2005 Ricciardi has worked at the Sarnoff Corporation, overseeing the development of leading-edge software to defend against invasion and corruption of military systems.
“Security all centers on people,” says Ricciardi. “Whether you bring them on board as employees or outsource security to a cloud, they have to have the right implementation and a lot of foresight.” Finding that security talent and maintaining the effective home/outsource balance becomes the business owner’s primary concern.
#b#Wandering amidst clouds#/b#. Cyber security, like so much safety, begins at home. Initially, Ricciardi recommends using securely encrypted http// sites, within the limits of one’s hardware. Further security tools may be implemented in layers. Specific firewalls and data privacy policies can be deployed as needed, specific to your business.
Beyond these basics it may be beneficial to employ some outside data storage, as both watchdog and facility large enough to deal with one’s own data explosion. “You cannot open any tech journal today,” says Ricciardi “without ads inviting you to kick your data to the cloud. Tiresome as these ads are, there’s a logic in having your data in the hands of an IT staff as sophisticated as the next attacker.”
While the original cloud is the massive-scale wi-fi network recently acquired by British Sky Broadcasting Group, countless companies now offer cloud computing services that provide remotely housed applications and data storage. The question is, how does one shop for a cloud?
One accepted way is to first examine your own business routine and determine the gaps in your system. If you handle a lot of varied data streams, is the firewall amply impenetrable? Do you seek anti-fraud protection for your customers with a system that swiftly ferrets out fraud anomalies? Perhaps your need is more archival and the secure future of long-term data is most vital. There exists no silver security bullet, only answers to specific needs.
Finally, read about the physical plant in which your data will be hosted. The measures taken are quite indicative of the company’s thoroughness.
#b#Net threats#/b#. Businesses, realize it or not, are public entities in the public eye. As such they stand vulnerable to a host of threats from individuals worldwide who may interpret their actions as less than favorable.
Just this past December, shortly after the arrest of Julian Assange, founder of the online journalism whistleblowing site Wikileaks’, thousands of contributions to his defense fund began pouring in. Made online, most of these were made via Visa and MasterCard whose leaders received intense governmental pressure to not accept such contributions.
When Visa and MasterCard agreed to deny further contributions to Assange’s legal defense, a small army of hackers engaged in what has been termed “distributed denial of service.” In essence, they enlisted the knowing and unknowing aid of thousands of computers to flood the www.mastercard.com and www.visa.com with so many requests that the sites were temporarily forced to shut down. “This is similar to the tactic believed to have been used by the Russians when they attacked Georgia in 2008,” says Ricciardi. “It really softens up the enemy.”
In addition to the enemy, this attack brings to light another, less ostensible invasion. The overwhelming of the credit card giants would have been impossible had the hackers not planted “botnets” (robot computers) with a code that ceded control to the hackers on cue. These codes may lie in your firm’s computers and you would never know it.
#b#Military invasions#/b#. Since they are not linked to the general Internet, military systems are fairly secure from service denial and other public mass attacks. However, this in no way places military and federally protected systems out of hackers’ crippling reach. Last November Iran’s nuclear program toppled to a complete and confused halt under the attack of the Stuxnet computer worm. This ultra-sophisticated virus, operating like a smart bomb, was able to leap from computer to computer until it found its target: the nuclear centrifuges in Nantanz, Iran, and the Bushehr power plant.
It remains unknown whether the virus was distributed on a thumb drive by someone entering the plants and whether the actual carrier acted deliberately or was merely a mule. But the invasion of the system caused the centrifuges to whirl uncontrollably and explode, while the main steam turbine at the Bushehr was similarly destroyed.
“Whoever composed Stuxnet,” says Ricciardi, “spent years making it and had an amazing knowledge of how the Iranian system worked.” Many are claiming that such a highly targeted destruction would be impossible without an insider at least assisting the effort.
The number of hacker invasions are legion and prove beyond a doubt that everyone is vulnerable. Considered psychologically, many people wonder at the joy the criminal hacker receives from spreading disaster to individuals he does not know, in ways in which he may never take credit.
To this Ricciardi shakes her head. “You don’t have to understand the thrill to appreciate the reality,” she says. “The only thing we can do is to keep employing the best available practices and hope to stay one step ahead.”