In a world where technology is advancing by leaps and bounds, cybersecurity has become a fundamental pillar for data protection and the integrity of companies. In this publication, we will explore the evolution of cybersecurity in the business environment, based on the presentation by Oscar Lugo, an expert with more than two decades of experience in the IT industry, during one of the MAU Talks at Millennia Atlantic University’s School of Business.
The Evolution of Cybersecurity in the Business World: A Comprehensive Perspective
The Origin and Evolution of Cybersecurity
The First Steps
The history of cybersecurity began in 1971 with the emergence of the first virus, a program capable of replicating without user interaction. This was the first sign that it was possible to execute code remotely on other systems. In 1983, the term “computer virus” was coined, marking the beginning of an era where computer security would become an increasing concern.
The Rise of Viruses and Cyber Attacks
In 1988, the world was introduced to the first worm, the Morris Worm, a program made up of several parts that assembled to execute malicious code. This event was followed by a series of notorious viruses like Melissa in 1999 and the destructive ILOVEYOU in 2003, affecting millions of users worldwide.
The Era of Social Engineering
Kevin Mitnick, the first famous hacker in the United States, demonstrated that social engineering is a powerful tool in the hands of hackers. His ability to extract information without the need for a computer marked a milestone in the history of cybersecurity.
Cybersecurity in the Business World
The Financial Impact of Cyber Attacks
Cyber attacks represent not only a threat to information security but also a huge financial cost for companies. It is estimated that cybercrime will cost 8 trillion dollars in 2023, with an average of 4.35 million dollars per security breach in large companies.
Target in 2013: A cyber attack through a third-party provider led to a massive data breach, resulting in a lawsuit of over 400 million dollars.
The Pipeline Attack in 2020-2021: A ransomware attack that affected the gasoline supply in the United States, demonstrating the vulnerability of critical infrastructures.
The Importance of Prevention and Response
Companies must now design their security infrastructures in layers, like an onion, integrating advanced technologies such as Next Generation Firewalls and incident response teams. The implementation of patches, updates, and the adoption of practices like multi-factor authentication are essential to mitigate risks.
Emerging Technologies and the Future of Cybersecurity
Artificial Intelligence and IoT Devices
Artificial intelligence has revolutionized cybersecurity, allowing massive and rapid data analysis to identify threats. On the other hand, IoT (Internet of Things) devices like Alexa or Ring, although useful, represent a new challenge in security, requiring separate networks to minimize risks.
Regulations and Standards
The implementation of regulations like HIPAA and the ISO 27001 standard, along with data protection standards, are fundamental to ensuring security and corporate accountability.
The Importance of Awareness and Preparedness
The future of corporate cybersecurity focuses on the intensive implementation of artificial intelligence and the maintenance of strict norms and procedures. However, the most crucial element remains the human factor: the awareness and preparedness of cybersecurity professionals. As Oscar Lugo points out, “sloppy administrators pay dearly.” Meticulousness and systematization in the application of patches and updates are vital to prevent attacks and protect a company’s most valuable assets: its data.
This article is just a summary of Oscar Lugo’s rich and detailed presentation. Cybersecurity is a constantly evolving field, and staying informed and prepared is essential for any company in today’s digital world.
“Alright, welcome. I wanted to thank Millennia Atlantic University for the opportunity and the presentation. This is about cybersecurity in business, that is, how to secure your data. What’s the most important thing? Your data, which are sensitive depends on the nature of the business. So, cybersecurity tells us a bit about how this technology has become an essential part of our lives because we all live with security.
Now, every time you go to the bank and make a transaction, the bank asks you, to please, to give your fingerprints, to send a text with a number they just sent you. Part of what we’re going to see is that cybersecurity, if well implemented, is not only about hackers, nerds like me who mess everything up with firewalls and everything else but also about educating the end user, because the end user, unknowingly, has a lot of power in their hands.
Because a lost or exposed end-user password, or one that can be hacked, is where the problems start. It is estimated that cybercrime will cost 8 trillion dollars in 2023. That’s roughly what malicious actors are expected to capitalize on in 2020 alone. Three in cybercrime, 4.35 million dollars is what it costs a large company for a ‘breach’.
That is, when they are attacked and breached, it doesn’t mean they spend 4 million on equipment and professionals, but rather it’s roughly the total cost of what it means to lose business or operations, payroll, all those kinds of things, on average. We’re talking about companies with more than 10,000 users.
So it’s 4.35 million and 277 business days. This is roughly a year and a half. That’s how long it takes to contain that attack 100%, and it is estimated that 33 million records will be stolen this year. Last year it was 27 million. It is estimated that this year there will be 33 trillion, or 33 billion records, for companies to counter this.
The first thing they started to do was implement Siri Security Insurance, that is, an insurance policy against these attacks and episodes. But what happens? They became so common that insurance companies began to demand that companies do certain things to, well, not end up paying 8 trillion dollars a year. In 1971, the first virus emerged. Right?
This virus was a program that, at that time rudimentarily, could multiply without user interaction. That was the first virus and the first time they realized the possibility of executing code remotely on other systems. In 1983, they realized that a lot of people are playing with this, that is, it is spreading like a virus.
So, they coined the term ‘computer virus’. In 1988, they discovered the first worm, the Morris Worm. A worm is a program made up of several parts, which assemble to execute code and perform an action, in this case, a harmful action because it tries to breach the system.
The innovative thing about this was that the modules or the code were decentralized. So, the first time they realize that they can centralize attacks from various sites is in the early 90s. That’s when all those viruses that downloaded movies, photos, songs, etc., started, and suddenly, when you opened them, a bunch of pop-ups appeared and the computer locked up. What happens then?
They are viruses. Those macro polymorphisms, because they are called macro viruses, are the ones that execute, for example, small routines like Excel macros, but they do it in the Windows operating system, in DOS. The polymorphic ones are viruses that camouflage themselves, changing the last or first bits of each of those programs, as happened in 1999 and 2000.
This virus, Melissa, is a virus that, therefore, I mention here because it was the first mass-distribution virus. On the computer screen, it appeared as a little doll, and when you activated it, the computer ‘died’. It was the first to do that. And in 2003 came the one that destroyed everyone, the famous ILOVEYOU virus. You received an email with the subject ‘ILOVEYOU’ and, upon executing the attached program, goodbye.
“This virus affected more than 40 million people worldwide. Kevin Mitnick was the first famous hacker in the United States, and he demonstrated that to extract information from a remote computer system, you don’t need a computer. Let’s see what Kevin Mitnick did. Everyone here remembers, well, Maxi, maybe you don’t, but the cell phone was the Motorola.
He clicked ‘start’ and stole the blueprints of that phone. What he did was search through Motorola’s building trash, stole a phone book, and, sitting at his house, called Andy’s boss. It turns out that when he called, a temporary employee answered, and she ended up uploading the blueprints.
She, from her computer at Motorola, uploaded the blueprints to an anonymous FTP server and stole them. Of course, later the NSA captured him and imprisoned him for 15 years, but he demonstrated that he carried out the biggest theft of that time without touching a single key.
That’s why social engineering is the most powerful tool hackers have. We move from the ILOVEYOU virus to 2007, to the first ransomware attacks. Now let’s go to the newer ones, which are a bit more complex. Conficker was the first to use that attack modality, where it encrypted your files and, upon waking up, you found a lock on them. What happened here?
It was very rudimentary ransomware. When they managed to break the key, Conficker ended because everyone could decrypt their files and eliminate the virus. Another important one was Stuxnet, a worm that infected a nuclear plant in the United States.
It was an industrial automation program that became a virus, endangering several nuclear reactors around the world. Well, the other case I was mentioning is from 2013, the first PPP, which involves Target. In this case, Target had an outsourced provider, Terra F company, which serviced their air conditioners and had Avast antivirus free. Target sent them service orders and, with these, codes to enter Target’s network so they could make service reports if they connected with the network in Turkey.
What happens? Hackers hacked Z F, got in there, and through that remote connection, entered Target. Ok, so they stayed calm in Target, learning, and observing how Target did business, and what their infrastructure was. And one day they managed to access one of the keys of one of Target’s network administrators because the guy had more than 160 days without changing his key.
So they started to brute force it. The Bradford key means brute force, where they start with an attack. Imagine a giant file with a bunch of possibilities calculated by a computer and they start testing one after another, until the key yields. And with that administrator key, they started to systematically attack all the servers where Target stored credit card data.
They hacked all that information and told Target: “We have all this, what are we going to do?”. So, Target, as usual, kept quiet, didn’t tell anyone, and hired another cybersecurity company saying: “Look, we have this problem, what can we do?”. The company told them: “Ah, don’t worry, nothing happens, buy Symantec. With that, you destroy everything”. And indeed, Norton eliminated some of the malicious code they had put on the servers, and the guys said: “It’s ready”. But one of the analysts said: “Look, I don’t think it’s ready. I’m going to leave a report on what I think should be done later”. The company’s people told him: “This guy is exhausted, go away, give me my money, please”.
Nothing happened, they went to sleep peacefully. And eight months later, they published in one of the forums more than 300,000 credit card records and user names of Target. What was the result of all this? Remember the 8 trillion dollars. Well, it resulted in a lady in the United States saying: “Well, but if I’m trusting these people with my truthful information and they cloned my credit card and took the money and the bank gave it back to me, I don’t care, I’m going to sue you because you didn’t comply”. And that small lawsuit turned into a lawsuit that Target later settled in an out-of-court settlement.
It was never known how much it was, but it was a lawsuit of more than 400 million dollars. Remember? In 2020-2021 we had the most recent attack, the Pipeline, which left us without gasoline for a while and even affected us here in Florida. That was a software attack where they hijacked the servers and asked for a ransom, but the affected parties said they wouldn’t pay, and that they don’t negotiate with terrorists. In the end, they had to pay anyway.
This attack, like those of Microsoft Exchange and SolarWinds, was very serious. Microsoft realized it after six months. And when they realized it, they thought it was a secure attack, something unforeseen for them. But it wasn’t like that. The attacker, the APT, told them: ‘No, we hacked you six months ago and this is everything we’ve done’. That affected more than 90% of the servers I had the opportunity to assist; all were compromised by that attack. And another important one, which they kept secret for much longer, was SolarWinds.
SolarWinds is a suite of applications responsible for the complete monitoring of the entire network of applications for Windows, an application used by the United States government and the Ministry of Defense. Hacking a single account meant hacking more than 95% of the large companies in the United States that used that application.
Do you know what a company does now to mitigate all these threats? Well, you have to design your security infrastructure like an onion, in layers. Manufacturers start to create applications, and integrated firewalls, capable of having access rules and threat detection.
So that’s what’s called Next-Generation Firewall. That’s how technologies start to evolve. Another important thing is the emergence of incident response teams within companies, independent teams in charge of managing incidents, such as the lack of patch application.
Where are your processes and procedures for dealing with all these things? All these issues start to arise that I know to this day they hate us and detest us, but you have to change your key every 45 days. It can’t be the same as the last time. And that has a reason to be.
It’s not that we’re sick and we like it, it has to do with social engineering. Yes, because when they want to target a specific person, they start investigating them for that. That’s why technologies like two-factor authentication and multifactorial LMF authentication start. When you’re going to enter your key, at least personally, anything that has a key and has MF, I have it configured. So, if I lose the authenticator, I can’t even read my email.
Following a bit more, let’s talk about the regulations and standards I was telling you about, that the United States government has today so companies have a bit of responsibility in this. Remember that whoever makes the rules, cheats, but at least there’s something. The first one that was made was HIPAA, which is the health insurance and accountability law. It’s a law where all of us who live here know that all your medical data is classified and that if any doctor, physician, or medical institution makes it possible for your data to be commercialized to the public, they are free. That’s why there’s the GDPR (General Data Protection Regulation), which is like the umbrella law. Where is all that? What are all those data regulations and responsibilities called? And the ISO 27001 standard, which regulates how you should start protecting data.
A bit of the emerging technologies we have are authentication and cloud security, and the most important of these are two things: artificial intelligence and how it’s taking control of cybersecurity. And the other is IoT (Internet of Things) devices, like your fridge, Ring, Alexa, etc. Artificial intelligence has revolutionized cybersecurity because we are human and computers are machines. They think faster. Imagine, then, the Internet stores more information. The application of artificial intelligence has allowed us to analyze all that massively and can give you a report and tell you: ‘This is wrong, this is weird. Look here. What’s happening with this? You’re missing here. So it’s like having an army of people in a single box with the Internet.
It’s very important that you all know this here. This applies both to a house and to a company of 300 million people. Please, have IoT devices on a separate network from your normal network. I mean, create a separate network for Alexa, for the TV, for all those things, another wifi network and another where I go to the bank, where I talk to my people and all the things, because it’s a rudimentary but necessary measure to separate those two traffics. The thing about IoT is that they are proprietary devices over which you have zero control. You have no idea if Alexa is sucking up all the traffic and sending it who knows where.
Well, this is the conclusion. We’ve already seen it more or less, but here’s a very important one I wanted to talk to you about, which is the case of Cambridge Analytica. Yes, that was in the elections. There we see that there is no value paid for your information. They didn’t pay for that Facebook information, but it was equally a cyberattack because the people from Cambridge Analytica, through Facebook, obtained the information of all users in the United States and were able to influence the voting in favor of one of the two political parties.
What is the future of cybersecurity in business? Well, I think the future is going to be the very intensive implementation of artificial intelligence and always continue with the issue of standards, procedures, documentation, and remediation to change the key. All that is always going to continue. To conclude, the most important thing is to use your common sense. Please, find yourself a good cybersecurity professional, because it’s very important. Lazy administrators pay dearly. The most important thing is that you have a meticulous, systematic person who applies patches, and updates, and is aware of everything because manufacturers spend a lot of money and time releasing updates and new versions precisely to mitigate all this that is happening. Unfortunately, the people who are hacked and suffer all that bunch of things is because they had old and neglected technology.”