Cyber attacks: ‘The bad guys are constantly at it’

In August 2012, an administrative staffer in South Carolina’s Department of Revenue clicked on a link in what turned out to be a malicious email. With that one stroke of the keyboard, an international hacker was able to infiltrate the state’s computers and get access to 3.6 million Social Security numbers and nearly 387,000 credit and debit card numbers.

To cover the cost of that huge breach, South Carolina had to take out a $20 million loan.

That was just one of the cyber horror stories offered by Erik Avakian, the chief information security officer for the Commonwealth of Pennsylvania, at the 2015 Cybersecurity Summit held Wednesday at Lehigh’s Rauch Business Center.

Avakian and a panel of information security experts tried to impress upon the audience of about 100 students, faculty and others the enormity of the problem. Lehigh's Business Information Systems Club hosted the summit, which was presented by the Greater Lehigh Valley Chapter of the Association of Information Technology Professionals.

Avakian talked about cyber attacks on Sony, Target, the IRS and the emerging threat of hacker assaults that will target power grids and other critical infrastructure.

“The bad guys are constantly at it, 24-7,” Avakian said. “JP Morgan is a company that has 2,000 people dedicated to cyber security. They have spent $250 million dedicated to cyber security. They did everything right, and they still got hacked.”

To guard against such attacks and to limit the damage when they happen, Avakian advised frequent training of employees in cyber security best practices and testing them to make sure the training is effective. Computer users need to employ different passwords, and companies can use encryption and take a layered approach to data “so there are different controls at all levels,” he said. It’s also important that vendors who deal with companies or institutions practice good cyber security, he said.

Keith Hartranft, Lehigh’s chief information security officer, said data breaches such as the one in South Carolina are made worse because the state wasn’t following its own data retention policies that required it to routinely dispose of old data. 

Avakian agreed, saying, “Sometimes convenience wins over security.”

Robert Lautsch, vice president and chief information security officer for Rite Aid Corporation, said a lot of data breaches nationwide are occurring internally in workplaces. His company is striving to ensure that each employee only has access to the data their job requires.

Because of the acceleration of cyber attacks in recent years, the job outlook for those in the information security field is exploding.

Florindo Gallicchio, director of information security for OPTIV, the largest privately held cyber security company in North America, said his company is looking to hire 400 people immediately and another 600 next year. He urged students to practice networking so they find out about positions as they open up.

“A career in information security is absolutely the way to go if you’re interested in it,” he said.

Avakian agreed, adding that the state offers internships in information security. “This is such a great field to be in because there’s so much opportunity,” he said. “If you like to multi-task, this is the job for you.”

Plus, the victories, when they come, are sweet. David Finkelstein, information security manager for St. Luke’s University Health Network, told of how his counterpart at Boston Children’s Hospital read on a blog that the hackers known as Anonymous were planning a cyber attack on the hospital. The hospital’s information security department was able to put in place safeguards that thwarted the attack.

Following the forum, Avakian and Gallicchio offered some tips to help individuals improve their own information security.

  • Use strong passwords of at least eight characters that employ upper and lower case letters, numbers and symbols, and use different passwords for different accounts.
  • Never click on a link. Copy and paste the link into a search engine. Links can contain viruses.
  • Never use your Social Security number as an identification number.
  • Install commercial anti-virus and anti-malware software.
  • If you are prompted by your software system to update the system, do it.
  • Encrypt your wireless network.


Thiep Pham, president of the Greater Lehigh Valley Chapter of the Association of Information Technology Professionals, acted as facilitator. Chitra Nayar, a lecturer in management at Lehigh, is advisor to Lehigh’s Business Information Systems Club, and John Kalafut is club president.

Story by Margie Peterson
