If a stranger walked up to you and asked for your first name, would you give it to them? Probably. How about first name, last name, and your date of birth? Maybe. But would you dare hand over your name, date of birth, and social security number? The answer seems obvious -- of course you wouldn’t -- but cybersecurity experts warn that’s exactly what a lot of people are willing to give up to complete strangers in the digital world just for the asking.
A group of cybersecurity experts from law enforcement and industry gathered at Lehigh University’s Iacocca Hall on October 4 for lectures and a panel discussion on cyber threats and trends, cybercrime prevention, best practices to minimize risk, and how education plays a critical role in keeping consumer and organizational data safe from prying eyes.
“It’s all about getting people to think ‘What reason am I being asked for that information?’” said Rich Stoneberg, chief information security officer at Netizen. “If there isn’t a good reason, don’t give it out.”
Chuck White, a principal founder and creator of Fornetix, an advanced encryption key management firm, said the role and responsibility of end users in preventing cyberattacks cannot be understated. “All the technical controls we use to protect consumers’ data won’t help if they click on a link and it causes a system to cough up all the keys.”
Organizations need to make education a priority, according to Brad Rightmyer, networking and security practice manager at IntegraONE. “The problem of social engineering persists and it’s ultimately the user’s responsibility to be skeptical and ask questions,” he said. “Once you get trust, you get everything.”
Prior to the panel discussion, Forsyte IT Solutions cloud engineer Wesley Blackwell traced the evolution of phishing and other types of threats, and described multi-layered approaches to securing sensitive data, stressing that hardening systems against cyberattacks through technology only goes so far. Blackwell explained that “locking the front door” and running antivirus software were still no match for the 2017 Emotet virus that struck the City of Allentown when a municipal employee clicked a malicious link in an email, unleashing damage to vital systems that ultimately cost the city over $1M to remediate.
Though considered a relatively new economy, cybercrime is quite lucrative. Stoneberg noted that international cybercrime now produces a GDP larger than that of some countries. “It’s no longer the kid hacker in his mom’s basement,” he said. “They don’t have to write their own code. They can go on the darknet and purchase it.” The trick to reducing risk, he said, is to make yourself and your organization an unprofitable target for information and identity theft so that bad actors go elsewhere.
Guest speaker Brian Kearns, a detective with the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), described the state’s task force approach to cybersecurity training and outreach with an emphasis on prevention. Through its Regional Operations Intelligence Center (ROIC), the state coordinates threat intelligence-gathering in the same way it tackles gangs, border violence, narcotics, homicides and terrorism, partnering with the Office of Homeland Security, postal inspectors, the Secret Service, state security analysts, and others. In what Kearns called “virtual overwatch,” the state collects raw data in real time from blogs, social media, Google searches, and the dark web. “We’re looking to see what the chatter is, what are the new vulnerabilities,” he said.
The ROIC team routinely meets with municipal employees, health professionals, and even senior citizen groups to share best practices and techniques for understanding vulnerabilities and preventing cyberattacks. The key to getting the word out and people taking advice, Kearns said, is to “make information easily available, digestible, and distributable.”
Moderator Colin Foley, Lehigh’s interim chief information security officer, asked the panel how best to train students and employees about threats and risks to data and computer systems.
Stoneberg suggests having what he calls a “healthy paranoia” about threats, stressing to end users that even if they think there’s nothing valuable on their computers, “their identity and reputation have value,” and allowing their accounts to be compromised can open the door to bad guys getting at the credentials of someone else.
Kearns cautioned that users will always want to find a way around security rules to do what they need to accomplish and it’s important they understand the risks. “People are your biggest vulnerability,” he said. “Cybersecurity is everyone’s responsibility.”
The event was co-sponsored by the Lehigh Valley Association of Independent Colleges (LVAIC) and Library and Technology Services as part of Cyber Security Awareness Month programming throughout the month of October.
Photos by Dana Yurgosky