Cyber crime has become an increasing priority for the Federal Bureau of Investigation.
Richard T. Jacobs, assistant special agent in charge for the FBI, spoke at length during a seminar hosted by the Securities Industry and Financial Markets Association in New York on Tuesday about cybersecurity threats and how firms can better protect themselves.
“Cyber has been one of the most challenging environments for me to operate in, and because of that complexity and level of challenge, our director has made cyber a priority for the FBI,” Jacobs says.
Jacobs, who has been in the bureau for close to 17 years, supervised a high-profile securities fraud team, which successfully handled the investigations of Bernard L. Madoff and Galleon Group.
In 2014, he helped establish the Financial Cyber Crimes Task Force, a multi-agency initiative operated out of the FBI’s field office in New York that targets financially motivated cyber-criminals and technology-based fraud schemes. This task force was one of 56 that the FBI established in field offices nationwide as part of the Next Generation Cyber Initiative, which focuses on combating the growing threat of cyber crime.
Jacobs believes it is the whole nation’s responsibility to defend against cyber-adversaries, which is why he stresses the importance of collaboration between the private sector and the FBI.
“I realize that for many of you one of the first calls you’ll make is a third-party security and forensic company — obviously they’re very good at what they do,” he says. “Once you’ve sat at the table and determined what your next step is going to be, we should be one of the first phone calls where we can talk about what we think should be done and how we can work with you.”
Before a breach in cybersecurity even happens, there are things that can be done to better protect a company’s security. Here are four tips gathered from Jacobs’ recent speech in New York:
1. Be aware of the four different types of attackers.
The FBI’s first goal when investigating a cyberattack is to try to attribute it to a perpetrator. The FBI categorizes attackers as either “state-sponsored,” “criminal,” “hacktivists” or “insiders.”
State-sponsored actors are groups that are acting on behalf of a foreign power to cause harm or gain political, economic or military advantage, Jacobs says.
“They do that either by stealing sensitive information they can use in the future or engaging in something more destructive – deleting your data, as we saw in the Sony case and many others; conducting denial-of-service attacks that make your networks basically inoperable; and we’re also seeing an increase in cyberterrorism.”
Meanwhile, someone who would be considered a criminal actor is typically motivated by profit, Jacobs says.
“Many of these criminal groups are equally as sophisticated, if not more sophisticated, than some of the nation-states out there,” he adds. “Because of that, many of these criminal actors are actually recruited by foreign governments to help them with their operations. So the lines between the two are not very clear. If we investigate a breach and it’s a very sophisticated criminal actor it may give the appearance of a nation-state. Sometimes it takes a lot more research to determine: Is this breach criminal or is it national security?”
Meanwhile, “hacktivists” are individuals who hack in order to send a political message, Jacobs says.
“They’re not looking for profit,” he adds. “They’re looking to harm a particular industry, expose a particular company or simply get their message out. Most of the hacktivists are not terribly sophisticated.”
They engage in low-level attacks, like a “simple” malicious website or doxing. Doxing is when someone searches for and publishes private or identifying information about a person (often high-profile like an executive or a government, military or law enforcement official) on the Internet, usually on a criminal forum.
The most common type of breach comes from an unintentional insider. There are two kinds of insiders, according to Jacobs.
“One is the malicious insider who intends to cause harm and has access to your resources and the other is the unintentional insider who just does something silly,” he says. “They open up an email they shouldn’t open up. They click on an attachment, a website they shouldn’t and now they’ve affected your network. That happens quite often.”
2. Make sure your employees are aware.
Employees are “the weakest link in your security chain,” Jacobs says, adding that employees and personnel are a “very big problem to manage.”
“How do you stop an employee from doing something stupid?” Jacobs said. “Awareness and training, it helps. That’s probably the best you’re going to be able to do, but at the end of the day if a very skilled and well-crafted spear-phishing email comes their way, there’s a good possibility someone is going to open it.”
Jacobs stresses the importance of holding regular training and awareness programs at least once a year so employees know what cyberattacks could happen and how they should react.
This training should also include social media, he says.
“A lot of info that is posted on social media can be valuable information about your company,” Jacobs explains. “So, if I am the director of IT at your company, and I have a Facebook page or I have a LinkedIn page, I might mention that I am the director of IT for this company and I specialize in these four protocols, types of software, types of hardware, what-have-you.”
This type of information, he says, would give an adversary some understanding of what exists on a company’s network and what might be vulnerable.
“Oftentimes, if too much information is provided by an employee about a company on social networking pages that will be used against you,” Jacobs says.
3. Assess your vulnerabilities, and conduct regular risk assessments.
“What data does my company hold? And of that data, which data is more valuable than others? And of the assets I have, where does that data sit?” Jacobs explains. “That’s your starting point in determining what your vulnerabilities are and what you should spend more focus and money to harden and address.”
Once a company’s vulnerabilities are determined, a company should conduct a risk assessment to determine whether the level of risk is warranted on that particular data or asset.
Jacobs says a company should ask, “What is the impact if this particular asset or this particular data were breached?”
The risk of a potential attack may appear high, he adds, but the data at risk may not be particularly important to the firm.
“Let’s say it’s information on the year-end Christmas party. If that got out would it be that serious to the company? Probably not,” Jacobs says. “So, you would look at the impact and if the impact was low you probably don’t want to spend a lot of time on it.”
Risk assessments should be done by a company’s IT department on a regular basis, and Jacobs also suggests that a company’s vulnerabilities should be assessed at a “very granular level” on a regular basis.
4. Protect yourself by doing these things.
Jacobs had several suggestions for how companies can better protect themselves.
He says every employee should have on their desktop a legal banner that says, “You have no expectation of privacy on this network.” This helps protect a company from a lawsuit.
“If you don’t have that [legal banner] and something happens and you turn that data over to someone you may open yourself up for a lawsuit,” Jacobs says. “I’m not a lawyer but I’ve seen it happen.”
Jacobs also suggests “acceptable use agreements” for employees to sign that would help establish that “there are certain things you’re allowed to do, certain things you’re not allowed to do and at any point in time we can dump your computer and find out what’s on it.”
In addition to these agreements, Jacobs says, companies should also have corporate policies in place — and enforced.
“The financial sector is probably better at this than most others, but you need to have corporate-level policies that are distributed [and] signed if possible by your personnel,” he says. “The important thing here is, it’s not just an administrative exercise. They need to be enforced.”
Jacobs has seen organizations that lack corporate policies – letting individuals do whatever they want – and, later on, the firm wonders why there was a breach.
“Those policies are critical to set the tone for the organization, but if they don’t see enforcement they probably will not be complied with,” Jacobs says. “Make sure you’ve got a good foundation with your corporate policies, people are reading them, signing them, complying with them and there are penalties for those that don’t.”