There is no such thing as a computer network that has not been hacked or compromised, a leading expert said on Nevada Newsmakers.
“The experts today say there are only two types of computer networks,” said Ira Victor, digital forensic analyst for DiscoveryTechnician.com. “Those are networks that have been compromised and the owners of those networks know where they have been compromised, how far and what data; and networks that have been compromised and the owners don’t know where the compromises are and how far they have gone in and what data.
“We are at that point and with the experts, that is pretty much the consensus on that opinion,” Victor said Monday. “All networks are compromised and it’s just how much you know about it and how much you don’t.”
Businesses and other entities with computer networks can be compromised without being aware of the hack, Victor added.
“They do other types of techniques that are exploiting the networks but they keep a low profile so that the people that are running the business or working the business have no idea,” he said.
Firewalls and other computer security services are not security blankets for computer systems, Victor said.
“So anti-virus (programs) and firewalls, you want to have them but they only offer very minimal protection,” he said. “They do not keep the bad guys out of your network.”
Victor, who has testified about cybersecurity at the Nevada Legislature, said the state of Nevada (and many businesses) can’t afford to secure every bit of information in their systems. Those entities should therefore concentrate on the most important data that needs protection.
“The first thing I would suggest for the state (of Nevada) is that the state needs to have an inventory of what information they have and rank it in terms of the most valuable information and start concentrating their resources on protecting the most valuable information,” Victor said. “Guess what? That is a recommendation I have for all businesses and all organizations.
“If the bad guys are in your network — and they are — and if they are there persistently — and many times they are — then it is often not cost-effective to protect everything, every little shred of information and every single communication in your network. So we need to rank them and say, ‘What is our most valuable asset? What are our crown jewels?’ And then, concentrate our resources on protecting our most valuable assets.”
Business and government don’t earmark a lot of money toward cybersecurity, Victor said.
“We’re not going to get a lot of money for information security,” he said. “Let’s just be realistic about this. It is the same as in business. So you’ve got to concentrate your energy on the crown jewels — the most valuable information — and acknowledge that is what you are going to do.”
“Information Technology,” or IT, is not the same as information security, Victor said.
Culturally, the people in IT are taught to deliver services on time and on budget.
“The cyber criminals are breaking into networks with such frequency and such ease that they don’t always exploit that network right away,” Victor said. “So if we have less than $10,000 to spend, we figure out a way … so we’ve got to ‘stand up’ those systems, as we like to say, and deploy them and do the best we can with the $10,000 we have over the next three years. That is the culture of IT.
“In information security, we look at risk, our culture is about risk,” he said. “What is the data we have? What are the risks? How do we mitigate those risks?
“And then we go to our decision-makers and say, ‘Here are the risks. Here are the liabilities. If you want (to) protect that data, here are the steps that need to be taken.’”
When government agencies or businesses try to protect all their cyber information, that is a good thing for the “bad guys,” Victor said.
“There is a laundry list of valuable information that organizations have,” Victor said. “And they are not doing enough to protect it. Now some of it has to do with economics. It’s expensive. That is why we’ve got to concentrate our efforts and say, ‘Hey, these are our most valuable information assets and we’re going to protect them and really do a strong effort to do so.’ And we are not going to stop the cyber criminals until we do that. I mean, bad guys are having a field day because we’re saying, ‘Well, all of our information is valuable,’ and then none of it gets well protected, or not enough of it gets well protected.”
Ray Hagar is a journalist for “Nevada Newsmakers.” More information on the public affairs broadcast program, podcast and website is available at nevadanewsmakers.com.