My colleague Jason Krause has been writing about technology since around 1995, starting with the now-defunct BYTE magazine. He remembers covering such great, forgotten controversies as the Great Browser Wars of the late 90s, the Y2K bug, and, who can forget, the Furby.
One topic that was fresh in the late 90s but hasn’t gone away is computer hacking. Back in 1998, Jason wrote his first long article about cybersecurity and, at that time, it was still a somewhat novel concept. Sure, Matthew Broderick had hacked the Pentagon in 1983’s WarGames, but the first real, major, internet-based hacking didn’t happen until the Morris Worm in 1988.
In the September 28, 1998 issue of The Industry Standard, another obsolete publication, he wrote a story called “You’ve Been Hacked” following a spectacular breach of The New York Times.
Today, Jason and I wanted to see how state-of-the-art technologies and cybercriminal activities have advanced since then. That’s why we've collaborated to write this story to explain what has and hasn’t changed in the world of cybersecurity in the last two decades — a then-and-now approach. I've been a systems engineer, network administrator, and vCIO since 1994, and Jason has been reporting on technology for almost as long, so we've seen firsthand how cybercrime has evolved.
Build a Firewall
What Jason said in '98: A firewall installed and maintained by an outside vendor can cost as much as $10,000; it can also be built with free software available on the internet. Building a firewall, even a freeware firewall, demands a knowledgeable staff, many hours of labor, and a comprehensive security policy that details what types of traffic and visitor access are permitted on your site.
What I say today: A traditional firewall is no longer sufficient as the only tool protecting a network. Managed services are key to keeping any firewall effective, because threats and risks change constantly. In addition, new software tools are available to protect individual computers, and awareness training is available for your employees.
Plug All Holes
What Jason said in '98: Be aware that operating systems used on web servers come with unnecessary and unsecured features, such as sendmail, printing, and FTP. “It’s like owning a house with a bunch of open doorways you don’t even know about,” says Adam Block, director of product development for PC World.
What I say today: Using risk assessment software to identify threats and vulnerabilities is a critical step in managing today’s risk. The complex nature of today’s vulnerabilities demands that each device on a network be monitored for compliance with risk management strategies.
Use Encryption
What Jason said in '98: Make passwords, credit card information, and confidential information difficult or impossible for hackers to reach. Ecommerce encryption is not expensive to deploy. A digital certificate from a company like Verisign costs several hundred dollars, not including an annual licensing fee.
Using certificates, sites can protect personal data and credit card information while it travels from the customer’s browser to a company’s server. Once on a server, a network administrator should move information to a private server as soon as possible to prevent theft. If hackers gain access to passwords, they could watch all unencrypted information that moves between private and public servers.
What I say today: These are still valid concerns, although cybersecurity has evolved. Website encryption is still vitally important, but it is a separate topic from password practices, and we know that computer criminals are looking to take advantage of poor password practices.
Devise an Early Warning System
What Jason said in '98: Web administrators swear by a number of freeware products that can help detect an attack. These software packages block any traffic that appears malicious or clandestine and are most effective in stopping automated hacker tools that probe networks for weaknesses. “You can’t just buy something out of a box, press a few buttons, and have a secure website,” warns Bill Heiser, manager of systems engineering at Wired Digital. “You always need to have the latest patches, operating systems, and services.”
What I say today: Similar to web servers twenty years ago, Windows servers and desktops today need appropriate tools to detect malicious activities and respond accordingly. This is more than just employing antivirus software. Newer, more advanced tools today analyze the behavior of these systems and can detect ransomware, unauthorized users, unauthorized data transfers, and other types of malicious activity. Of course, making sure the latest patches and security updates are in place is still just as important.
Secure Your Servers
What Jason said in '98: Brian Fellows, a senior network engineer, is more fearful of internal hackers than those who enter from the outside. “These days, companies have any number of consultants, contractors, and corporate partners coming through their offices,” he says. “The only way to contain security risks internally is to put access control policies in place and to put vital information on separate, tightly controlled servers.” No matter how stringent your network defenses are, they won’t do any good if someone can walk into a building and get physical access.
What I say today: Critical data is now available anywhere with cloud technology, but internal threats remain one of the most vulnerable points for any data system. Internal causes of data loss may include Shadow IT, accidental deletion of data, lost or stolen mobile devices, and unsuspecting users who fall victim to phishing scams. Planning how data is stored, reviewing the tools that protect it, and making sure you have use policies in place are all needed to reduce the risk that internal threats pose to your data.
Hire an Outside Expert
What Jason said in '98: “Unless you can hire a full-time security expert, you’ll need a trusted, outside expert to audit your systems,” says Jon Udell, a well-known computer programming blogger. “Most small startups just don’t have the manpower to troubleshoot a system when they’re trying to get off the ground.”
Once a hack is discovered, don’t panic. Many hackers are only in it for the sport. Some hackers will leave a message bragging about how easily they hacked into your server or offer their services to plug the same security holes they exploited. “I hate to admit it, but there’s no silver bullet for taking out hackers,” says Udell. “The problem is like chaos theory. There’s an incredible amount of seemingly random internet traffic out there, and you’ve got to decipher which is suspicious and which is normal.”
What I say today: The problem we face today is the lack of available security experts — no single company can take on data security by itself. Utilizing managed IT ensures you are working with a provider that has invested in security expertise and can make it available through economies of scale. A virtual Chief Information Officer (vCIO) can work with you to implement risk mitigation plans and software tools and offer the resources needed to mitigate the cybersecurity risks we face today — and tomorrow.
We’ve come a long way in twenty years. Unfortunately, so have cybercriminals. In 1998, a lone hacker caused an incredible nuisance when he hacked The New York Times. However, cybercriminals today have become adept at stealing, extorting money, and causing millions of dollars in damages, not just creating a public embarrassment. The good news is, more sophisticated tools and practices help head off these criminals — when properly used.
If you’re concerned about your potential vulnerabilities, connect with the Managed IT cybersecurity team at Elevity.
About the Co-Author
Jason Krause has been a technology writer for more than 20 years, beginning his career in Silicon Valley as an editor and reporter for technology magazines. He is now the Marketing Content Writer for Troyka-TC.