President Obama has been sounding the alarm recently about the threat of cyberterrorism and cyberwarfare. At a recent fundraiser, he said that the White House is bracing for a possible “doomsday scenario” where hackers crash our banking system, wipe out the identities of millions of people through a breach of government systems and disrupt the delivery of power through an attack on our power grid. One can only speculate as to why the president would bring attention to this “doomsday scenario” now, in the midst of headlines filled with news of Ebola, ISIS and tensions in Ukraine and elsewhere, but there is ample evidence that cyberterrorism and cyberwarfare are a current reality, not a future threat. Take the recent attack on J.P. Morgan, for example.
More than 83 million customers of J.P. Morgan had personally identifiable information stolen last summer. The bank has been quick to point out that no account numbers or Social Security numbers were part of the breach and that no accounts have been affected. What this points to are attacks down the road with more malicious goals in mind. We have all probably received “phishing” emails where the bad guys try to get us to click on a link to change our password or divulge sensitive information. The term “phishing” is a play on the word “fishing.” While fishing in the Ozarks might yield a trophy bass for mounting or a good mess of crappie for a fish fry, the goal of “phishing” online is to get the target to click on a link or divulge sensitive information. Phishing scams are becoming more sophisticated all the time. Cybercrooks have moved beyond simple email scams to using text messaging and phone calls to try to deceive their victims. My wife received a call from the “customer service” department of our bank here in the Ozarks, some time back, asking for account information to verify account ownership. Quick thinking on her part (she is a very smart lady), and the sense that something just didn’t feel right about the call, led her to hang up on the caller and immediately call the customer service department of our bank. Sure enough, the bank had been the victim of a “phishing” scheme involving phone calls like the one she described.
In thinking about these attacks and others, we have to remember that the goal of terrorism is not to win a military victory but rather to instill fear (terror) in the lives of those whom terrorists perceive to be their enemies. We have been blessed in the United States (and even more so here in the Ozarks) to live lives relatively unscathed by the daily terrors faced by many around the world. The freedom to worship freely, travel relatively worry-free and conduct the business of our daily lives without the fear of attack has become something that many of us take for granted. We can continue to enjoy that quality of life, even in the midst of the global chaos, by being mindful of how we conduct our affairs, especially online. This does not mean that we live in fear, rather that we live with awareness. Monitor your online accounts, particularly your financial accounts. Report suspicious activity immediately, whether it be a “phishing” email as described above, a text message asking you to click on a link or an unexpected phone call asking for personal information.
The simple act of you reporting these incidents provides security teams with the information they need to respond. Security teams are in a steady-state loop of preparing for and identifying the next incident. Once they are able to do that, they can contain the incident, eradicate the threat and move on to recovery and lessons learned. You are a key piece of that puzzle.
This article appeared in the January 2, 2015 issue of the Springfield News-Leader.
Shannon McMurtrey, Ph.D., is director of Missouri State University’s master’s program in cybersecurity, as well as program director for the master’s in computer information systems in the department of computer information systems. Email: shannonmcmurtrey@missouristate.edu