Nortel investigator: 'We need a Fort Knox mentality about security'
A former Nortel security adviser says he spent years trying to track down hackers who had infiltrated the company, one of Research Triangle Park's largest employers at the time. He even asked his bosses to bring in the FBI, he says, but his warnings weren't taken seriously enough.
Now, Brian Shields is using what he learned from Nortel’s 2004 hacking and eventual demise to warn others about how easily secrets can be stolen. He often speaks to security groups and has appeared on CNBC, the BBC and other international media outlets.
“Hackers are what brought Nortel down,” he said. “It ought to be very scary to every company in this country that has any concern over the info they have in their networks.”
Nortel’s hackers were discovered in 2004 when an employee noticed what looked like an executive trying to download his documents. As it turned out, the hackers had stolen seven executive passwords and had been deep in the system for an unknown period of time.
“It all looked legit, and you would not have suspected that anything was wrong,” Shields said. “We spent a lot of time trying to figure out how our CEO’s account and a senior vice president’s account were compromised, and we couldn’t figure it out.”
What he does know is that one security lapse caused Nortel, a telecommunications giant with about 9,000 employees, to collapse. Shields says he suspects the hackers were Chinese because a Chinese competitor suddenly started offering cheaper products and services that erased Nortel's income.
“There’s no doubt in my mind that this was going to Chinese competitors, because all of the sudden they are on the market and winning everything,” he said.
The key to understanding the phenomenon of hacking, especially in China, is understanding cultural differences, cyber security experts say. In China, many see hacking as being patriotic. Hackers are treated like celebrities and many believe information should be in the public domain. Chinese officials say they are cracking down, though, and recently added computer crimes to criminal law.
A private security group recently traced a number of attacks to a 12-story high rise in Shanghai.
“When you don’t win the multi-billion contract because you have someone underselling with cut-throat prices, you’re not going to win,” Shields said.
Shields says he thinks hacked networks, like any other break-in, should be treated like a crime scene. Otherwise, company secrets, plans and conversations can vanish, virtually undetected.
“I want to speak out. I want to get the word out that things can be done. We need a Fort Knox mentality about security,” he said.
Retired FBI agent Greg Baker has helped RTP companies deal with cyber threats and says everyone should be concerned, especially “if your retirement plan is tied to one of those 401ks.”
Companies with proprietary intellectual property, formulas or convertible assets, such as credit card or financial data, are large targets. If these companies are in litigation, then their lawyers are targets, too.
The top two risks are lost laptops with sensitive data that is not encrypted, and untrained staff opening email attachments with hostile code. Companies should encrypt sensitive information, whether it is stored at the company or being transmitted across the Internet. All staff members need to be trained at least annually on how to protect information under their care and control.
While traveling, it is best to only take new laptops with no company data and to use web-based email using SSL protections. Look for the lock on the browser window and use the SSL connection whenever possible when sending your logon information. Some people set up a new email account and use it just for a short time, maybe only one trip, in case it is compromised. Always change account passwords to systems that you access internationally in case your logon was intercepted.
Training is an excellent start to creating an environment that protects sensitive information. Having an external expert review your security procedures is also a best practice. Reviewing logs on servers for bad activity is critical to a security program's success. Have a written incident response plan in place before an incident occurs. Policy, policy, policy: written policy that is communicated to staff is critical, and a low-cost best practice.
People are the weakest link in security. The firewalls are a necessary technical control, but like doors in your home or business, the hackers will look for other ways of entry, even being invited in by your employees who have not been properly trained to understand the risks to your sensitive information.
Copyright 2024 by Capitol Broadcasting Company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.