Cyber defence starts at company's reception, former hackers say

15 July 2016

Companies should deploy cyber defence technology, but some former hackers say strengthening the “human firewall” is a far more robust way to mitigate attacks.

Penetration testers (people who test a company’s security for a fee) say they can break into any company, anywhere. Given enough time and resources, no target is safe. That doesn’t mean security is unattainable, though, and there are simple steps companies can take to mitigate the chances of a breach.

A lesson from the testers is to teach staff about information security. An aware staff member can be the difference between a company being an easy steal and one that scares the hacker off, rather like a pit bull. After all, hackers are as lazy as everyone else and prefer the low-hanging fruit.

Infamous but reformed hacker Kevin Mitnick is now a well-known penetration tester and educator. He was one of the first civilians to use computers for nefarious purposes in the days of the early internet. He is now the chief hacking officer for US-based KnowBe4, a security awareness training company that helps staff avoid the psychological tricks used by cyber-attackers. KnowBe4 must be doing something right. It registered consecutive growth for a record 12 straight quarters, working out as 1600% growth from the second quarter of 2014 to the second quarter of 2016, according to company records. Mr Mitnick says business is booming not only for the “black hat” hackers – whose ransomware attacks alone are worth an estimated $US100 billion per year – but also for the “white hat” hackers.

“In the beginning, people hacked as a hobby. But today the trend has completely changed.

“Some are hacktivists with a political message while others are tied to criminal organisations and are essentially businesspeople with an entire supply chain for cyber-attacks.

“Then there are the good hackers, people like myself and others who try to find vulnerabilities in security devices, web applications and network servers to educate our clients about security holes to prevent future exploitation,” says Mr Mitnick.

Certainly, black hat hackers would hope to recruit a company systems administrator. Those positions normally hold all the keys to all the digital doors, and often have access to a variety of email accounts and other systems of interest to those conducting corporate espionage. That said, to a competent hacker any staff member could be recruited to help carry out a cyber-attack. The ultimate responsibility for security should certainly stop at the board level, but Mr Mitnick says that’s not an excuse to avoid encouraging and training everyone from reception to IT to act as individual points of defence for the entire organisation. Relying solely on technology will not protect a company, he says.

“There is no such thing as complete security. But it’s important to understand how criminals think. It’s true that almost nothing will deter hacktivists. However, criminals are looking for the low-hanging fruit and do respond to disincentives.

“They do a cost/benefit analysis about how much time and energy it will require when engaging a target to make a profit.

“The only thing that would deter them will be if the cost of an attack is higher than the profits they will make. If it’s too high, they’ll go on to the next guy.”

Another semi-reformed white hat hacker, Joerg Buss, now working in a similar role at New Zealand-based Origin IT as its chief information officer, offers some key ideas on how to change the staff mindset towards becoming more security conscious.

His thoughts are gathered directly from his many years of success trying to break into companies – both as a white hat and black hat hacker.

“Humans are group animals. They like to be with others. So, if most of the staff can be convinced, the few remaining ambivalent others will probably follow the crowd. It’s the same thing that happens when someone influential gets a new, trendy haircut. Suddenly everyone’s cutting their hair with the same style.

“Threatening their jobs for non-compliance won’t work. I prefer positive incentives. So if someone comes up with a good idea, they might get $50 or a voucher. I have four children. Fear and force don’t work as motivation. But giving them something or pointing out reasons is much better. So that’s what I’ve tried to implement in New Zealand,” says Mr Buss.
