Inside the mind of a hacker
Understanding why cyber criminals want to attack your business should be a key component of your security strategy
Falling victim to a cyber attack is alarmingly expensive. According to the latest research by IBM Security, the average cost of a data breach across UK businesses increased from $3.68 million (£2.8 million) in 2018 to $3.88 million (£2.95 million) in 2019, which is the sixth-highest cost globally.
With growing threats, the cybersecurity of your business needs to be robust, integrated and comprehensive. As the cyber threat landscape is extensive and diverse, understanding why your business is being targeted is vital. With these insights, you can create a bespoke defence.
Also, as large enterprises have expanded their security parameters, this has strengthened their defences. The result is hackers have switched to targeting smaller businesses and the number of attacks is growing. According to business consultants and insurance brokers Gallagher, nearly a quarter (24%) of SMBs reported a crisis event last year, up from just 5% the previous year.
James Plouffe, a strategic technologist at MobileIron and former technical consultant to TV show Mr Robot, tells IT Pro: “The nature of the hacker has been one of constant evolution and, to some extent, hackers have always been able to remain ahead of technology. In recent years, the advancement and uptake of cloud computing have eroded the traditional network perimeter, providing hackers with an ever-increasing number of access points to enterprise resources to exploit. The standard equipment used to secure the traditional network perimeter, such as gateways and firewalls, are no longer fit for purpose.”
The mind of a hacker is filled with technical knowledge and skill. However, much of a hacker’s toolkit is a deep understanding of the cognitive weaknesses we all have when using technology.
Tricking people into revealing passwords by gaining their trust is a tried and tested way to gain access to your company’s systems. These kinds of vulnerabilities are the most worrying for businesses, as often, the human component of their enterprises can’t be controlled in the same way that anti-malware software, for instance, can. Here, developing a multi-layered approach to security will help your business defend against a hacker attack.
Black hat, white hat
Monetary gains are the primary motivation for hackers working today. Organised criminal gangs have expanded over the last few years, reflected in the growing instances of cyberattacks. Hackers are, though, also driven by a psychological need to pit their minds against the security of large networks, just to see how far they can penetrate these systems.
White hat hackers, meanwhile, are helping businesses locate bugs and other flaws in the code they are creating. Members of the ''bug hunting'' community of hackers can earn more than $500,000 a year, spotting issues within systems before malicious hackers can exploit these vulnerabilities.
Explaining the motivation of hackers today, an ex-hacker who now performs penetration testing for Rapid7 who asked to remain anonymous tells IT Pro: “Many ethical hackers are like-minded and often are driven by many of the following reason beyond financial gain. For the most part, malicious hackers are primarily driven by financial gain. This is because of the challenge hacking poses; being able to manipulate the technology to bypass security controls, or make the technology do something it was never intended to be used for.
“Another driver for ethical hackers is being able to help make security better by discovering the failures and working with vendors to make it better. By working with vendors, ethical hackers are also learning about new technologies and how they operate. This helps grow their skill set, allowing them to accomplish fame and notoriety amongst cybersecurity vendors and hackers alike.”
Often, hacking is not just a brute force attack on a system. The human component of security is often where vulnerabilities are located. Is hacking now more about social engineering than innate technical expertise?
“The human factor is often the weak point, and social engineering is the typical tool to take advantage of that weak point,” he explains. “Social engineering often does not require any advanced technical skills and is the quickest and easiest method to compromise an organisation. Although with proper training and education, this weak point can be reduced but not eliminated. However, if training is combined with solid incident detection and response (IDR) solutions, organisations can greatly reduce the risk and impact of these types of attacks.”
As businesses adopt technologies including the Internet of Things (IoT) and 5G, how can they protect themselves from hackers? “New advances in technology are always going to be at our doorsteps. So, these edge networks are no different – the same concerns will be just around the corner with our next steps forward.
“That being said, like all technology, we must continue to fight the battle by leveraging the best security practices, and by continuing to focus on industry accepted encryption and proper endpoint security. Although we may need to rethink how we do some of these in general, for the most part, I think ethical hackers can help us discover and make those decisions.”
Safe and secure?
As your business continues to digitise, the threat landscape expands. Technologies, including 5G and IoT, will deliver new security challenges your business must meet. Hackers are ready and waiting to exploit any security flaws in these burgeoning technologies.
Robert Schifreen, a well-known former hacker turned security awareness trainer, tells IT Pro: "IoT is already a problem, and it's going to get worse. Every vendor wants their product to be internet-enabled, and to work straight out of the box, so they rush them out the door with inadequate security — little or no authentication, default passwords, and so on.
“There was a casino in Las Vegas whose network got hacked via the thermostat in its fish tank! In a few years, every central heating boiler, every light bulb, every traffic light, every fridge, every car is going to have an IP address. But car companies are putting a lot of money into security, and they're petrified of the negative PR impact that hackers could cause.”
The Hollywood variety of hacker hunched over a keyboard in a dimly lit room is an aspect of security penetration. However, it's clear that the human component of your business is its weakest link when securing your systems.
“About 70-90% of all successful malicious hacking happens because of social engineering,” explains Roger A. Grimes, author of Hacking the Hacker. “So, it’s by far the biggest threat out of all types of hacking. But technical attacks play a role in 20-40% of all hacks as well. Hacking by social engineering is so easy to do that most white hat penetration testers I know don't want to use it as it's too easy and too boring.”
If your company’s systems are open to attack, what practical steps can you take to mitigate these risks? Kevin Curran, a senior member of the IEEE and professor of cyber security at Ulster University, advises: “The first line of defence to stop many attacks is to educate employees about the dangers of clicking on links. However, only a fraction will listen and learn. It generally takes making a mistake for people to learn, yet this means it can already be too late.
“There is a new movement where security teams send phishing emails containing fake malware to their employees, which when activated simply leads them to a site telling them about their mistake and educating them on the dangers of what they did. Education is crucial.”
MobileIron's James Plouffe adds: “To future-proof their organisation against hackers, businesses should look to implement a zero-trust security architecture. It assumes the worst – that everything, both inside and out of an organisation's perimeter is compromised. It, therefore, enforces a ‘never trust, always verify' approach requiring anyone and anything attempting to connect to an organisation's network to be authenticated and authorised. It is a direct reflection of the post-perimeter environment we find ourselves in today and is the only way organisations can future-proof their protection from hackers.
Hackers represent a clear and present danger to your business. The reasons they want to break into your company's systems are manifold, but whatever the hacker’s motivation, organisations need to take practical action today to protect their systems.
Four cyber security essentials that your board of directors wants to know
The insights to help you deliver what they needDownload now
Data: A resource much too valuable to leave unprotected
Protect your data to protect your companyDownload now
Improving cyber security for remote working
13 recommendations for security from any locationDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now