Media coverage of large scale hacking incidents, popular fiction and recent movie blockbusters are capturing a wide audience. Growing interest in this genre suggests people are becoming aware of the cyber threat, but the belief ‘it won’t happen to me’ is arguably still common.
However, before we attempt to change the minds of potential victims, we must first explore the profile of a hacker. Coincidentally, my social network enabled me to call upon a friend, an application developer for a London-based investment management firm, who kindly agreed to be interviewed on the subject.
Tell me a little bit about what your role involves
I’m responsible for building systems to share and manage proprietary trading data across offices in Hong Kong, London and New York. My career began at 15, when I landed my first job identifying and securing vulnerabilities in websites; having come across a security hole whilst browsing the internet, I emailed the company to not only let them know they had a problem but also how to fix it.
Have you any facts and figures to put your company’s cyber vulnerabilities into context?
Absolutely; in the last hour we’ve been scanned for vulnerabilities 3000 times and have had 30 denial-of-service attacks.
What do you believe motivates people to hack?
There are three motivational themes for a hacker: curiosity, freedom and money. Curious probably describes the largest group of hackers who generally fit under the ‘script-kiddies’ category. These individuals trawl the internet for available exploits in newsgroups and websites to see whether they can hack into random computers around the internet. This is usually done for fun, to impress friends and to learn the basics of computer security.
Hacktivists hold the belief that all information should be completely free and entirely accessible. This group may have a political agenda where their goal is to vandalise systems to make a statement. It’s difficult to categorise money as it doesn’t necessarily speak to the mind-set of the hacker. However, there are many reasons someone would pay a hacker, for example, to obtain money fraudulently, to steal bank account information, or to modify computer data.
Could you explain the types of defences necessary to prevent hackers gaining access to a company’s network?
From a computer standpoint, the major defence is to keep all applications and operating systems up-to-date and to expose as little as possible to the internet using firewalls.
Where does the human factor come into your organisation’s security defences?
The human aspect of information security is always going to be the weakest link by far. From the social standpoint, we don’t face as many risks as many larger corporations. Everyone knows everyone else so employees are habitually vigilant if they see or speak to someone they are not familiar with. However, in a larger corporation this is potentially a much larger problem. Social engineers pose the largest threat.
Imagine someone calls you saying they are in the IT department and require your password to fix a technical issue; there are not many people who would naturally challenge a request like that from the IT department. A criminal targeting a company with 5000 employees whose IT is outsourced to another country need do little more than pretend they are based in IT to gain access to thousands of passwords.
Can you explain how these sorts of activities apply to the lives of the general public?
The media focuses its attention on the technological aspect in computer security, which on one hand means these processes are kept up-to-date, but on the other, it doesn’t help to change the public’s perception of online security as someone else’s responsibility.
Just today I made a call to my mobile phone provider and the only information they required to prove my identity was my name, mobile number and date of birth. Almost everyone I’m connected to on Facebook has access to this information and upon providing these three pieces of data, I was able to do more or less anything including changing contract and getting a new SIM card sent to any address I specified.
The security procedures when calling many other large service providers aren’t any more advanced, either. This problem has arisen because just a few years ago, birthdays and addresses were only known by close friends and family who could generally be trusted. Security procedures were built around that assumption and since then, haven’t been sufficiently updated to cope with the overwhelming presence of Facebook and the information it provides.
The security of online banking has improved and most banks now use a challenge response system in the form of card readers to authenticate the account holder. There’s no real attack for this, and it has thus far eliminated the possibility of card-not-present fraud on banking sites.
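The interviewee’s point about card readers is that the bank never asks the customer to repeat a fixed secret over the line; it sends a fresh challenge and checks a response that only the card can compute. The following is an added, simplified model of such a challenge-response exchange, written for this article rather than taken from the interview or from any bank’s actual card-reader scheme. It assumes HMAC-SHA256 over a random nonce as the response function and a shared secret enrolled with the bank; all identifiers and the secret value are constructed for illustration. The check at the end shows why a captured response is useless a second time: each challenge is single-use and consumed on verification.

```python
import hashlib
import hmac
import secrets


class CardReader:
    """Prover side: stands in for the customer's card plus reader.

    The secret stays on the card; only a response to the bank's
    challenge ever travels over the phone line or browser.
    """

    def __init__(self, card_secret: bytes):
        self._secret = card_secret

    def respond(self, challenge: bytes) -> str:
        # Response = HMAC-SHA256(card_secret, challenge); assumed construction.
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()


class BankVerifier:
    """Verifier side: the bank's login service."""

    def __init__(self):
        self._secrets = {}   # card id -> secret shared with that card (enrolled)
        self._pending = {}   # card id -> challenge currently outstanding

    def enrol(self, card_id: str, card_secret: bytes) -> None:
        self._secrets[card_id] = card_secret

    def issue_challenge(self, card_id: str) -> bytes:
        # Fresh random nonce per login attempt; remembering it makes it single-use.
        challenge = secrets.token_bytes(16)
        self._pending[card_id] = challenge
        return challenge

    def verify(self, card_id: str, response: str) -> bool:
        # The outstanding challenge is consumed whether or not the check passes,
        # so a second verify with the same response has nothing to match against.
        challenge = self._pending.pop(card_id, None)
        secret = self._secrets.get(card_id)
        if challenge is None or secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, response)


def login(bank: BankVerifier, card_id: str, reader: CardReader) -> bool:
    """One complete exchange: bank -> challenge, card -> response, bank -> verdict."""
    challenge = bank.issue_challenge(card_id)
    return bank.verify(card_id, reader.respond(challenge))


def replayed_response_is_rejected(bank: BankVerifier, card_id: str, reader: CardReader) -> bool:
    """Defender's check: a response observed during one login must not
    authenticate a later login, because the challenge differs each time."""
    first_challenge = bank.issue_challenge(card_id)
    observed = reader.respond(first_challenge)
    if not bank.verify(card_id, observed):
        raise RuntimeError("genuine login should succeed")
    bank.issue_challenge(card_id)          # next login gets a new nonce
    return not bank.verify(card_id, observed)


if __name__ == "__main__":
    bank = BankVerifier()
    card_secret = b"constructed-card-secret-0001"   # constructed sample value
    bank.enrol("card-1", card_secret)
    print("genuine login:", login(bank, "card-1", CardReader(card_secret)))
    print("wrong card:   ", login(bank, "card-1", CardReader(b"some-other-secret")))
    print("replay rejected:", replayed_response_is_rejected(bank, "card-1", CardReader(card_secret)))
```

Contrast this with the phone-provider check described above: name, number and date of birth are static values that can be reused by anyone who learns them, whereas here each login is bound to a nonce the bank chose moments earlier.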
Are media depictions of hacking incidents and current films such as The Girl with the Dragon Tattoo helping to raise awareness of the cyber threat?
Despite how hacking is generally portrayed in films, 99 per cent of it is not done in a dark room using nothing but a computer. The image of hackers as extremely intelligent individuals exploiting loopholes in operating systems promotes fear amongst the public that there’s nothing they can do to protect themselves.
In fact, people have a great deal of power to avoid becoming a victim. Firstly, don’t publish all the answers to your ‘secret questions’ on Facebook, and don’t give away information over the phone to anyone you don’t know or trust.
In my opinion, the glamorisation of hackers in films is distorting awareness of the cyber threat when in fact, the public have most of the power when it comes to protecting themselves.
As security continues to play a more strategic role in business, this gripping insight gives a clear indication that employee awareness must be treated as a priority. Technical security processes are starting to improve faster in response to new trends in cybercrime, but the human factor plays a vital role in strengthening both individuals’ and organisations’ defences against the cyber threat.