Modern Insurance Magazine Issue 43


INTERVIEWS

Getting Ahead of the Hacker

Jake Davis (aka Topiary), former Hacktivist turned security consultant and speaker, is all about understanding the psychologies of hacking, and educating the next generation of technology experts. Modern Insurance spoke to him about cyber protection against the modern hacker.

Q: As cyber-attacks and business hacking continue to grow, what drives hackers – is it the challenge and kudos, or financially driven?

A: Most hackers are ethical, and veer on the side of defending the average user. Those doing it for challenge and kudos usually aren’t out to hurt anyone. However, financially motivated criminals are a completely different story. To them, the hacking of companies and extraction of funds is merely part of a wider ecosystem, which often extends beyond hacking itself. You may be targeted opportunistically with a specific set of exploits, and it’s often the case that the attacker will have no idea who you are or what you do.

Q: For those that do suffer a cyber-attack, is there an attraction for hackers to revisit the same company?

A: Large companies tend to face a serious problem with their asset management. Professional pentesters usually end up finding some obscure weakness in a complex network of many moving parts that the company itself doesn’t even fully comprehend. For those with criminal intent, it’s often not very difficult to exploit this repeatedly. They don’t need to rely on a hacking operation that’s sophisticated or well-funded, they just assume the target has a poor understanding of its own internal structure and run circles around them. It’s something I have said for many years: if a hacker can perform a light scan of your public-facing internet presence and know it better than you, you have a serious problem. Investing in people, rather than checking security boxes, is the solution.

Q: Does utilising an increased amount of smart tech / IoT and holding big data make insurance companies more appealing to be hacked?

A: If you’re a large entity full of IoT devices and smart tech that hasn’t properly thought about security, you’re probably going to get hacked. It’s worse than just being a juicy target - you will be hacked by accident, simply as a result of exploits being sprayed wherever possible. Criminal hackers will target a specific vulnerability in a specific IoT device and automate the use of that exploit against every potential victim in the world, hoping to hit home with a reasonable percentage of them before the exploit is no longer viable. These operations are conducted in bulk and scoop up the low hanging fruit. So, companies, who assume they’ve been specifically targeted, are often surprised to learn they were hit by a big hacker net that wasn’t really looking for any specific fish.

Q: Are those companies navigating a Merger and Acquisition more vulnerable? If so, what can be done to reduce this risk?

A: If we take a step back and imagine network vulnerability as a whole, we can think of new nodes adding exponential risk to every other node. A lack of synergy between nodes results in weak links that are then abused. It’s very important when joining any two systems together - even if they’re both already secure on their own - that no new vulnerability is introduced into the ‘immune system’ during the merge. If you’re in a position of acquiring a

