Getting Ahead of the Hacker

Jake Davis (aka Topiary), former Hacktivist turned security consultant and speaker, is all about understanding the psychologies of hacking, and educating the next generation of technology experts. Modern Insurance spoke to him about cyber protection against the modern hacker.

QAs cyber-attacks and business hacking continues to grow, what drives hackers – is it the challenge and kudos, or financially driven? A Most hackers are ethical, and veer on the side of defending the average user. Those doing it for challenge and kudos usually aren’t out to hurt anyone. However, financially motivated criminals are a completely different story. To them, the hacking of companies and extraction of funds is merely part of a wider ecosystem, which often extends beyond hacking itself. You may be targeted opportunistically with a specific set of exploits, and it’s often the case that the attacker will have no idea who you are or what you do.

QFor those that do suffer a cyber-attack, is there an attraction for hackers to revisit the same company? A Large companies tend to face a serious problem with their asset management. Professional pentesters usually end up finding some obscure weakness in a complex network of many moving parts that the company itself doesn’t even fully comprehend. For those with criminal intent, it’s often not very difficult to exploit this repeatedly. They don’t need to rely on a hacking operation that’s sophisticated or well-funded, they just assume the target has a poor understanding of its own internal structure and run circles around them. It’s something I have said for many years: if a hacker can perform a light scan of your public-facing internet presence and know it better than you, you have a serious problem. Investing in people, rather than checking security boxes, is the solution.

QDoes utilising an increased amount of smart tech / IoT and holding big data make insurance companies more appealing to be hacked? A If you’re a large entity full of IoT devices and smart tech that hasn’t properly thought about security, you’re probably going to get hacked. It’s worse than just being a juicy target - you will be hacked by accident, simply as a result of exploits being sprayed wherever possible. Criminal hackers will target a specific vulnerability in a specific IoT device and automate the use of that exploit against every potential victim in the world, hoping to hit home with a reasonable percentage of them before the exploit is no longer viable. These operations are conducted in bulk and scoop up the low hanging fruit. So, companies, who assume they’ve been specifically targeted, are often surprised to learn they were hit by a big hacker net that wasn’t really looking for any specific fish.

QAre those companies navigating a Merger and Acquisition more vulnerable? If so, what can be done to reduce this risk? A If we take a step back and imagine network vulnerability as a whole, we can think of new nodes adding exponential risk to every other node. A lack of synergy between nodes results in weak links that are then abused. It’s very important when joining any two systems together - even if they’re both already secure on their own - that no new vulnerability is introduced into the ‘immune system’ during the merge. If you’re in a position of acquiring a

smaller company that has lesser security than you, perhaps allow time for proper auditing before adopting their code repositories and architecture. The worst case scenario is a small start-up has been backdoored by a sneaky hacker, and you’ve now inherited that problem without realising. It’s Christmas Day for the hacker as they’ve now scored a huge new target by just waiting patiently.

QAs 2020 will see further adoptions / advancements in AI and autonomous vehicles, does this actually create increased opportunities to hackers – is the once relied on human element to grant access to systems no longer required? A Humans will always be the number one weakness of most attacks, including in the world of AI. If we imagine an autonomous war vehicle that makes targeting decisions for the user, a poisoning of that system (known as an adversarial neural network) relies on the human target having some sort of established trust in the AI. So really, we’re talking about abusing the link between the human mind and the AI by making people do something that is not in their best interest. That being said, arbitrarily making a device “smart” is not a good idea. We live in an age where internet-connected door handles can be remotely hijacked by scanning huge IP ranges. Not only do we need to stop, we need to roll back. AI is absolutely brilliant for science, medicine and overseeing entire networks - but it should not be implemented without critically thinking about both security and ethics.

QChat bots are now becoming a common place app/facility for most companies; do you think we will see bots becoming a new target for hackers? A Bots have been a target of hackers for years. In the early days of company chatbots, misconfigurations could be abused in bizarre ways to expose private parts of a network that the bot was connected to. There are vulnerabilities surrounding bots exposing other customers’ information with the right set of commands, and extra caution is required when you implement a bot that allows file upload. It’s certainly a valid attack vector and should be properly audited and secured, just like all other parts of your network.

QWhat impact will 5G have on cyber-attacks? And how can companies adapt accordingly? A 5G is a mixed bag when it comes to security. It renders many common cellular attacks useless, but allows a more fluid attack surface. What we’re talking about here is allowing already vulnerable pieces of equipment to connect to each other faster, and therefore be more easily targeted. So, it’s not the architecture of 5G itself that’s the problem, more the fact that critical national infrastructure will now be more interconnected. The EU has conducted a coordinated risk assessment of this, but I’m sure, like all new developments in technology, it will result in some new and interesting hacks.

QIs it truly unrealistic to ever get ahead of the hackers? A A defender has to win every time; an attacker just has to win once. It’s unrealistic to aim for a magical world in which you’re unhackable - it’s impossible. What people need to do is accept that hacking may occur and attempt to drastically reduce the chance of it happening, and be prepared for optimal damage control should it occur. Ask yourself: do we have backups? Is our sensitive data properly encrypted? Are our systems up to date and regularly audited? Do we have the right individuals applying critical thinking to our security 365 days a year? If you can solve these problems, you’re already ahead of 95% of everyone else.

QWhat should be the priority when it comes to distributing investment / protecting assets? What is the strongest defence against cybercrime? A Let’s use ransomware as an example of asset/monetary theft. If you’re a company that holds sensitive information, you need to make sure that you know where it is, in what form it’s held in, and where its backups are located. That sounds like obvious advice, but I constantly hear; “oh yes, we’ve got that covered!”, and then the ransomware hits and the company is toast. You can’t have single points of failure. So many companies do, and that’s why ransomware is so profitable: victims pay the ransom because they have no other choice. Now, when we’re talking about the security of your customers’ information, you need to make sure you’re encrypting their personal information (especially passwords) properly! I advise every CEO that’s reading this to immediately call up their security team and ask exactly what methods are being used to encrypt user data. If the answer doesn’t include a comprehensive rundown of the algorithms and design principles that have gone into making sure your customers are secure - including a threat model of the worst case scenario of a database being leaked - something is seriously wrong.

QWhen building a defence against cybercrime, what failures and weaknesses do you continue to see repeated? A Too many large companies see security as a checkbox that must be ticked to meet regulatory standards, and an annoyance that is occasionally dealt with once or twice per year. This isn’t good enough. It’s also, in certain GDPR cases, seen as criminally negligent. Security is something that needs to be constantly on someone’s mind and always moving forward. That’s why hiring dedicated experts is key. As the leader of a large entity, whether it be the private or public sector, you need to be able to organise yourself in such a way that means you have staff constantly evolving your defences and staying on top of emerging threats. Even sending your developers to hacker conferences for a different perspective is a good idea! There are many branches of high level, extremely complex IT-related careers that never actually overlap with security, and converging these methods of thinking is an excellent move. Q How often should companies be testing their own vulnerabilities and should this be conducted internally or externally? What are your own findings / experience of this? A Companies should thoroughly test any new software/ hardware before it goes live. Running a scan four times a year for generic bugs and reporting 0% vulnerabilities looks good on paper but is a sure-fire way to eventually get blindsided and hacked. If you’re large enough, you should have an internal team tasked with analysing potential threats every day as your company scales. That doesn’t mean you should invest millions into the latest threat intelligence snake oil products and call it a day - cover all your bases by first performing external audits, then bringing talent inhouse. If you’re a smaller company, bug bounty programs are a great way to get started at a cheaper cost, and you may end up finding unexpected talent along the way.

Jake Davis is a Hacker and Security Expert.

We blend Technology with ‘Experts’ to create a market leading motor claims propositions. Our core services include Advanced Triage, Digital Engineering and Forensic Investigations. We blend Technology with ‘Experts’ to create a market leading motor claims propositions. Our core services include Advanced Triage, Digital Engineering and Forensic Investigations. A white labelled web app to capture customer images which are then interrogated to allow highly accurate advanced triage for any claim. A white labelled web app to capture customer images which are then interrogated to allow highly accurate advanced triage for any claim. Seamlessly blending Technology with Human Intelligence to technically engineer 100% of motor claims without compromise. . Seamlessly blending Technology with Human Intelligence to technically engineer 100% of motor claims without compromise. . Specialist investigators with the bespoke expertise to determine causation, capture forensic information, provide detailed reporting and secure documented evidence. Specialist investigators with the bespoke expertise to determine causation, capture forensic information, provide detailed reporting and secure documented evidence.