Why Every Business Should Hack Itself First, Before Someone Else Does
The proliferation of the Internet has fundamentally changed so much about the way we live our daily lives, not least because it has put access to millions of people and things right at our fingertips. From healthcare to commerce, public services and beyond, being connected has enriched our quality of life like never before. But it’s also exposed businesses and consumers alike to unprecedented levels of risk. Threats are no longer posed solely by those countries or cybercriminal networks with the financial means to carry out attacks. This both raises the stakes and levels the playing field for attackers and defenders. Many threat intelligence analysts agree that 2015 will see an uptick in state-sponsored cyber activity*, as smaller countries realise that, for a relatively small return, they can punch well above their weight on the world stage. In short, it is no longer necessarily an expensive undertaking to launch damaging attacks against our governments and corporations.
The barriers to entry are lower than they’ve ever been. Underground markets sell automated attack toolkits that do not require deep technical experience for anything from information-stealing malware, to DDoS services; bulletproof hosting to online hacking tutorial courses. Whether the end goal is to gain geopolitical advantage, economic espionage or denial of service, the bad guys are certainly capable of relentlessly targeting your organisation.
Now many doom-mongers warn that this state of affairs will eventually lead to some kind of catastrophic Internet outage. I’m less sure. It’s more likely that if we allow the black hats to thrive unchecked then the public will simply begin to trust – and therefore use – the Internet less.
This might not sound particularly dramatic, but it could have a crippling effect on commerce, on healthcare, banking, and the provision of government services. Technology innovation would slowly grind to a halt.
So what do we do? Unfortunately, more laws will not do the trick. The Internet is transnational. This means there will always be some countries where online criminals can escape scrutiny, and there will always be state-sponsored operatives to whom the authorities turn a blind eye.
The US recently indicted five PLA soldiers because they were deemed to have been directly attacking the commercial interests of US firms, rather than committing traditional cyber espionage focused on stealing state-secrets. It was in the end little more than a symbolic gesture. The truth is that no CEO can expect their government to step in to protect their interests. Regimes like Russia, China and an increasing number of smaller states gearing up their own capabilities will continue to quietly condone such attacks if it’s in their interests. The conventional rules of warfare no longer apply in cyberspace. Extradition remains nearly impossible and attribution even harder: there are simply too many ways to obfuscate the trail of digital crumbs leading back to an attacker.
The bottom line is this: UK business leaders must understand that when it comes to cybersecurity, you’re on your own.
So how do we fight back? Well, there’s no silver bullet – there can’t be for something as broad and complex as Internet security. But it is time to realise that the best form of defence is attack. That’s why I founded WhiteHat Security back in 2001. We – and others like us – specialise in testing the defences of businesses so they can better understand where their cyber weaknesses lie, and then take steps to remediate. You’d be amazed at how easy they can be to crack. And these are major organisations; some of the biggest and best-known brands in the world, responsible for billions of customers. If you haven’t been hacked yet, you’re not looking hard enough.
It’s what I like to call a “Hack Yourself First” approach and it’s the first step towards effective self-defence. Having been shown how easy it is to infiltrate their networks, steal customer data and IP or disrupt key systems, these firms can then take steps to do something about it. Unfortunately, many others prefer to stay in the dark; hoping and praying they’ll be ok.
But luck is not a security strategy.
Businesses must call on the experts to hack their systems to test for weaknesses, and the more that do this, the better. It’ll help secure customer and corporate information and maintain public confidence in the Internet, which is vital to its continued success. But as an industry we also need to teach more people how to hack. You might think this sounds crazy, but it’s quite the opposite. The more people understand how the bad guys think and act, the better our national security and economic wellbeing.
The white hat community has forever been on the back foot, reacting to a seemingly more agile, unpredictable enemy. With a “Hack Yourself First” approach businesses can finally start taking the fight to the bad guys for a change. It’s been a long time coming.
By Jeremiah Grossman, WhiteHat Security