An interview by Hiscox with interim.team CISO Phil Cracknell
Cybercrime can and probably will be used as a tool to compromise the financial infrastructure of entire countries, says cyber-security specialist Phil Cracknell.
From business protection to cyber wars, Phil gives us his insight into the future of hacking and how we’re all more at risk than we realise.
What’s probably most concerning about all of this is that small businesses play a crucial part in many major cybercrime plots. They’re easier to hack than the big corporations, and they’re usually connected to larger supply chains, giving hackers a way in to the top.
It’s time to look at the bigger picture with cyber security
Yet, when it comes to what’s motivating hackers, it’s not all about money – although it can often be traced back to that. If you’re stealing the recipe for the next wonder drug or the designs for a Grand Prix team’s car, you’re clearly motivated by money. The same goes for music and films. The Sony hack in 2014 is a good example of that.
But then you’ve got your cyber wars, which are taking place every day. People are hacking governments to steal information and secrets in the same way we have spies and double agents.
I just came from a ten-month assignment at a train company in the UK, who are going ahead with plans to move all of their signalling to the train cabins instead of a central signalling centre. So if two trains need to stop for another to pass by, the three of them will negotiate between them who gets to go first. Bring a cybercriminal with a vicious motive and the ability to hack these trains into the equation, and you’ve got a very dangerous situation.
It will take a catastrophic event to lead to reform
My prediction for the future of hacking is that there’ll be a massive event that’ll lead to loss of life. Several terrorist plots involving cybercrime have already undoubtedly been foiled, and it’s only a matter of time before one takes hold. They might be very simple or they might be very elaborate. For example, there have been blackouts in North America and Ukraine over the past few years. These are cyber-attacks against the critical national infrastructure, which is why governments are investing so much in cyber defence. They’re considering it as one of the top threats now. If you can take over a drone, you’ve got control – it doesn’t matter about the size of armies because they rely on communication and intelligence. If you can control that, you can send them in the wrong direction to essentially shoot each other.
There’s still a widespread disregard for cyber security because it’s not in people’s faces yet. But an event like this would lead to major reform.
There’s an ecosystem of hackers and we need to be wary of them all
There are many ‘smaller time’ hackers that do it more for the kudos it gives them in their network rather than aiming to carry out organised crime. But they’re still dangerous. These opportunistic hackers are often groomed by other, more serious hackers who’ll tell them to attack a certain IP address. And the smaller-time hackers will do it because they believe they’re doing a valuable job in taking down a bad organisation or similar. There’s a bit of a ‘we’re going to take over the world’ attitude. And while these small attacks are taking place there’ll be a much bigger one happening in the background. We refer to this as ‘noise’ – it’s people rattling the door handle, but in real terms.
Small businesses aren’t immune to cyber threats
SMEs need to remember that even though they’re small in size, if they’re part of a larger supply chain, they’re still vulnerable. Anyone that supplies to trains, buses, planes, energy companies or any other organisation considered critical to the national infrastructure could provide a way for hackers to get into where they want to be. The last four biggest hacks in the world – Sony, AT&T, eBay and Target – were able to happen because of a third-party supplier being compromised. And if enough small businesses were attacked it could threaten our country’s entire financial infrastructure.
It’s also become quite common for smaller businesses to be targeted with ransomware, which is a type of malicious software that blocks access to a computer system or encrypts files on it. It’s used to demand money from people and only when they’ve paid up can they have their files back.
Most big organisations would be able to repel a ransomware attack but that’s not the case for smaller ones. They find themselves with encrypted files and unable to run their business, meaning the only real option is to pay the money.
Seek external help to keep your business secure
If you own a small business you probably don’t need to employ a security expert full time, but it’s wise to seek external help to guide you and check that you’re secure on a regular basis. It’s a good idea to seek specialist help and contract a Chief Information Security Officer (CISO). They’ll help you with things like patching, which is a method used to fix known vulnerabilities in computer systems – often used by hackers as a way in.
It’s also important to get the culture within your business right. Training your staff to spot an attack is key because relying on technology is often not enough. For example, at a basic level all staff should be aware of what spam emails and fake webpages look like. Plus, while anti-virus and firewall programs can detect viruses and system vulnerabilities, you can’t rely on them to protect you against cyber-criminals actually tricking you in person, otherwise known as ‘social engineering’. Getting a professional in to deliver a training session for your staff is a good way to make sure they’re clued up on this.
Social engineering is a very common method of getting credentials
Imagine the scenario. A British Telecoms (BT) engineer turns up in full uniform at your business premises. They claim that your main phone line is down due to a problem in the area. You check the line – it’s dead. Your customers can’t get through to you and you’re losing money by the minute. How likely are you to let the engineers get on with their job and fix things? You’re probably just grateful there’s someone there to help. But what if they weren’t real engineers? Hackers have been known to create crises for businesses, like cutting their phone line, only to turn up and ‘save the day’ a few minutes later. What they’re really doing is getting potentially unlimited access to the business’s network. This is a classic example of social engineering.
There only need to be a few key things in place for people to fall for this kind of activity. For example, a hacker may ring up a company and speak to one member of staff to get hold of some seemingly harmless information. They’d then ring back on another line and speak to someone else, using this information to convince that person that they’re legitimate. Having a few details to hand, such as employees’ names and dates of birth, means people are much more likely to trust them.
This is a very common way of stealing credentials and plays a big role in large-scale hacks. In most of the major hacking scandals to have taken place, there will have been an element of social engineering to obtain information. Sometimes this takes place electronically, known as phishing. So a hacker will create a fake web page that looks like it’s legitimate, which will ask a user to change their password.
Always be vigilant when giving out your details
To avoid being socially engineered, always be wary of who you’re giving details to, whether it’s on the phone, in person or online. If you receive an email with a link in it asking you to change your password for something like Facebook, don’t follow it. Instead, manually type the Facebook URL address into your browser and see if the website asks you to change your password that way. It’s important to never follow the link because it could either take you to a fake web page or allow something like ransomware to be downloaded onto your computer.
Cyber insurance is going to change the world
Hacking activity is spread far and wide, and is being used for multiple different purposes across the globe, some of them very sinister. But it’s not all doom and gloom. This is why I think cyber insurance is going to change the world. I genuinely believe that if you’re a small business owner, cyber security should be up there at the top of your list of priorities. It’s not an optional extra, just like business insurance isn’t. And when you look at the bigger picture, you can see why.