Part 2: This Is a Cyber War. Your White Hat Won’t Save You

Cyberattacks are no longer just the apocalyptic stuff a security expert’s nightmares are made of. They’ve become too prolific and damaging to ignore, and for most people they’re now part of a grim everyday reality along with mass shootings and climate change. For many the Internet is nothing more than an anarchical no-go zone ruled by marauding cybercriminals who leave chaos and fear in their wake. But there is a silver lining.

While it may seem like we’re fighting a losing battle, there is hope. Perhaps all we need is a new, more sophisticated approach to cybersecurity. As the first part of this trilogy showcased, the rules of this game have changed and those that don’t adapt will find themselves hacked sooner or later. After all the threat landscape is such that it’s cheaper to carry out a cyber attack than it is to defend oneself. Welcome to what may be mistaken as the cyber gangster’s paradise where it seems easier to leave your passwords at the door than it is to fight.

In this part of the trilogy we’ll explore why we owe it to ourselves to find a creative way to fight against this scourge of cyber attacks. Because technology alone is insufficient to provide the advanced cybersecurity we so desperately need. We’ll also consider the issue from the white hat hacker’s perspective who may be able to shine a light on why we’re losing this battle and, more importantly, what we should be doing differently.

Are white hats here to save the day?

White hat hackers are a relatively new addition to the cyber ecosystem, but they provide valuable insight into how cyber attacks have evolved. Shay Priel, CyberInt CTO & co-founder who has an extensive background in offensive security, explained that when he was a child there weren’t any white hat hackers. “I don’t remember any “white hat hackers”, there were only HACKERS. Cybersecurity was not popular those days and we didn’t have any “hack me challenges” or CTFs to practice on. So if you wanted to practice you would go hacking. And so, choosing the target would be the differentiating factor. Some would choose to target offensive sites (like Natzi promoting organizations), while others would go for a more lucrative target” he explained. The rules have changed since then, and white hat hackers have become a necessary evil.

The modern threat landscape is such that we constantly need to be looking for creative ways to defend ourselves against these threats. And that’s where white hat hackers come in. Priel pointed out that contrary to what many think, the cybersecurity industry is still in its infancy, and there is plenty of room for growth and innovative solutions. “The time has changed and the industry offerings should change as well. In a world where everything is controlled by computers, you want to be in control, and that’s not the case today,” he added.

Priel admitted that we are currently losing the battle against cyber attacks, but stressed that there is still a lot we can do to win the war. He emphasized that this is the time for white hat hackers and cybersecurity organizations to collaborate by sharing information about cyber attacks in real-time. The way he sees it, it could also be useful to create more bug bounties as a way of encouraging hackers to use their skills for good. While this is a win-win solution for both hackers and the security industry, most white hackers are only too aware that true collaboration and reliable real-time intelligence will take time to establish. Such change can only come about by understanding what makes black hatters tick.

Most white hat hackers understand the allure of malicious hacking. From the promise of easy money to the appeal of adopting an anonymous online persona, black hat hacking can be hard to resist. Priel pointed out that there will always be hackers looking to cause damage. It’s up to white hat hackers to develop comprehensive security solutions to face these threats head-on. He emphasized the need for multi-layered security which targets threats from several angles. While not even this is 100% cyber attack proof, it’s pretty close.

He explained: “We all make mistakes… a programmer will make a mistake and the outcome is a software vulnerability; a sysadmin will make a mistake and you have a network vulnerability. Every mistake has consequences,  so we will never achieve perfect security. But, the more layers you have the greater the level of security, and the probability of getting hacked is minimized.”

White hat hackers, like Priel, are not here to save the day. But they are a powerful reminder that malicious hackers aren’t going anywhere anytime soon. We need to accept that, and ensure we adopt our security strategy accordingly. But it’s not just up to white hat hackers to keep us safe. CSIOs, security experts and others who work tirelessly to defend the Internet also play an integral role in fight against cyber attacks.

Why is the Internet so difficult to defend?

The complexity of modern information systems infrastructure makes it particularly vulnerable, and we’re beginning to see increasingly aggressive and well-organized attacks. According to a recent study, the biggest threats facing information systems include vulnerable web applications, out of date security patches, a failure to encrypt PCs and other sensitive data and weak passwords.

One of the best ways to deal with this is to focus on cyber hygiene. This includes ensuring operating systems and applications are updated, and have the latest security patches installed. System administrators also need to ensure that operating systems are configured in such a way that they automatically shut down any attack vectors that have been compromised. By investing in cyber hygiene, security experts can create information system architecture which can easily bounce back after an attack.

Connectivity in a here, there and everywhere world

Ubiquitous computing is another factor which contributes to an organization’s vulnerability. This refers to having a variety of devices constantly connected and available online. Some estimates suggest that by 2020 there will be at least 50 billion devices connected to the Internet. From smartwatches and printers to the simplest smartphone, connected devices open us up to a world of convenience but could prove to be a security expert’s Black Swan. The terrifying reality is that most of these devices have little or outdated security, and trying to secure them all would be nothing short of nightmarish.

These devices extend an organization’s attack surface exponentially. Not only do they provide hackers with an easy entry point into the device’s internal network, but they’re also the perfect hiding place for malicious code. This gives hackers a permanent backdoor and easy access into the network where unbeknown to the user they can wreck havoc. A study conducted by Hewlett-Packard last year found that 70% of these devices are likely to get hacked or compromised in some way. This is a wake-up call, and reminder that the more devices we connect to the Internet the more risk we face. It’s simply unavoidable.

This has considerable implications for many organizations with a bring your own device (BYOD) policy. A survey conducted by Gartner found that employees show scant concern for security even in companies with a BYOD strategy in place. The best way to combat such complacency is for companies to focus on cybersecurity awareness. This is one of the most effective ways to ensure that security becomes a company-wide concern. Recent research conducted by Cyberint found that comprehensive cybersecurity requires considerable employee buy-in, particularly at an executive level. It’s insufficient to rely on IT security alone to keep an organization safe.  

Technology only goes so far … and that isn’t far enough

An increasing  number of security experts understand that technology is limited, flawed and can only provide so much protection. While sophisticated technology can help lessen the blow of a cyber attack, it’s by no means a full-proof solution. All it takes is for a hacker to identify one weak spot and most, if not all, security efforts and cybersecurity technology, will be rendered futile.

Technology is not the knight in shining armor many in the cybersecurity community have been waiting for. Even with the most cutting-edge technology, a network can still be vulnerable to attack. Because let’s face it, there’s no accounting for the what ifs and unpredictable eventualities. For many organizations it’s employees who are the weakest link, and end up compromising the company’s security in some way.

If we stand any chance of winning the war on cyber attacks, now is the time to get smart about cybersecurity. As the first two parts of this trilogy highlight, we can no longer rely on technology alone to save us. But if there is no such thing as perfect security, how can we adapt our strategy to lessen the blow of the inevitable cyber attack? The final part of the this trilogy will get to the bottom of this, and will hopefully provide some light at the end of this gloomy tunnel.