Understanding the Hacker

Security | 4 minutes read | Oct 13th, 2011

Many of you, like me, will be aware of the online conference organisation TED (Technology, Education and Design). The conferences are first class, easily digestible and recently featured a journalist – Misha Glenny – who has been speaking about cyber crime and how law enforcement and especially organisations online are fairly useless at stopping it or preventing it.

Mr. Glenny, it will come as no surprise, is subliminally promoting his book DarkMarket: Cyberthieves, Cybercops and You (available online and in all good book shops!), which is a particularly good read but is, I would say, unrepresentative of the broad expanse of cyber crime and hacking. He starts his TED show with “Anonymous” and finishes it with a plea for organisations to “Hire a Hacker” (many of whom apparently suffer from medical conditions – autism for instance) if they want to be safe from constant online attack. This unconventional hiring tactic is reminiscent of the UK’s Prime Minister’s suggested answer to social unrest: “Hug a Hoodie”. I’m afraid hackers get little sympathy from me. Mr. Glenny’s analysis, sadly, over-simplifies a more complex cyber landscape.

But Mr. Glenny does make some more apt and pertinent points which are worth taking note of. For instance, he divides the corporate world into two: organisations that know they have been hacked and those that do not. I was reminded, when I heard this, of the Head of the UK’s signals intelligence organisation – GCHQ – who made a speech last year where he said that – and I paraphrase – if you are an organisation that has dependencies online, then you have been intruded upon electronically whether you know it or not. The intrusion is rarely an act of technical brilliance by a hacker; more likely it is a result of social engineering where someone in your organisation (targeted through a social media profile) gives away key information, such as logon details. And these intruders are not loners with autism, but organised crime seeking information of value – be that intellectual property or credit card details or bank account numbers. And they won’t just break in and leave; they will remain there, siphoning off information at a rate that goes unnoticed by firewalls and intrusion detection software.

The Head of GCHQ – Iain Lobban – also said that good practice will protect against about 80% of the attacks. The remaining 20% are highly sophisticated with a variety of very specific targets. They will exploit unknown (to everyone else) vulnerabilities in software (known as Zero Day) and it needs more than just conventional protective measures to stop them. Hence, today, organisations need to be much more aware of several features of their business:

  • their online dependency (it will change at a tempo that will both surprise and bewilder the CEO);
  • the value of the information they use and consider their own and how well it is protected (is it encrypted for instance);
  • the flow of information around, in and out of the organisation (especially out);
  • who works for them (in a way that they can be comprehensively authenticated both in the real world – coming into the building – and in the logical world – logging on), and;
  • their forensic preparedness for the inevitable incident that measures like this will result in because they will protect.

And if you are dynamically protected in this way and your competition isn’t, guess who the market is going to do business with?

Mr. Glenny makes some great points and, fair enough, has seen the cyber crime challenge from the perspective of the perpetrators. Seen from the perspective of the potential victims, one can only echo Captain Jean Luc Picard, “Shields Up!”

Misha Glenny’s TED video can be viewed at this link: Hire the hackers!
