A panel of cybersecurity experts at Wednesday’s Web Summit warned that recent hacker attacks such as those on Ashley Madison and TalkTalk are “the tip of a teeny, tiny iceberg” and that the cyber equivalent of 9/11 could happen and is “a very real danger”.
Dermot Williams, managing director of security firm Threatscape, reminded the audience the recent TalkTalk hack was followed by a statement revealing that it was a very sophisticated attack, something that “almost made us feel sorry for them” until it emerged that a solitary 16-year-old was arrested.
TalkTalk got hacked because “it wasn’t paying enough attention to its cybersecurity,” claimed Evgeny Chereshnev, vice-president of global consumer marketing for Kaspersky Lab.
However, Chereshnev was not implying that this was a trivial attack. He said that anyone with a relatively high IQ can find guidebooks out there on the web that act as a colour-by-numbers guide to hacking into various security systems.
“It’s getting to be a bigger and bigger threat landscape out there,” said Rami Essaid, co-founder and chief executive of bot-blocking service Distil Networks.
“It’s one company versus an infinite amount of expert knowledge and hackers. Security must be part of a company’s core infrastructure because we [security firms] alone aren’t enough to stop all threats out there.”
Essaid gave the example of a recent case where an actual how-to guide was published for getting into a particular company’s secure network (he didn’t mention the company). This guide was simple enough that plenty of people could follow it. It included steps for exploiting vulnerabilities and even social engineering, in other words, ringing up a tech helpline and tricking the operator into giving you private information.
“You don’t want to be the corporation that’s easiest to get into,” said Todd Simpson, chief strategy officer for AVG Technologies, to which Chereshnev added that one of the most common reactions he gets from a big company, when he tells these stories, is “dead eyes”.
“It’s like they’re not understanding that this is real. We can save a lot of companies data and money but it’s not our call,” he said.
The conversation strayed into bounty programmes, the act of offering big money to hackers who can get past a security system. There are the bad guys out there, explained Williams, including an organisation that recently offered a large sum to anyone who could find vulnerabilities in Apple’s iOS 9.
Companies can retaliate or perhaps prevent these paid-for attacks by putting out a bounty to a “white hat” hacker to find any weaknesses in their network or computer system before the bad guys get there.
Tesla recently did this when it visited hacker conference Defcon: hackers found weaknesses in the software, Tesla stumped up and the next morning Tesla was able to update its software based on this, explained Simpson.