
Are ethical hackers key to rescuing vulnerable firms?

By George Nyingiro | Jun 10th 2014 | 3 min read

There is a need for a law to tame hackers who spend their days trying to worm their way into clients’ computer systems to see how vulnerable they are to cyber-criminals, spies and other nefarious attackers. Crooks and spooks are still finding gaps in digital armour too.

As more business shifts online, hackers have plenty of targets to aim at. In 2013 it was estimated that cybercrime costs the world $113 billion (Sh9.944 trillion) a year and the number of victims at 378 million.

The effects of a hacking attack can be devastating for a company’s reputation and its bottom line. At the end of last year, giant American retailer, Target, was hit by hackers who swiped the details of credit and debit cards held by 40 million of its customers. This was done by placing malicious software on thousands of the registers in its stores.

In total, intruders gained access to 70 million records that contained partial names and e-mail and postal addresses of customers. Target’s catastrophic breach may come to be seen as the digital equivalent of BP’s disastrous Deepwater Horizon oil spill. The retailer faces a whopping bill for cleaning up the mess the massive data leak has caused.

Jefferies, an investment bank, estimates that it may have to pay up to $1.1 billion (Sh96 billion) to the payment-card industry because of the breach. Target is also spending a fortune on such things as free identity-theft insurance for customers. Since Edward Snowden’s leaks about the NSA’s activities, much ink has been spilled about the threat to cyber-security from rogue employees.

Unknown intruders

Yet most breaches are still caused by outsiders. And businesses are struggling to match the wiles of the unknown intruders trying to pinch their data. It is evident that the financial-services firms are in a “street fight” with hackers. The threat posed by determined cyber-invaders explains why companies that offer to mimic them and test the vulnerabilities of clients’ systems—a practice known as “penetration testing”—are in demand. Some businesses, such as banks and outfits handling electronic payments, are required by regulators or industry bodies to conduct regular “pentests”.

Others hire pen testers because they think outsiders may spot things that internal security teams miss; you tend to get tunnel vision in-house. A popular trick used by pentesters and criminal hackers alike is to send fake “phishing” e-mails, which seem to come from legitimate sources and ask a firm’s employees to enter their usernames and passwords. About a fifth of employees who receive these e-mails are fooled by them.

Once inside a network, a hacker takes an average of four hours to take control of it. Critics of pentesting say cheap software that automatically scans for vulnerabilities in a firm’s systems can automate much of the work pentesters do. They also claim that tests can create a false sense of security inside companies.

However, firms often make big changes to their systems between pentests, which can accidentally create new vulnerabilities. Moreover, some pentesters may simply lack the skills and ruthlessness to spot weaknesses that cyber-crooks will find. Executives who have used pentesters acknowledge that clients should choose them carefully, and call them back whenever big changes are made to computer systems. But they reject the notion that pentesters can be replaced with software: pentesters are not just testing security tools, but also exploiting vulnerabilities to probe deeper inside companies’ systems.

To convince skeptical clients that their systems are vulnerable, pentesting firms can show videos of their hackers breaking into them, to prove that they really did get in. Some ethical hackers go even further, pinching a confidential document from their clients’ servers and then presenting it to them with a flourish.

This makes the threat much more real. When shocked bosses are presented with this sort of evidence, they usually reach for their cheque books fast to fix the problem.

Mobile apps

New risks are constantly emerging, notably in the field of mobile apps. Companies are rolling out lots of these, so that their employees can work on tablets and smartphones as they travel. So is anyone safe? To an extent yes, if we invest in ethical hackers.

—Nyingiro is Director of Digital Forensics and Fraud Investigations at Matrix Digital Forensics Ltd. The views and expressions are his own.
