Are ethical hackers key to rescuing vulnerable firms?
By George Nyingiro
| Jun 10th 2014 | 3 min read
There is a need for laws to govern the hackers who spend their days trying to worm their way into clients' computer systems to see how vulnerable they are to cyber-criminals, spies and other nefarious attackers. Crooks and spooks are still finding gaps in digital armour too.
As more business shifts online, hackers have plenty of targets to aim at. In 2013 it was estimated that cybercrime costs the world $113 billion (Sh9.944 trillion) a year and the number of victims at 378 million.
The effects of a hacking attack can be devastating for a company's reputation and its bottom line. At the end of last year the giant American retailer Target was hit by hackers who swiped the details of credit and debit cards held by 40 million of its customers. This was done by placing malicious software on thousands of the registers in its stores.
In total, intruders gained access to 70 million records that contained partial names and e-mail and postal addresses of customers. Target’s catastrophic breach may come to be seen as the digital equivalent of BP’s disastrous Deepwater Horizon oil spill. The retailer faces a whopping bill for cleaning up the mess the massive data leak has caused.
Jefferies, an investment bank, estimates that it may have to pay up to $1.1 billion (Sh96 billion) to the payment-card industry because of the breach. Target is also spending a fortune on such things as free identity-theft insurance for customers. Since Edward Snowden’s leaks about the NSA’s activities, much ink has been spilled about the threat to cyber-security from rogue employees.
Yet most breaches are still caused by outsiders, and businesses are struggling to match the wiles of the unknown intruders trying to pinch their data. Financial-services firms in particular are in a "street fight" with hackers. The threat posed by determined cyber-invaders explains why companies that offer to mimic them and test the vulnerabilities of clients' systems, a practice known as "penetration testing", are in demand. Some businesses, such as banks and outfits handling electronic payments, are required by regulators or industry bodies to conduct regular "pentests".
Others hire pentesters because they think outsiders may spot things that internal security teams miss; in-house teams tend to develop tunnel vision. A popular trick used by pentesters and criminals alike is to send fake "phishing" e-mails, which seem to come from legitimate sources and ask a firm's employees to enter their usernames and passwords on a look-alike site. About a fifth of employees who receive these e-mails are fooled by them.
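The phishing e-mail is the one technique the article actually spells out, so here is a small Python checker for the tells such a message usually carries: a sender domain that merely resembles the firm's, a Reply-To that does not match the sender, and a link whose visible text names a different host from the one it really points to. This is an added example, not code from the original article or from any pentesting firm; the two messages, every address in them and the assumption that `example-bank.com` is the firm's genuine domain are all constructed for illustration.

```python
"""Flag the usual tell-tale signs of a credential-phishing e-mail.

Added example; not from the original article. All domains, addresses and
messages below are constructed, and "example-bank.com" is assumed to be the
firm's genuine domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-bank.com"  # assumption: the firm's real mail/SSO domain

# Constructed phishing message in the style of the test described in the article.
SAMPLE_PHISH = """\
From: "Example Bank IT Helpdesk" <alerts@mail-example-bank.co>
Reply-To: support@example-bank-login.net
To: staff@example-bank.com
Subject: Action required: your password expires today
Content-Type: text/html; charset="utf-8"

<p>Dear colleague,</p>
<p>Sign in at <a href="http://example-bank-login.net/sso">https://sso.example-bank.com</a>
to keep your account active.</p>
"""

# Constructed legitimate message for comparison.
SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@example-bank.com>
To: staff@example-bank.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/html; charset="utf-8"

<p>Details: <a href="https://intranet.example-bank.com/maint">https://intranet.example-bank.com/maint</a></p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself looks like a URL or bare hostname.
URLISH_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def same_org(domain: str, trusted: str) -> bool:
    """True when domain is the trusted domain or one of its subdomains."""
    return domain == trusted or domain.endswith("." + trusted)


def looks_like(domain: str, trusted: str) -> bool:
    """True for look-alike domains: not ours, but reusing our brand label."""
    brand = trusted.split(".")[0]
    return bool(domain) and not same_org(domain, trusted) and brand in domain


def host_of_text(anchor_text: str) -> str:
    """Host named in the visible link text, or '' if the text is not URL-like."""
    plain = re.sub(r"<[^>]+>", "", anchor_text).strip()
    match = URLISH_RE.match(plain)
    return match.group(1).lower() if match else ""


def phishing_indicators(raw_message: str, trusted: str = TRUSTED_DOMAIN) -> list[str]:
    """Return human-readable indicators found in raw_message (empty list = none)."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = domain_of(msg.get("From", ""))
    if looks_like(from_dom, trusted):
        findings.append(f"look-alike sender domain: {from_dom}")
    elif not same_org(from_dom, trusted):
        findings.append(f"external sender domain: {from_dom}")

    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    for href, text in LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = host_of_text(text)
        if shown_host and shown_host != href_host:
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        if looks_like(href_host, trusted):
            findings.append(f"link to look-alike domain: {href_host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

The checks are deliberately header- and link-based rather than keyword-based: a well-written lure reads exactly like a genuine helpdesk notice, but it still has to be sent from a domain the attacker controls and still has to send the victim somewhere the attacker can read the password, and those two facts leave traces in the message itself.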
Once inside a network, a hacker takes an average of four hours to take control of it. Critics of pentesting say cheap software that automatically scans for vulnerabilities in a firm’s systems can automate much of the work pentesters do. They also claim that tests can create a false sense of security inside companies.
Firms also often make big changes to their systems between pentests, which can accidentally create new vulnerabilities, and some pentesters may simply lack the skills and ruthlessness to spot the weaknesses that cyber-crooks will find. Executives who have used pentesters acknowledge that clients should choose them carefully and call them back whenever big changes are made to computer systems. But they reject the notion that pentesters can be replaced with software: a good pentester does not just run security tools, but exploits the vulnerabilities found to probe deeper inside a company's systems.
To convince skeptical clients that their systems are vulnerable, pentesting firms can show videos of their hackers breaking in, to prove that they really did get in. Some ethical hackers go even further, pinching a confidential document from a client's servers and then presenting it to them with a flourish.
This makes the threat much more real. When shocked bosses are presented with this sort of evidence, they usually reach for their cheque books fast to fix the problem.
New risks are constantly emerging, notably in the field of mobile apps. Companies are rolling out lots of these, so that their employees can work on tablets and smartphones as they travel. So is anyone safe? To an extent yes, if we invest in ethical hackers.
Nyingiro is Director of Digital Forensics and Fraud Investigations at Matrix Digital Forensics Ltd. The views expressed are his own.