
“Education is going to be vital in strengthening IT security as we move into the future.”
-Jason Hart
I'm often asked exactly what an ethical hacker is. Essentially it's someone who understands how to gain access to a company's systems so that the company can fix the vulnerabilities and other problems within the business before someone else finds them. I've worked with some major global organisations, which I cannot name. But ethical hackers can work with any company, from an SME to a large global bank. All businesses are opening up their networks now, adding remote working solutions and doing more on the web. And this makes them more vulnerable.
Real hackers come in all shapes and sizes. They are often disgruntled ex-employees or people who are still working within organisations. Or they could be a competitor. Hacking doesn't have to be malicious; people often do it as a challenge. They hack into companies' websites then deface them, effectively putting graffiti onto the websites. In the UK there are thousands of websites that are hacked into in this way. It's easy to do - even my grandmother could do it. The way of doing it is simply to get hold of someone's username and password. To do that, go onto YouTube and search under 'how to crack someone's username and password' and you get thousands of different videos that are about 10 minutes long.
Social engineering often plays a big part in the hacking process. A good example of this would be Fred, who has just started at a new company and has announced this on his LinkedIn page. A hacker could contact Fred and say 'I notice you've just joined the company, I work within the IT security department and I need to confirm you have all the relevant policies and procedures and that you have been given the right URL for your remote access web mail account.' Fred is then asked to disclose the information. A week later the same person contacts Fred, tells him there have been some business continuity issues within the company and tells him to click on a web link to check his login details still work. What has happened is that Fred has been directed to a fake external website, and by now the hacker has his username and password through befriending him and gaining his trust. Social engineering is a very old concept, but combined with technology it's very powerful.
One of the most important risk factors large organisations have to consider is possible damage to their reputation or brand integrity. People don't put a value on these types of things and it's very hard to do so. But to have a security breach and for that to be on the front page of The Times newspaper the next day means your credibility has gone overnight. It doesn't matter if you're a small charity or a large global organisation, your reputation is crucial. Part of reputation, credibility and integrity these days is about taking information security seriously. And unfortunately many people still aren't taking it seriously.
When it comes to guarding against hacking attacks it's all about understanding what the potential risks are. But there are also some other fundamental things people can do. Many have implemented firewalls, anti-virus software and content filtering. But when it comes to protecting passwords they haven't really done anything, and yet they are still opening up their network and businesses to third parties. Being able to control usernames and passwords is vital, and having a form of two-factor authentication mitigates a lot of that risk. This enables companies to control who is coming in and out of their business networks.
Two-factor authentication can be used to log into any remote application, online application, remote working solution or VPN solution. In any instance when people are getting information externally from the business, they should be using two-factor authentication. This is not a new technology. CRYPTOCard, for instance, has been around for 20 years. However, there are now easier and simpler ways to implement it. CRYPTOCard software is a service which allows you to solve problems instantly, within minutes, without any infrastructure or hardware requirements, removing all the hassles and headaches of implementing a two-factor authentication solution. And it's cheaper than a cup of coffee per month.
We're hearing a great deal about cloud computing these days and the security risks it might entail. The underlying element that secures cloud computing, and the ability for an individual to access that cloud computing application, is a username and password. And if that username and password is not protected using two-factor authentication then certainly the whole credibility of cloud computing falls down, because it's wide open. But for cloud computing you can use two-factor authentication to mitigate the risk.
If you look at any Fortune 500 company now they have a Chief Security Officer, which is fantastic. The view now is that people are becoming very technical and it's all about the technology solving the problem. But unfortunately technology only solves a very small part of the problem. I think people need to get some real basics in place. For instance, usernames and passwords have been around since 1959, and that was a control that was put in place to protect four computers at the time. We now use it to protect every single part of our assets and our IT infrastructure. People don't even go onto the internet now without using anti-virus software. So why are we still using a control that came about in 1959 to try to solve millennium issues?
Education is going to be vital in strengthening IT security as we move into the future. We need to start educating people now because they still don't believe the risks. We've got children growing up who, at the age of five or six, are already using computers and seeing the internet as another form of life or reality. Children are given sex education at school, so why aren't they given internet education in the same way? The same principles and levels of awareness need to be applied there.
Jason Hart is a former ethical hacker and current CEO of CRYPTOCard.
Three of the world's most notorious computer hackers
Jonathan James aka c0mrade
The first juvenile to serve prison time for hacking, James was sentenced to six months in jail in 2001 at the tender age of 16. His activities included creating a backdoor into the US Department of Defense's Defense Threat Reduction Server and stealing programs worth an estimated US$1.7 million from NASA. James committed suicide in 1998.
Kevin Mitnick aka Condor
The most wanted hacker in US history, Mitnick's varied intrusions sparked an FBI manhunt. From exploiting the Los Angeles bus punch card system to get free rides at the age of 12, Mitnick graduated to phone phreaking and hacking. Things came to a head when he went on a two-and-a-half-year coast-to-coast hacking spree. He was captured after breaking into computer expert Tsutomu Shimomura's system, with Shimomura making it his personal mission to track Mitnick down.
Kevin Poulsen aka Dark Dante
Famous for rigging a radio phone-in competition to win himself a brand new Porsche, Poulsen also devoted a great deal of effort to breaking into various US government computer systems. Arrested in 1991, he was sentenced to five years in jail in 1994 as well as being forced to pay US$56,000 in restitution. Proving that there is life after hacking, Poulsen is now Senior Editor at Wired News.