Recently, I responded to a LinkedIn article about a cyber attack on a cancer center. The person who posted it basically asked the question, why would a hacker go after something like a cancer center or a school? After reading the posts, it seemed to me that there is a lack of understanding as to why and how hackers actually do what they do.
Why Do Hackers Hack?
One of the biggest misconceptions about hacking is that people think that they are not important or that they don’t have anything that hackers want. The issue here is that people don’t understand why people hack. There are three basic reasons why hackers hack and they are: money, politics, espionage, and malice/mischief. Money is perhaps the easiest to understand: hackers want money. You have it… therefore you are a target. Hackers can steal your money in several ways, either by stealing your credit card and bank info, or by installing some sort of ransomware. What is important to understand is that since you have money, you are a target.
Hackers also might be interested in your systems to build botnets, which are armies of computers that a hacker controls, which can be used for all kinds of mayhem. Some master hackers build botnets and then rent them out to other nefarious individuals for profit.
If you are affiliated with a hot button issue, hackers also may take interest in your sites. Their goal in this case is not to extort or steal your money, but rather to embarrass you, damage your image, or prevent you from operating. These types of hackers are known as “hacktivists” and depending on the cause, sometimes you may agree with their activities, attacking neo-nazi websites for example. Hacking groups such as Anonymous and others are examples of hackers that hack for political reasons. What I’d add here is that this can change on a dime. An organization may hold views that are “mainstream” and then something happens, a board member says something stupid for example, and that can unleash the hacktivists.
My general unscientific observation is that most people believe that hacktivism or espionage are the primary motivations for hackers, and thus believe they are not at risk. The fact is that this is not the case. You may not be a target for hacktivists, but analysis of most hacking shows that the vast majority is done for money. Thus if you have money, you are at risk.
Another reason that hackers hack is to steal information, otherwise known as espionage. This can be in the form of industrial espionage, or nation-state espionage where nations are attacking adversaries for political reasons. The various alleged Russian cyber attacks against Ukraine or Estonia, or the Israeli cyber attacks against Iranian nuclear facilities are examples of that. Cyber attacks can be a very effective means of waging war because cyber attacks can be surgically targeted, very effective, and avoid collateral damage.
Clearly most people are NOT targets for nation-state level hacking; however, if your organization is involved in providing some sort of critical infrastructure, you need to consider yourself a possible target for nation state level espionage. Let me give you a hypothetical example. Let’s say you run an elevator company and have a service which monitors all your elevators in a city. You might think that elevators are not critical to anything, but what happens if miscreants attack your system and cause every elevator in a city to run to the top of a building and not stop? You now have millions of dollars in damage on your hands. (See points 3 and 4)
The final reason people hack is for fun. Now, while you could argue that everyone is at risk from these types of hackers, the flip side is that these kinds of hackers aren’t usually that good, so aren’t as likely to successfully hack anything or actually cause serious damage. Usually that isn’t their goal. In most cases, their goal is to pull a prank, not to cause serious damage. (Now I know someone is going to point out examples to the contrary, but in general, if someone is a really talented hacker, they will make a career out of it which means they are hacking for money… either for the good guys or the bad guys, however you choose to define that.)
Along these lines, there are also hackers who do it for the challenge. I recently read an article which said something like more than 65% of hackers do it for the challenge. I couldn’t help but wonder about that statistic. My concern was that while 65% of the hackers may be in it for the challenge, how many are actually successful or have any clue what they’re doing? How many serious hackers would even respond to a survey like that?
Most Attacks are Opportunistic
Now that you understand WHY hackers hack, it is important to understand HOW. This is another area which most people don’t really understand. Let me set the stage… I’ll be talking to someone and I’ll mention that I work in cybersecurity, to which they will ask me something like “What’s my chance of being hacked? I’m not a celebrity or anything like that. Why would a hacker care about me?” The answer is hackers don’t care about who you are. They want your money. Nothing personal.
Here’s the thing: most hackers are not targeting specific individuals. Hackers are opportunistic and simply looking for vulnerable computers. How do they do that, you ask? Well, they have automated tools that scour the internet looking for computers with unpatched vulnerabilities. Think Google for hackers. It doesn’t stop there. Once hackers find vulnerable systems, they have automated tools, known as exploits, which will automatically attack a vulnerable system. It doesn’t matter if that system belongs to Bill Gates, a cancer research center, or your neighbor. If it is on the internet, it is being scanned, and if vulnerabilities are found, you will be attacked. It is not a question of if, only of when.
The key to all this is that you can make yourself a less attractive target, see point 5, but basically keeping your software up to date will make sure that your machines aren’t vulnerable to exploitation. Automated tools only work on vulnerable systems, so patching vulnerabilities as quickly as possible is the best defense against automated attacks.
Any Device Can Let Hackers In
Another key concept which people must understand is that any device you connect to the internet (or even your local home network) is a computer through which hackers can attack. There have been many documented attacks where a hacker has gained access to a network via some insignificant device such as a printer or IoT device. Just as you wouldn’t install all kinds of high tech locks on your front door and leave your back door wide open, it is absolutely essential to secure EVERY SINGLE DEVICE no matter how “insignificant” you think it is. All it takes for a hacker to gain access is one chink in the armor, so don’t give them the chance.
Speaking specifically about IoT devices, it is often very difficult to update the software on embedded devices. After all, when was the last time you updated the firmware on your light switches? For homes this pe
Oh, and don’t forget to change the default passwords.
Does this NEED to be connected?
The trend in the 21st century seems to be to connect everything to the internet and make it a “smart” device. It is no exaggeration to say that we have smart toothbrushes, smart light switches, smart cars, smart coffee machines and the list goes on. On the one hand, I love technology. To the annoyance of my wife, I have proliferated smart devices throughout our home.
While there are real conveniences to be gained by connecting devices to the internet, there are three very serious issues with doing so: risk of intrusion, loss of data privacy, and risk of device failure. Let’s take a look at these categories. For the risk of intrusion, I would refer to the earlier section on how any device can let hackers in. I’m not going to repeat myself here, except to say that it is very important to understand that any device you connect can be an entryway for hackers to other systems, so choose wisely. Likewise, it must be kept up to date with security patches.
When I first got interested in connected (smart) devices, I was very impressed with the convenience and futuristic nature of these devices. After all, how cool is it that you can walk into your home and say “Alexa turn on the lights” and all your lights go on. What you can do with all this technology is really incredible. What isn’t incredible is the loss of privacy that unfortunately results from all these devices. From 2015-2017, I did some research into this topic and came to the unfortunate conclusion that these devices are simply data slurping/surveillance devices. You can read more about this on this site, but consider a connected light switch in your bedroom. If you were to get the data from this switch, you can map out a person’s pattern of life, with surprising accuracy. You can identify when they go on vacations, when they work, religious beliefs, etc. All from a light switch. Some of these devices go even further and report your location, wifi network information etc. To an experienced data scientist, the possibilities are really endless.
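To make the light switch point concrete, here is an added example (not from the original post) that builds a constructed two-week on/off log for a hypothetical bedroom switch and recovers, from nothing but timestamps, the occupant’s weekday and weekend wake times and the days they were away. The log format and the hub export it imitates are assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, time, timedelta


def build_sample():
    """Constructed log: 'ISO-timestamp,state' lines for one bedroom switch.

    Weekdays: on ~06:30 (wake) and ~22:00 (bed); weekends: later.
    Days 7-9 have no events at all, standing in for a trip away."""
    lines = []
    start = date(2017, 3, 6)  # a Monday
    for d in range(14):
        day = start + timedelta(days=d)
        if 7 <= d <= 9:
            continue  # occupant away: the switch is never touched
        weekend = day.weekday() >= 5
        wake = datetime.combine(day, time(9, 15) if weekend else time(6, 30))
        bed = datetime.combine(day, time(23, 45) if weekend else time(22, 30))
        for on, off in ((wake, wake + timedelta(minutes=20)),
                        (bed - timedelta(minutes=30), bed)):
            lines.append(f"{on.isoformat()},on")
            lines.append(f"{off.isoformat()},off")
    return lines


def parse(lines):
    """Turn log lines into (datetime, state) tuples."""
    return [(datetime.fromisoformat(ts), state)
            for ts, state in (ln.strip().split(",") for ln in lines)]


def daily_profile(events):
    """Map each day with activity to (first 'on', last 'off') clock times."""
    by_day = defaultdict(list)
    for ts, state in events:
        by_day[ts.date()].append((ts.time(), state))
    return {day: (min(t for t, s in evs if s == "on"),
                  max(t for t, s in evs if s == "off"))
            for day, evs in by_day.items()}


def absences(profile):
    """Days inside the observed span with no switch events: likely away."""
    first, last = min(profile), max(profile)
    span = [first + timedelta(d) for d in range((last - first).days + 1)]
    return [day for day in span if day not in profile]


def median_first_on(profile, weekdays=True):
    """Typical wake time, split by weekday/weekend so routines stand out."""
    times = sorted(on for day, (on, _) in profile.items()
                   if (day.weekday() < 5) == weekdays)
    return times[len(times) // 2]
```

Running `daily_profile(parse(build_sample()))` through the two helpers yields the 06:30 weekday and 09:15 weekend wake times and the three-day gap, which is exactly the pattern-of-life leakage the paragraph describes.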
Lastly, when connecting devices to a network, people should really consider what would happen if the device in question stopped working completely. I come from a medical family and have heard stories of hospitals being paralyzed when their systems to distribute medication were hacked or crashed. Security researchers have found such vulnerabilities in all kinds of devices ranging from cars to toothbrushes. No device is ever 100% secure or immune from compromise. Consider what would happen if a “smart” medication system was compromised and started distributing incorrect medications to patients.
The bottom line is that before connecting any device to a public network or “smart” device, you should really ask yourself whether this device REALLY needs to be connected, and also have a plan not only for if it fails, but for if it is compromised. Remember that even a seemingly insignificant device can create major inconveniences if it is compromised. Imagine what would happen if your lights started flashing uncontrollably, or your self driving car decided you really wanted to go to Pizza Hut instead of Dominos (or whatever). These kinds of attacks can cause serious disruptions in society and even cause deaths.
Keep Your Software Up To Date
One of the easiest ways to reduce your vulnerabilities is to keep your devices and software up to date with the latest updates and patches. Despite this being universally recognized as a security essential, it never ceases to amaze me how many companies don’t update their machines. Worse are corporate intranet sites which require old web browsers. When I worked at a major bank, there was an internal site that I had to access regularly (I think it was an HR site or something like that) that could only be accessed using Internet Explorer 8. (This was maybe 2 or 3 years ago and MS had long since ended support for IE 8.) This was problematic for me firstly because I used a Mac and IE 8 is not available for a Mac. The problem was that it also wasn’t available for many Windows versions either. In the end I had to build a virtual machine with some outdated version of Windows solely in order to access this particular web site. In another instance, when Apple released a new version of Safari, it took almost a year for my company to support it for their VPN login.
Both of these situations are examples of incredible laziness and bad security practices. In both situations, the company itself is actively increasing risk and their attack surface by forcing people to find creative work-arounds in order to do their job. More importantly, it actively forces employees to use out of date, possibly vulnerable software. In the case of the Safari upgrade, Apple makes their beta software available well in advance so there really is no excuse for failing to make the VPN software compatible.
Checkboxes Do Not Guarantee Security
Recently, there’s been a lot of virtual ink spilled over the US government’s efforts to create new standards for cybersecurity. On the one hand, these kinds of standards are good for the clueless as they provide a beginning benchmark from which to build a real cyber security program. On the other hand, since it is a government entity creating these standards, the inevitable result will be that the standards will be driven by politics, will become stagnant, and will create a lot of arguably unnecessary bureaucracy around certifying companies’ security. What this is heading towards is what I call “check the box security” (CTBS).
CTBS makes managers feel good because they have checked the box. Yes of course, all our staff have certifications X, Y and Z, and all our equipment meets specifications A, B and C.
The issue here is that CTBS lulls organizations into a false sense of security and simultaneously creates all kinds of complications so that their security teams spend more time worrying about box checking as opposed to actually securing their infrastructure. The way I see it is that CTBS isn’t necessarily a bad thing, but you shouldn’t confuse it with actual security. It is a good starting place, and if you are serious about security, you should still make sure your cyber security professionals are able to do the things they need to actually secure your organization.
Past Behavior Does Not Guarantee Future Results
My last topic is the notion that the past does not guarantee your future in cyber security. All the time, I hear from people, “Well I’ve never been hacked”. Just because you haven’t been hacked yet, doesn’t mean you won’t. Additionally, just because you were hacked yesterday, doesn’t mean you won’t be hacked tomorrow. Hackers are always out there, trying to steal money, information, and in general wreaking mayhem in any way they can.
You can choose not to be a victim by making yourself an unattractive target. If you are an attractive target, make the hackers’ lives as difficult as possible. You can’t be completely immune from cyber attacks, but you can certainly fight the good fight.