The majority of hackers surveyed in the 2018 “Black Report” claimed they could breach a perimeter and exfiltrate data in less than a day. The results were similar across industries, from telecommunications companies to law firms, federal government, critical infrastructure, and aviation.
Cyber defense can seem like a constant game of whack-a-mole, with security teams trying to keep pace with increasingly sophisticated hackers and other cyber criminals. And everyone is at risk, says Jeff Moss, founder of the Black Hat and Def Con security conferences and a security advisor to the secretary of Homeland Security.
“They’re all at risk, they’re being attacked continually, and they’re all vulnerable,” Moss explains. “I don’t think the news is that Fortune 500 companies are vulnerable. The news is, what are they doing about it and how do they control their risks? No company can be 100 percent secure.”
While many malicious hackers will go for low-hanging fruit with simple phishing techniques, others are much more creative.
Last year a casino was victim to a breach from a seemingly innocuous source: a connected fish tank. Its sensors were connected to a PC that regulated the tank’s temperature and cleanliness, and after breaching the tank sensors, the attacker moved around the network and stole 10 gigabytes of data.
Separately, British consumer rights group Which? cautioned it was disturbingly easy to hack into connected toys like Furbies – echoing a warning from the FBI.
While there might not be any Furbies in your enterprise, the warnings illustrate the inventive methods hackers can use.
Jennifer Arcuri, co-founder of white-hat consultancy Hacker House, says some of the first actions her firm takes when exploring vulnerabilities for a client are to figure out who might be targeting a business and who the adversaries are.
“Then we look at what vulnerabilities are there,” she says. “By design, all computers are broken.”
Moss agrees. “The internet is full of robots, and they’re checking everybody,” he says. “You need to be prepared to just assume that you’re always under attack, not because you’ve been singled out, just because you’re participating.”
The Hacker’s Perspective
When security teams adopt a hacker mindset, they can develop a more holistic defense strategy that combines people, process, and technology.
“Hackers are very persistent and data driven,” says Arcuri. “Always anticipating how that might be applied to your organization is a good way to think about it from their point of view.”
There’s a lot that industry and law enforcement can learn from the hacker community, says Arcuri. “The information sharing and transparency, understanding how things work, so much of that can be harnessed into better solutions,” she says.
To learn more about the hacker mindset and how to protect your business, watch the webcast episode, Hackers tell all: Why your organization is a target.