As part of global Cyber Security Awareness Month, UKFast has teamed up with a range of cyber security experts to raise the profile of staying safe online. This week we spoke with Alberto Redi, CEO of Zone-H – whose website provides a platform for hackers to share their handiwork – and partner of Swiss cyber security company Security Lab.
The interview below shares Redi’s insights into future cyber threats and ventures into the mind and motivation of the hacker.
UKFast: How long have you worked in cyber security? How has the online world changed since then?
Alberto Redi: I have been in the cyber security business for 8 years, and running the Swiss company, Security Lab since 2006. In this period the process of turning from ‘hacking-for-fun’ to ‘hacking-for-money’ has been completed.
UKF: We have seen only this week that cyber threats are continually evolving, with the discovery of a new ‘Stuxnet’ style worm targeting European countries; what are the major changes that businesses should expect in the coming year?
AR: The changes in cyber threats going on now are what we predicted nearly 10 years ago; that hacking starts seriously targeting smartphones. Despite the hype, hacking social media is already widespread, so I don’t see this as any bigger threat in the future.
The change that has to be addressed NOW is to increase public awareness first, which will then have an impact on the levels of overall corporate awareness.
Just two or three years ago, for example, it was very uncommon for companies other than Telco or the banks to place any kind of budget on auditing their security. We can see the threats and attacks that happen online everyday in the press, but it’s still not enough to make the public think carefully.
People read news about cyber-attacks and hackers with curiosity, but this still does not alter their awareness level.
Companies can close down as a result of a hack attack, see the SSL certificates hack on Dignotar for a recent example. They can lose a lot of money and more importantly lose their credibility; we just have to look at Sony for a clear example of this.
The Stuxnnet worm, targeting nuclear plants, is expected to mutate to a second version. Is that not enough to make people take notice of the threats out there?
UKF: Cyber threats through social media may be ‘nothing new’ but we are hearing time and again that social media sites are feeding hackers – what is your view?
AR: Without a doubt social media is making hacking easier. Nearly everyone who uses a computer also uses at least one of the social network sites and is using both with a very low level of risk awareness.
Additionally social networks make it very easy to put social engineering strategies in place [tricking people into performing actions or divulging confidential information]. Many people still think that what they see on the screen is essentially real, but people must understand that although it looks exactly the same, occasionally it is not.
UKF: The Zone-H website provides an archive of defaced websites from across the globe – providing a platform for hackers to share their website defacements. The majority of the defacements listed on the site are ‘just-for fun’ small scale hacks by script-kids.
Seeing the continually growing list of hack victims posted every day on Zone-H, it seems that the hacking wave is relentless at the moment. Why do hackers hack?
AR: Well, if you look at the Zone-H statistics it’s clear that the main reasons behind most low-end attacks are “just for fun” or for a “political reason”. In this case we are talking just about defacements, which can be considered as a basic ground school.
The real reason for proper hacking, especially for highly skilled hackers, is money – the strongest motivation in the world.
UKF: Although script-kids are considered to be at the low end of the spectrum, they can still cause a lot of damage to a business’s reputation. Who do you believe is more of a threat, the skilled hacker or the ‘script-kid’?
AR: Script kiddies make a lot of noise and, from time to time, they do cause serious damage. But skilled hackers can go one of two ways. If they don’t take the route of turning into security professionals, they are likely to join criminal organizations and become even more dangerous by going underground so that we no longer hear them coming.
UKF: This year has seen the rise of the hacktivist. They have brought hacking and cyber safety into the spotlight – what are your opinions on LulzSec and Anonymous?
AR: When it comes to hacktivists like Lulzsec and Anonymous, I cannot agree with or condone anyone taking part in illegal activities. However these organizations are highlighting the dangers of cyberspace and increasing the awareness which will hopefully lead to a more secure cyber world in the future.
UKF: Who is most at risk from hackers and cyber threats?
AR: Everyone is at risk and everyone should remember this to help ensure a more secure cyber world. Why are people leaving their homes with locked front doors but surfing the web with an obsolete antivirus and no firewall?
UKF: In an age where cyber threats are evolving so quickly and high-profile hacking attempts are an increasingly regular occurrence, what can businesses do to protect themselves from these hacking attacks?
AR: It’s a difficult question. Security is a holistic process where the human factor is the weakest.
The key areas that businesses should be focussing their cyber security strategies on are awareness, patching, tools and auditing.
UKF: What course of action would you recommend if a business has been hacked?
AR: Basically if a business has been hacked it’s too late. Security is like an insurance policy, you have to think before it happens. The only thing that you can do once you have been hacked is to report the attack and try to fix the problem with well-known security specialists. The do-it-yourself approach in the security world is not a good idea.
UKF: What are your top 5 tips to stay ‘cyber-secure’?
AR: My top five tips are:
- Awareness [know the threats that you are facing]
- Patching [software or updates to fix problems and bugs – including fixing security vulnerabilities]
- Tools [that help the application of a patch]
- Auditing [evaluate the strengths and weaknesses of a cyber security strategy]
- DO NOT do it yourself!