Cyber criminals are becoming more and more sophisticated, but so too are ethical hackers, who can help you to close down vulnerabilities before criminals exploit them.
“Customers are becoming less and less surprised by and more aware of their own security flaws. Customers are also more and more willing to spend money and resources on security. However, we do unfortunately still see customers that do not take security seriously and sweep flaws and risk under the carpet”, explains Aleksander Rasmussen, a security expert at Tietoevry.
Having worked for many years as a security expert and pen-tester, Aleksander knows what he is talking about. He now works at Tietoevry as a security consultant.
Pen testing is the term for the service consisting of an IT security company tasking one of its ethical hackers with attempting to find vulnerabilities and flaws in a customer’s infrastructure and services.
One of the biggest cyber threats you may be exposed to either in your capacity as a private individual or an employee of an organisation is what is known as phishing. Alexander uses an example from Netflix to explain how hackers work:
“You might receive a message containing a fake Netflix log-in image that asks you for your email and password. Given the busy nature of everyday life, it can be easy to click on such an image. If you look closely at the image, you will see that the web address it points to is not Netflix but a fake site set up by some hackers in Brazil, for example.”
In order to stop people from falling into this trap, he recommends that organizations use a two-factor log-in process. In addition, a good security culture in your organization and a healthy degree of skepticism are important. It is important to read who is the sender of the information in your browser to ensure you identify phishing.” He adds that if you are in doubt, contact someone who has expertise in the area.
Aleksander uses a number of methods to get inside customer systems.
There are more and more hackers, and they know what the weakest points of businesses are.
Many hackers succeed by targeting ‘end-of-life’ services, which is to say services for which security updates are no longer offered by their provider. Another typical point they look for is whether insecure passwords or standard passwords that have never been changed are being used.
“Organisations need to pay close attention to obvious vulnerabilities and to close them immediately. The more time goes by, the bigger the risk that attackers will get inside.
You must always ensure your house is secured with a proper lock. The longer you leave your house unlocked, the more risk there is of unwanted visitors”, adds Aleksander.
The most obvious things an ethical hacker checks are whether the company is using services with known vulnerabilities or insecure configurations such as old crypto algorithms and certificates.
A slightly more advanced method is to look for openings in administrative services that are directly exposed to the internet. Examples of this are SSH, TELNET and RDP.
Aleksander Rasmussen says that it is important for him as an ethical hacker to stay ahead of malicious hackers. He knows their methods and ways of thinking.
But there are no magic tricks. Security work is not a question of just throwing everything at an issue when something happens but of hard and targeted work. Organizations need to think holistically about security from a life-cycle perspective and to build security from the very start. In order to stay one step ahead, Aleksander recommends following basic security hygiene such as patching and testing services. It is also important to monitor the current threat situation by following security blogs, podcasts and other sources of news.
It goes without saying and is something that is imprinted on the mind of the ethical hacker: hackers succeed because people fail to follow procedures and make mistakes. Examples include people failing to install updates or patches and people not complying with security procedures. Ethical hackers also test whether it is possible to physically enter a business and thus gain access to critical equipment and technology.
“Create a good security culture internally so that employees never give out their username and password and are careful about downloading software. Awareness-raising activities and knowledge about digital threats and vulnerabilities are important, and managers need to lead by example”, explains Aleksander.
While cloud services have helped make many businesses’ day-to-day activities safer, this must not become a reason to relax, warns Aleksander.
“One challenge with the cloud is not having control over the infrastructure and surrounding services, and third-party container programs are one such example. It is a known issue among hackers that this type of cloud infrastructure can contain vulnerabilities. The same applies to third-party code templates”.
SolarWinds and Kaseya created a lot of concern in 2021, and we should expect more attacks of this type.
“It is important to map all the data that is processed in a system or business process and to have control over how this data is stored.”
Ethical hackers look for vulnerabilities in software, and there are a number of loopholes in software that it is important to close.
Aleksander is of the view that businesses need to monitor and set requirements for software suppliers.