Posted by Josh Townsend on August 30, 2016.
Cybersecurity is often seen as a matter of code and software. Use the right products and keep them up to date, and you can call yourself ‘secure’. But in reality, the greatest threat to security often comes from a lack of awareness, and poorly-trained staff are more of a liability than an out-of-date firewall. In order to understand the importance of awareness over software, we talked to someone who has been involved with computer security since the beginning. Robert Schifreen was once the UK’s most famous hacker. His recent venture into the area of security awareness training aims to help companies protect themselves from today’s threats. ITsecurity.co.uk spoke to Robert from the SecuritySmart offices in Brighton.
Defense naturally falls one step behind offense; attackers are proactive, while defenders are reactive. In the earliest days of hacking, this meant that there wasn’t even a legal process for dealing with hackers. Robert recalls his role in the legal complications and eventual solution:
“Back in 1983, my first job was as an IT journalist. I got into the hacking side of things pretty soon after, for the classic ‘because it was there’ reason I guess. I was arrested in March 1985, so it was all quite a while ago. At the time there was no law against hacking, so I was charged with forgery under the premise that typing in someone else’s password was like forging their signature. After a lot of legal arguments and hearings I was finally acquitted in 1987 in the House of Lords, and subsequently the Computer Misuse Act 1990 was passed as the first law against hacking.”
But Robert soon turned away from hacking, working to raise awareness of security threats and how to combat them – cybersecurity’s original poacher turned gamekeeper. A lot has changed in cyberspace over that time, and Robert elaborated on the very earliest issues, and the evolution of hacking’s capabilities and the motivations behind it.
“I’ve been involved in IT security pretty heavily since then. I’ve trained staff at IT companies, investment banks and universities. I’ve done literally hundreds of broadcast interviews (I’m sad enough to keep a list!), and a lot of conferences and seminars. There are two big differences in cyberspace today compared with the 80s, both of which are intrinsically linked: the internet, and the data on it.
“Back in the 80s and 90s, online computers were wired to a landline, so the first thing a hacker had to do was find the right phone number. Once you got the right tone that sounded like a modem, you could then start guessing usernames and passwords. It would cost you the price of a phone call every time you tried to access a system, so the process was long and expensive. Nowadays the internet makes it possible to try millions of systems every few minutes just by picking IP addresses at random and seeing what you find. Then you can begin the reconnaissance process of searching for unpatched operating systems, open ports and so on. And some hackers do indeed merely try addresses at random, which answers the ‘why would anyone try to hack us?’ question that many companies ask. There’s a small company in Sussex that sells solar panels, whose web site was defaced by supporters of ISIS for just that reason.
“When I was hacking, I was doing it for fun. Rather like train spotting, but without the anorak or Thermos flask. Once you accessed a system you could do little more than write it down in your notebook of achievements as there was nothing terribly exciting to find. Today there are millions of servers storing huge amounts of sensitive information that cyber criminals can steal. Before, there were very few businesses that existed online at all, let alone in their entirety like they do today. There was little to actually gain from hacking. The potential for profit today means there is a more serious threat than ever, and it keeps getting worse as we continue to shift more of our shopping, dating, banking, working and socialising online.”
But the more things change, the more they stay the same. “It irritates me that some of the mistakes that people were making in the 80s are still being made today,” Robert commented. “On the techie side of things, the same blunders are being made in program code that can make them vulnerable to a security breach. But more importantly, end users are making repeat mistakes such as writing their passwords down on paper and then sticking it to the monitor.”
Add to this the new vulnerabilities that sites like Facebook and Twitter can create for incautious users, and you have quite the security challenge to overcome. “People don’t realise the risk that social media can pose. The more information you give away about yourself on the internet, the easier it is for a hacker to pretend to be you in order to con your friends and colleagues.”
As hacking and data breaches have become more prominent and costly, more and more products and software have emerged to combat it – but this has only served to highlight, through human error, that security cannot be automated. More than any software package, caution and the right attitude are vital to keeping oneself protected. We asked Robert for his thoughts on the relative roles of software and attitude in cybersecurity.
“Security is not a product, but a state of mind or an attitude. Of course you need your antivirus software, firewall and so on, and I wouldn’t want to knock the great products we have available to us. But at the end of the day, emails are easy to spoof. If I send you an email saying ‘I’m from your bank, and please click here to log into your account,’ there isn’t much software that can easily detect that and protect you. It’s a case of being aware and alert. It’s the same thing as if someone gave you a form to sign on the street and said that if you sign it they’ll give you £100. You wouldn’t sign without reading it first. Or, if someone came up to you and said ‘I’m a friend of yours, can I borrow your car?’ you’d think twice about handing them the keys. These things sound ridiculous, but people do the equivalent online all the time.”
This all comes back to awareness. The best protection from data threats, whether for staff, leadership or the end user, comes from education. Robert’s approach to this is more hands-on than theoretical. Dissatisfied with the level of security awareness that companies display in general, as well as the attitude towards compliance, he has made his own security awareness training program – SecuritySmart. “I think it’s important to take advice from an ex-hacker rather than a theorist sometimes,” Robert said, explaining the unique position from which he sees the industry’s problems. “I know how hackers think, how obsessive they can be.
“I’ve been doing IT security awareness training for a while for all sorts of businesses and corporations about how to stay on top of ransomware, hackers, fraudsters and so on in the UK, Europe and the States. I wanted to make a scalable version of myself so that my training could feasibly reach more places.”
The industry is by no means short on training programs, auditing software, compliance checks and security products, but what puts SecuritySmart in a unique position is the history of the man behind it. Having seen both sides of the cybersecurity issues and all the changes they have undergone since the ’80s, Robert Schifreen can provide a more closely-involved perspective on the current problems the industry faces – and how to overcome them. To understand his perspective on the current shortcomings of security awareness, we asked him to outline some of what SecuritySmart offers.
“It’s amazing how many companies tell me that they only provide security awareness training for staff at their induction, and never repeat the exercise. It might tick the compliance box but it doesn’t actually give you any better security. Dozens of CISOs have told me they don’t like current training because it’s not measurable, so I wanted to tackle that problem too.
“So I made SecuritySmart.co.uk, and we also built our own learning software platform called Ramekin. From the website, companies can sign up for the training which is delivered to their staff weekly by email instead of them having to take time off work to go to courses. It also means there’s no separate learning management system that trainees have to log into and learn to use, which also means no extra usernames and passwords to remember (or forget!). This makes the system really easy to use.
“SecuritySmart is measurable because your dashboard shows you how well your staff are doing with the answers to the multiple choice questions. This gives managers more control over their security as they can then take action to make sure employees who don’t sign up, don’t answer the questions or don’t answer them correctly are dealt with however the company feels most appropriate. This could include sending them to further training sessions, although Ramekin will automatically send out a secondary email with further advice if a trainee gets an answer wrong, so it can be used as the basis of either a primary or complementary security awareness training programme.”
SecuritySmart’s efficacy will be demonstrated by those companies adopting it. The requirements and challenges of cybersecurity are sure to grow and change, as they have been ever since Robert Schifreen’s early hacking days, but with such a wealth of experience and hands-on insight behind it, SecuritySmart will be an interesting program to follow.
There’s more information about Robert’s new service at www.securitysmart.co.uk.