Thanks to the widespread availability of connected devices, it's easier now than ever before to buy and sell anything from just about anywhere, be it legal or in many cases, not. Guns, drugs and even hacking services are becoming as easy to buy as our online monthly food shopping.
While some services can be found on the regular Web, those looking for something more serious will inevitably turn to the Dark Web, a place where buyers and sellers can purchase services with full anonymity using crypto-currencies.
Illegal hacking services have increased over recent years, mainly through individuals with a grudge to bear. Experts and lawyers from Norse Corporation believe the Sony attack in 2014 may have been from an ex-employee working with hackers.
While we're focused on the advancement in technology for ourselves and the ease of use to create things like smartphones or apps, the darker realm of technology is also making leaps and bounds. The barrier for hackers to enter our world is getting lower and therefore simpler to enter and disrupt than ever before. A recent report from the Rand Corporation stated, “Greater availability of as-a-service models, point-and-click tools and easy-to-find tutorials makes it easier for technical novices to use what markets have to offer.” Basically, if you give the tools and instructions on how to do something, anyone can do it.
How worried should we be? Well, the threat is growing, as it always has, but the developing complex nature of our online environment is creating an opportunity for hackers to take advantage of.
In a traditional computing model, we normally analyse three sections, the physical environment, the computer hardware and the software for potential gaps or threats. It's fairly straightforward and common for policies, procedures and protections to be considered and put in place for each. In the online, or virtual world, the physical and hardware layers have been engineered to create a pretty robust underlying platform. Naturally this needs protecting and for the most part it is, with well-known and easy to check control. It's the next layer up that's causing the issue. Corporations and providers have created a hugely scalable and interconnected, but massively complex virtual computing environment.
This is where it gets tricky. As the environment gets increasingly complex and hard to protect, it's becoming easier to hack and exploit. As the Rand report points out, increased connectivity can lead to more holes in the system and more points to attack or exploit for those operating in the black markets.
So what can be done to protect our business and personal lives from being affected by someone looking to gain access to our information without approval? The best move to make is to get there first and find out what can be accessed. Ethical hacking has been around for years; I know because it used to be my job. We shouldn't be fearful of running a programme to identify back doors into our own systems or identifying weak points. It's fairly straightforward to do, which is the whole point in doing it. If this was something too tricky, hackers would look elsewhere to make a few easy quid.
One of the most common ways hackers can get in is through public Wi-Fi. Hackers can set up their own network acting as an innocent network for you to use and gain your personal information without you realising. Even if you're not using the device, if it still is Wi-Fi enabled it can be accessed. In the era of Bring Your Own Device, this can be particularly damaging should the device contain sensitive work information.
If it's not something you want to do yourself, employ someone. There are plenty of people and services out there. This doesn't have to be for the entire company or service either. Focus on the areas where you know the most important data resides. The data which you couldn't afford to lose. And if you're not sure what data that is, work it out quickly and then find out how accessible it is or isn't. Inevitably there will be a cost, as with any service, but the investment far outweighs the risk.
Once identified, the first solution to implement is two-factor authentication, having something you have and something you know, for example a credit card being the thing you have and the PIN being the thing you know. With two-factor authentication, you have a device that creates a one-time password while you have a PIN unique to yourself. This helps ensure only you have access to the device and the data within it. Once this is in place, you must focus on protecting your most vital asset, the data. Implementing security protocols like encryption and key management help protect the data, should the inevitable happen and you are breached. Encryption essentially renders the data useless to anyone who is not authorised to access it and this is done through key management. These keys help unlock that encryption so must be kept with the hardware to avoid them being hacked. These protocols aren't expensive and are necessary to protect your data from cyber-criminals.
Attacks don't just result in a loss of data, they can slow down product development or a loss of your IP and almost certainly a hit to your reputation. So while hackers will continue to look and prod for ways to access your data, your best bet is to beat them to it.
Contributed by Jason Hart, CTO, data protection, Gemalto