Developing awareness for the dangers of the digital world

Aug 14, 2019.

The more we depend on the digital world, the more vulnerable we become and the more likely it is that we fall prey to identity theft. We interviewed IT security expert Harald Reisinger and he explained how even security specialists can become victims of cyber attacks.

Your company employs white hat hackers – “good” hackers – to identify weaknesses in customers’ IT systems. How does this work?

Harald Reisinger: Our penetration testers simulate an actual hacker attack, in other words, they try to break into the company’s IT environment. There are three ways of going about this. We attempt to infiltrate the system from outside, we examine how a guest or employee could cause internal damage, and we address the human factor as a vector of attack.

How do hackers infiltrate a company’s IT system, and how long does it take them to do it?

Harald Reisinger: They try to exploit any security gaps in applications, the server or underlying databases. A known method of attack is SQL injection. Here the hacker uses certain commands to try to trick the server into giving access to database contents, for example, which a normal user would never be able to see. In contrast to our white hat hackers, however, the “bad boys”, i.e. the black hat hackers, have all the time in the world to ply their craft. We, on the other hand, must restrict ourselves to a given window of time. For small audits we need two to four days; larger audits can take up to 30 days.
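The SQL injection mentioned above, shown as an added example that is not part of the interview and not RadarServices' own code: a constructed in-memory SQLite table of customer orders, a lookup that pastes user input into the statement, and the same lookup with a bound parameter. The crafted input turns the first query's WHERE clause into a tautology and returns every customer's rows; the parameterised query only ever compares it as data.

```python
import sqlite3


def make_db():
    """Constructed sample data: each customer may only see their own orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "laptop"), (2, "bob", "router"), (3, "carol", "firewall")],
    )
    return conn


def orders_vulnerable(conn, customer):
    """Vulnerable: the input is spliced into the SQL text, so quotes and
    keywords in it become part of the statement's structure."""
    sql = f"SELECT item FROM orders WHERE customer = '{customer}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def orders_parameterised(conn, customer):
    """Hardened: the value travels separately from the statement and is only
    ever compared against the column, never parsed as SQL."""
    sql = "SELECT item FROM orders WHERE customer = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (customer,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"          # classic textbook tautology input
    print(orders_vulnerable(db, "alice"))       # ['laptop']
    print(orders_vulnerable(db, crafted))       # all three customers' items leak
    print(orders_parameterised(db, crafted))    # [] - no customer has that name
```

Failed parameterised lookups like the last one, or database syntax errors in application logs, are also what a defender watches for when hunting for injection attempts during an audit.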

What sort of analyses do you perform in the company you’re auditing?

Harald Reisinger: Within the company itself we are already behind the company’s firewall. Internally, we test the vulnerability of systems; for example, what kind of damage a visitor could do who accesses the company network with his laptop through a port in a meeting room.

How do you raise awareness among employees for these problems?

Harald Reisinger: For one thing, we check how secure the passwords are that employees are using. It is important to train employees in the proper behaviour and make them aware of the dangers; for instance, you shouldn’t just click on an e-mail attachment, but should always first check where the e-mail comes from. Another example: in the company parking lot, someone “loses” a USB stick that is labelled “List of 2018 lay-offs”. The likelihood is great that the employee who finds the stick will take it and try to access it on his company laptop. If the USB stick has been fitted out with malware, a virus program can thus unwittingly be introduced into the company.

Do employees take IT security seriously enough?

Harald Reisinger: It’s a fact that many think the IT department will keep everything under control and thus underestimate their own responsibility. One of the good things about in-house IT security training courses is that the employees take what they learn and apply it at home and in their personal life. In an ideal case, they will even share what they learn with their son or daughter. Nowadays, any three-year-old can operate a tablet – we have to work to ensure that on a broad basis even the youngest users develop a sense for the dangers of the digital world early on.

What kind of companies are the preferred targets for hacker attacks and identity theft?

Harald Reisinger: Ten or fifteen years ago it would have clearly been financial service providers. They are still attractive targets for professional hackers, but in the meantime every segment and industry has become fair game. Companies have had to become more conscious about the dangers in the wake of major instances of data theft and extortion attempts.

Do black hat hackers all want to achieve the same thing – to get their hands on money through their attacks?

Harald Reisinger: Initially, hackers were often nerds who just wanted to prove that attacks were possible. In the last five years or so, the “hacker industry” has become very commercial. Most hackers are professional and organised like a business. We expect to see this trend towards professionalising continue. The perpetrators want to attack as many targets as possible with as little effort as possible, and earn money from the sale of data sets or through extortion. In this era of digital currency, money changing hands is no longer a problem. Sometimes hackers target specific companies because they want to publicly expose them by shutting down their systems.

What role does identity theft play in cyber crime?

Harald Reisinger: As a phenomenon, this is still regarded as a marginal problem. At present, perpetrators operate by smuggling malware onto a computer through a phishing mail. If I use this computer to do all my personal business – to write e-mails, order goods, do my banking, make doctor’s appointments etc. – the perpetrator is then in a position to use all this information to steal my identity. Identity theft has the potential to become a problem on a massive scale as electronic identification becomes more advanced and we start identifying ourselves by means of an electronic signature or biometric data.

How can we protect ourselves effectively against cyber attacks?

Harald Reisinger: To start with, you should always observe the minimum security standards – don’t click on e-mail attachments from unfamiliar sources, perform updates promptly to keep your system up-to-date, use antivirus software, ideally one that is adaptable and offers protection against new forms of attack. And you shouldn’t just blindly follow every new trend.

That means, when in doubt, fewer rather than more digital aids?

Harald Reisinger: Yes. Although it seems incredibly practical, I don’t think it’s a good idea to have online banking software on your mobile phone where you can receive the TAN for your transactions by SMS. Home automation, smart loudspeakers – do we really need to go along with all of it? Do I really want my loudspeakers to be able to hear every word uttered in my living room? Lots of things sound great, and, luckily, people in general are open towards technical advances. But we also need to understand the consequences and know when we are opening the door to attackers.

How do you conduct yourself in this respect?

Harald Reisinger: “Paranoid” is the word that probably describes me best. As a rule, people working in our field are especially careful. Still, we can never completely eliminate the possibility of ourselves becoming a victim of a cyber attack. Some fraudulent activities are so well executed that even we specialists have a hard time recognising them.

Looking ahead to the future: robotics, the Internet of Things, self-driving cars – what new potential in data misuse are we facing?

Harald Reisinger: All these advances are designed to make our lives easier, but in taking advantage of them we also give up more and more of our control. This creates incredible risk potential. We IT specialists believe that the monitoring of IT systems will become an essential task for preserving the resilience of society. This encompasses three things: the basic product must be secure; protective measures have to be in place to prevent attacks; and monitoring must be done. We refer to this as the “survival triangle”.

About our expert:

Harald Reisinger is CEO of the Austrian monitoring firm RadarServices, which audits companies’ IT security. After earning a technical diploma, he studied business management and founded his first IT security company in 2001.