AH: What is an ‘ethical hacker’?
KM: An ethical hacker is a professional who uses hacking skills and techniques to identify vulnerabilities and weaknesses in computer systems and networks. Unlike hackers who engage in malicious activities, ethical hackers operate within the bounds of the law and have permission from the system owners to conduct their tests.
To draw an analogy, if ethical hackers were in the Star Wars universe, they would be like Jedi knights, while hackers would be like the Sith, with the notable exception that hackers do not normally aim to harm others (to the best of our knowledge). Both ethical hackers and hackers possess similar skills, but the former operate with a higher ethical standard.
Ethical hackers are bound by strict ethical codes and conduct penetration testing with the sole purpose of identifying vulnerabilities and providing solutions to strengthen system security. They work with system owners to identify and address security risks before malicious actors can exploit them. Unlike in popular movies, ethical hacking is a necessary and professional practice that contributes to maintaining the security and integrity of computer systems and networks.
AH: Are cyberattacks common? What are some of the more typical types of attacks?
KM: The frequency of cyberattacks varies depending on the target. If you, for example, write a personal blog documenting the life of your cat or your favourite clothing, then the likelihood of being hacked is relatively low. However, if you operate a business that stores sensitive and valuable information, then you are more susceptible to being targeted by hackers. These cybercriminals seek to steal data such as passwords, credentials and credit card information, which they can sell to make a profit.
But it's not always about financial gain. For instance, in the early stages of the Russo-Ukrainian war, there were large-scale attacks on various entities including media and military institutions. The purpose of these attacks was to disrupt their operations for political reasons. As an example, the hacktivist collective Anonymous was even hailed by many as heroic for their efforts to counter the Russian war effort.
Moving on to the types of attacks, Denial of Service (DoS/DDoS) is a common form of attack where the goal is to crash the target by overwhelming it with a massive number of requests, rendering the server unresponsive. Another type of attack is Remote Code Execution, which is a holy grail for attackers. This involves running their own code on the server to gain control. The concept of this type of attack is self-explanatory.
AH: Who are the attackers and what do they want?
KM: To begin with, it is important to differentiate between attackers and hackers. I have encountered many people who refer to themselves as hackers, and in today's age, it has become relatively easy to achieve that status to some extent. If you know how to use search engines, you're ready to go. There are various websites available that can provide you with a list of unauthenticated admin pages.
However, I would like to draw a distinction between script kiddies and true hackers. Script kiddies are individuals who lack expertise and rely on pre-existing tools to carry out attacks. True hackers, on the other hand, possess knowledge and expertise in the field of cybersecurity.
I once set a trap for individuals who fall under the category of script kiddies. I created a simple web page with an entire SSH command, including credentials to log in. When an attacker copied this command, a simple piece of JavaScript code changed the clipboard, and when pasted (without hitting enter), it fetched secrets from the attacker's machine. This resulted in a sizeable collection of intercepted data after a few months. I offer a little piece of advice here: avoid blindly copy/pasting anything.
Moving on to the topic of hackers, the stereotypical image of a hacker is that of a person sitting in their basement wearing a hoodie, attempting to steal as much money as possible. However, the motivations for a hacker to attack someone or something may not always be monetary. As mentioned in the previous question, there could be various reasons for an attack, such as a desire for power, recognition or just for the thrill of it.
AH: How can corporates protect themselves? Software, culture, knowledge, insurance, contingency plans, etc.?
KM: In my view, when it comes to ensuring security, there is a little bit of everything that one needs to consider. However, in my opinion, the most crucial aspect is to promote security awareness among employees. Upon examining some of the most notable attacks in history, it becomes clear that many of them were successful owing to the errors committed by employees, such as falling for phishing scams or visiting dubious websites. It may sound harsh, but it is essential to treat your workers as potential threats.
AH: What can we all as private individuals do to protect ourselves?
KM: Let me give you a short list of actions which should be a good start:
- Take more than three seconds when setting your passwords. In the long run, you do not want to lose your data or money simply because your password was "Password123!" Use a password manager, enable 2FA (two-factor authentication) and avoid using the same password for every account.
- Install a reliable antivirus program.
- Regularly create backups.
- Before clicking on any links, think twice and double-check their authenticity.