20-06-2023 12:42

Protecting Nordea against script kiddies and true hackers

Being a bank means being in the line of fire of cybercriminals. Keen to understand how banks protect themselves, we interviewed Kamil Medzikowski, Senior IT Security Specialist at Nordea Internal Security Testing.

In this interview with Nordea On Your Mind’s Arien Haghshenas (AH), Kamil Medzikowski (KM) describes how the penetration testing team at Nordea uses ethical hacking to identify vulnerabilities and remedy them.

He also highlights how the best defence for corporates against both more and less sophisticated cyber threats is to improve staff's cybersecurity awareness, so that attackers are unable to exploit the human behaviour factor to achieve a breach.

AH: Would you tell us about your background in cybersecurity and hacking?

KM: I have a background in cybersecurity and hacking that started in 2014. Although my journey began with a turbulent start, I learned a valuable lesson from my experiences. At that time, I was working in customer service, and we were having a lazy day, so we decided to do something fun by disrupting our email service. It's worth mentioning that we were the largest Polish email service provider at the time.

I came up with an idea to send a single email with numerous empty attachments, around 700,000 files to be precise. Although I initially planned to send a million files, the server couldn't handle such a request. After I sent the email, I noticed that my account became unresponsive. Unfortunately, I didn't know what it meant at that time, so I went about my daily duties. However, shortly afterward, there was a sudden alert that our email service had been hacked. The entire system crashed, and millions of users lost access to their accounts.

Realising my mistake, I owned up to it immediately, and expected to lose my job. However, to my surprise, instead of being dismissed, I received recognition for my actions. This was the first time that I realised that hacking was something I could pursue for the rest of my life, and my passion for it has continued ever since.

AH: How does Nordea work with cybersecurity?

KM: As a large company dealing with sensitive data, Nordea recognises the importance of maintaining robust cybersecurity measures. To ensure the safety and security of all our services and deliveries, we have dedicated teams working in three key areas: prevention, detection and response.

Our prevention efforts include data protection, endpoint security, network security and application security. We also have measures in place for detection, such as red teaming, vulnerability scanning and a security operations centre (SOC). In the event of an incident, we have a dedicated Cyber Security Incident Response Team (CSIRT) to handle the response.

As part of this ecosystem, our penetration testing team plays a crucial role in identifying and addressing vulnerabilities. Our team consists of highly skilled individuals with diverse areas of expertise, such as mobile security, security code reviews and cryptography. This enables us to fill any gaps and ensure that Nordea's cybersecurity measures are always up to date.


AH: What is an ethical hacker?

KM: An ethical hacker is a professional who uses hacking skills and techniques to identify vulnerabilities and weaknesses in computer systems and networks. Unlike hackers who engage in malicious activities, ethical hackers operate within the bounds of the law and have permission from the system owners to conduct their tests.

To draw an analogy, if ethical hackers were in the Star Wars universe, they would be like Jedi knights, while hackers would be like the Sith, with the notable exception that hackers do not normally aim to harm others (to the best of our knowledge). Both ethical hackers and hackers possess similar skills, but the former operate with a higher ethical standard.

Ethical hackers are bound by strict ethical codes and conduct penetration testing with the sole purpose of identifying vulnerabilities and providing solutions to strengthen system security. They work with system owners to identify and address security risks before malicious actors can exploit them. Unlike in popular movies, ethical hacking is a necessary and professional practice that contributes to maintaining the security and integrity of computer systems and networks.

AH: Are cyberattacks common? What are some of the more typical types of attacks?

KM: The frequency of cyberattacks varies depending on the target. If you, for example, write a personal blog documenting the life of your cat or your favourite clothing, then the likelihood of being hacked is relatively low. However, if you operate a business that stores sensitive and valuable information, then you are more susceptible to being targeted by hackers. These cybercriminals seek to steal data such as passwords, credentials and credit card information, which they can sell to make a profit.

But it's not always about financial gain. For instance, in the early stages of the Russo-Ukrainian war, there were large-scale attacks on various entities including media and military institutions. The purpose of these attacks was to disrupt their operations for political reasons. As an example, the hacktivist collective Anonymous was even hailed by many as heroic for their efforts to counter the Russian war effort.

Moving on to the types of attacks, Denial of Service (DoS/DDoS) is a common form of attack where the goal is to crash the target by overwhelming it with a massive number of requests, rendering the server unresponsive. Another type of attack is Remote Code Execution, which is a holy grail for attackers. This involves running their own code on the server to gain control. The concept of this type of attack is self-explanatory.

AH: Who are the attackers and what do they want?

KM: To begin with, it is important to differentiate between attackers and hackers. I have encountered many people who refer to themselves as hackers, and in today's age, it has become relatively easy to achieve that status to some extent. If you know how to use search engines, you're ready to go. There are various websites available that can provide you with a list of unauthenticated admin pages.

However, I would like to draw a distinction between script kiddies and true hackers. Script kiddies are individuals who lack expertise and rely on pre-existing tools to carry out attacks. True hackers, on the other hand, possess knowledge and expertise in the field of cybersecurity.

I once set a trap for individuals who fall under the category of script kiddies. I created a simple web page with an entire SSH command, including credentials to log in. When an attacker copied this command, a simple piece of JavaScript code changed the clipboard, and when pasted (without hitting enter), it fetched secrets from the attacker's machine. This resulted in a sizeable collection of intercepted data after a few months. I offer a little piece of advice here: avoid blindly copy/pasting anything.

Moving on to the topic of hackers, the stereotypical image of a hacker is that of a person sitting in their basement wearing a hoodie, attempting to steal as much money as possible. However, the motivations for a hacker to attack someone or something may not always be monetary. As mentioned in the previous question, there could be various reasons for an attack, such as a desire for power, recognition or just for the thrill of it.
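The clipboard trap Kamil describes works because the text a page displays and the text its JavaScript places on the clipboard can differ, and a trailing line break makes a shell run the pasted text before you have a chance to read it. As an added example that is not part of the interview or Nordea's own tooling, the following Python checker takes the command you saw on a page and the text actually on the clipboard and reports the tricks that make blind copy/paste dangerous (content mismatch, embedded line breaks, terminal escape sequences, invisible characters). All sample inputs are constructed; the host names use the reserved `.invalid` domain.

```python
"""Defender-side check for a command copied from a web page (added example, not the interview's code)."""
import re
import unicodedata

# Zero-width / invisible code points that render as nothing yet reach the shell (constructed list).
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# CSI escape sequences such as "\x1b[8m" (conceal) that can hide text in a terminal.
ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")


def inspect_pasted_command(displayed: str, clipboard: str) -> list[str]:
    """Compare what the page showed with what is on the clipboard.

    Returns a list of human-readable findings; an empty list means the
    clipboard holds exactly the single-line command you saw.
    """
    findings: list[str] = []
    if clipboard != displayed:
        findings.append("clipboard content differs from the text shown on the page")
    # A newline or carriage return makes the shell execute the text on paste,
    # before the user has a chance to press (or not press) Enter.
    if "\n" in clipboard or "\r" in clipboard:
        findings.append("contains a line break: the shell would execute it on paste")
    if ANSI_ESCAPE.search(clipboard):
        findings.append("contains ANSI escape sequences that can hide parts of the command")
    if any(ch in INVISIBLE for ch in clipboard):
        findings.append("contains zero-width / invisible characters")
    # Any other control character (tab is tolerated) has no business in a command.
    if any(unicodedata.category(ch) == "Cc" and ch not in "\t\n\r\x1b" for ch in clipboard):
        findings.append("contains control characters")
    return findings


def reveal(text: str) -> str:
    """Render hidden characters visibly (\\n, \\x1b, \\u200b ...) so a human can inspect them."""
    return text.encode("unicode_escape").decode("ascii")


def safe_to_paste(displayed: str, clipboard: str) -> bool:
    """True only when no finding was raised."""
    return not inspect_pasted_command(displayed, clipboard)


# Constructed samples: what a page displayed versus what its script put on the clipboard.
DISPLAYED = "ssh deploy@example.invalid"
CLIPBOARD_HONEST = "ssh deploy@example.invalid"
CLIPBOARD_TRAP = "ssh deploy@example.invalid; echo trapped\n"  # extra command plus auto-run newline
CLIPBOARD_ZERO_WIDTH = "ssh deploy@\u200bexample.invalid"        # invisible character in the host name
CLIPBOARD_ANSI = "ssh deploy@example.invalid \x1b[8m&& echo hidden"  # concealed tail in the terminal

if __name__ == "__main__":
    for name, clip in [("honest", CLIPBOARD_HONEST), ("trap", CLIPBOARD_TRAP),
                       ("zero-width", CLIPBOARD_ZERO_WIDTH), ("ansi", CLIPBOARD_ANSI)]:
        print(f"{name}: {reveal(clip)}")
        for finding in inspect_pasted_command(DISPLAYED, clip) or ["no findings"]:
            print("   -", finding)
```

The practical habit this encodes is the one Kamil recommends: paste into a plain text editor (or run the checker) and read the command before it ever reaches a shell, because the terminal is exactly the place where a hidden newline or escape sequence does its work.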

AH: How can corporates protect themselves? Software, culture, knowledge, insurance, contingency plans, etc.?

KM: In my view, when it comes to ensuring security, there is a little bit of everything that one needs to consider. However, in my opinion, the most crucial aspect is to promote security awareness among employees. Upon examining some of the most notable attacks in history, it becomes clear that many of them were successful owing to the errors committed by employees, such as falling for phishing scams or visiting dubious websites. It may sound harsh, but it is essential to treat your workers as potential threats.

AH: What can we all as private individuals do to protect ourselves?

KM: Let me give you a short list of actions which should be a good start:

- Take more than three seconds when setting your passwords. In the long run, you do not want to lose your data or money simply because your password was "Password123!" Use a password manager, enable 2FA (two-factor authentication) and avoid using the same password for every account.

- Install a reliable antivirus program.

- Regularly create backups.

- Before clicking on any links, think twice and double-check their authenticity.

Nordea On Your Mind is the flagship publication of Nordea Investment Banking’s Thematics team, which produces research for large corporate and institutional clients. The research does not contain investment advice and typically covers topics of a strategic and long-term nature, which can affect corporate financial performance.

Top decision makers at Nordea’s large clients across the Nordic region receive Nordea On Your Mind around eight times per year. The publication’s themes vary widely, and many are selected from suggestions by clients. Examples of covered topics include artificial intelligence, wage inflation, M&A, e-commerce, income inequality, ESG, cybersecurity and corporate leverage.
