Learn from hackers to protect against cyber attacks
In this interview, courtesy of the Cyber Security Speakers Agency, hear from white hat hacker Keren Elazari. She is a Senior Researcher at the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University, where she inspires the next generation of digital defenders.
What sparked your interest in cyber security?
I was a very, very curious little girl growing up in sunny Tel Aviv, and I would ask my parents so many questions, but they taught me how to find the answers on my own. So, instead of a bedtime story, I got volumes of the encyclopaedia, and I had to navigate that encyclopaedia on my own.
Then, when we first got access to the internet, they gave me my own computer. I had to teach myself how the internet worked if I was ever to find answers to my many, many questions. Teaching myself how the internet worked was by process of reverse engineering, by looking at how web pages were built and finding flaws that allowed me to enter password-protected websites.
I didn't even know this was part of the world of cybersecurity and hacking. It was through my discovery, through my exploration, through my curiosity that I learned about this incredible world of cybersecurity. And I've been passionate and curious about it ever since.
What are your top three tips for businesses and organisations wanting to protect themselves against cybercrimes?
So, my first lesson for organisations that want to protect themselves from cyber threats is to know where your digital assets are. In so many cases, I see security incidents that happen because the criminals know the network more intimately than the organisation. They understand where all the open holes and vulnerabilities are, they know how to trick your employees into clicking on a link or installing an application.
You need to understand your network. What's your digital footprint? It starts with knowledge; it starts with really being insightful and knowledgeable about your environment because you don't want the criminals to know more about your environment than you do.
My second lesson is that it's not just about the technology. So, it's not just about buying the latest firewall or the best machine learning, like AI-driven network security technology. Trust me, I have designed and built those technologies, and they are great, but that's not the cure-all to cybersecurity threats.
It's a lot about the people. It's about getting people to be part of your digital immune system, because the people that make everyday security decisions, they're your first line of defence. You want to empower them; you want to make them knowledgeable about threats. You want to give them the information and the tools to make better security decisions.
My third lesson is that you need to learn from hackers, because hackers are the early adopters of any new technology. They're incredible innovators. Whether we like it or not, they come up with creative and clever ways to use technology, sometimes against us. So, there's so much we can learn from identifying and studying the techniques that criminals use.
If a business falls victim to ransomware, what is the first thing they should do if financially extorted by hackers?
Ransomware has been perhaps the most innovative and successful form of cybercrime in the last few years, and I forecast that it's only going to grow. It's here to stay. Ransomware operators have innovated in the last 20 months. They've created ransomware as a service, they've created new business lines, new distribution models, new attack techniques.
So, if you're faced with a ransomware incident you need to decide what to do – I'm not going to say pay or don't pay. My advice is to negotiate, because in the negotiations themselves, you can learn a lot about how the attackers got in, what they're after, and what their motivations are.
And this can help law enforcement because the negotiators on behalf of the criminals might drop some information that's valuable. Furthermore, in several cases, we know as a fact that the negotiations help to reduce the amount that was ultimately paid to the criminals.
Now, I'm not necessarily advocating that you should pay ransom, but I would recommend being prepared and having that mindset of ‘what do we do if we're hit with that incident?’ Who's eligible on our behalf, in our business, in our organisation, to even conduct this sort of negotiation or relationship? Is it a third-party adviser, a hostage negotiator? Is it your legal counsel or your CTO? This is vital, because it is happening to more and more businesses.