Could You be Hacked by a 15 Year Old?
The first presentation of the second day of Enterprise Mobility Exchange EU saw Dr. Sebastien Broecker, Chief Information Security Officer at DFS Deutsche Flugsicherung, deliver a fascinating presentation about the role of the hacker in today's business environment.
The first virus Broecker discussed was 'Stuxnet.' The malicious computer worm tore through a fifth of Iran's nuclear centrifuges, reportedly as a way for the United States and Israeli governments to learn how Iran enriches its uranium.
For Broecker, threats of this nature are uncommon. "An attack of this nature is unstoppable," he says. "If it came to your company it would destroy everything." He points to other state-sponsored trojans, such as the 'Bundestrojaner', as examples of sophisticated viruses.
The list of companies hacked over the past 10 years is extensive. "A number of companies, like Hyatt, Talk Talk and Sony, have been hacked in the last couple of years," says Broecker. While you might expect it would take a very sophisticated attack to breach the walls of an established company like Talk Talk, Broecker states that major companies are being damaged by their lack of basic security protocols. About the Talk Talk hack, he added, "The attack was probably done by a 15-year-old boy, probably by an SQL injection."
Many of the infamous attacks seen on companies like Talk Talk were classified as 'easy to do' by Broecker. "Data shows that 42% of the hacks on major companies were easily done," he says. Take the TV5Monde breach for example. The French broadcaster's systems were infiltrated by ISIS, and were used to show the militant group's propaganda. There was, however, no sophisticated attack. "TV Monde showed the password of the company's YouTube on a paper on the wall live on television," says Broecker. "It was very easy to hack them."
When you also consider that the password was, when translated to English, 'the password of Youtube,' it's clear that there is a lot organisations can do to limit their vulnerabilities. Broecker also suggests that attacks on broadcasting companies are fairly common, but "they don't get the same press because it's not done by a terrorist organisation."
"Bad passwords, SQL injections and slow processes, like running outdated operating systems, are still the most common methods for hackers," says Broecker. When the German parliament was hacked, the criminals were assumed to be professionals, yet Broecker believes, again, that "it could have been done by 15-year-old boys."
He adds to this by stating: "The German parliament believed that the hack had been done by Russian hacking experts, but with one-third of the PCs (in the German Parliament) running Windows XP, and the main threat coming from a poisonous email and an infected USB stick, it probably wasn't."
With security such a key topic of debate in enterprise mobility, Broecker's presentation delivered some important home truths. The majority of hacks are preventable with care and updated systems. By improving passwords - and not broadcasting them live on television for the world to see - you also remove another potential vector. Security in today's business landscape is difficult, but Broecker shows companies that the small things can make a big difference.