Ahead of We Fight Fraud Live, Head of Cyber Solomon Gilbert explains why it's not good enough to just react to cyber attacks – instead you must correct your mindset and adopt more resilient attitudes.
What makes an attack 'common'? The answer to this has changed.
It used to be that attacks were common because developers didn't implement easy solutions to problems; the capabilities of 'hackers' were still very much out of the public's purview, and our attitudes towards fixing vulnerabilities were pretty basic. Essentially, we were all terrible at our jobs.
Now, ten years down the line, the foundations for a typical attack lie far more within certain behaviours and attitudes than in lousy engineering. While incompetence, lazy development, and refusal to employ best practices still lead to vulnerabilities, the most common attacks are now almost entirely people-centric. No longer can we make free phone calls using Cap'n Crunch whistles; we now must rely on behaviour and human reaction. Most of us, however, are still pretty bad at our jobs.
Needless to say, the futile game of whack-a-mole often played by companies - fixing vulnerabilities as they emerge - does nothing to remedy the underlying behaviours that allow these attacks in the first place. Instead, we must recommend behaviours that stand the test of time. This article isn't "here are the top ten problems and how to fix them"; it's "here's how to correct your mindset and adopt more resilient attitudes".
Let us first start with you. Yes; you, reading this now. You're a complex, multi-faceted human being with passion, desire, emotion, and responsibility. You're the one who sits on the underground, looks around and wonders how everyone but yourself became a monotonous sheep. You're the one who loves, who feels, and who thinks. Well, I hate to say it, but you're flawed. No, not in that endearing way in which your flaws are positive characteristics wrapped in a self-deprecating light to make you easier to swallow at parties. You're not too much of a perfectionist; you're a lazy, reactionary animal. Need proof? Try popping a balloon without blinking. You have no control over what your brain does and how it reacts in an instant. The fact that we no longer have to be disquieted with being chased by lions is immaterial to our brains, which still act as though danger lurks around every corner. This behaviour is all well and good, but is it relevant? Or is this bizarre tangent just a convoluted way of insulting you? Well, yes to both of those questions.
The problem here is that our reactive brains are quick. They rely on making decisions extremely fast and don't think critically about why. They act now and suffer the consequences later. Our logical brains are slow, methodical, and need time to arrive at a reasoned conclusion. Criminals take advantage of this. Their goal is to engage your reactive, illogical brain because they know that your logical brain might give the game away. Malicious attackers socially engineer situations in which you're forced to think quickly with high stakes and enormous pressure. The goal of this is to hope that your reactive brain gives them the result they need before your logical brain has time to stop you. If you're being pressured into making an unusual decision, allow your rational brain to take control. Step away from the situation for a few seconds and think critically about what is being asked of you. If you're not sure about something, don't do it.
Not only are you reactionary, but you're also phenomenally lazy. No matter how hard we try, we still can't get you to stop using 'password123' as your password for everything. You keep being told to use a secure password, but why? And what is a secure password? Who knows, maybe you use a password like 'J3fFery1!' and think smugly to yourself about how much better you are than everyone. The truth is that most of our ideas for what constitutes a good password are wrong. The best way to manage your passwords is, by a staggering coincidence, to use a password manager. But to understand why all of this is important, we first need to understand how passwords work.
Before passwords are stored in a database, they are converted into a random-looking string called a hash. Two passwords never produce the same hash, and once you have a hash, there's no way of working out what the original password is. When you log in to a site, the site takes the password you submitted, turns it into a hash, then checks it against the hash it already has for your account. If they match, you're logged in. Sometimes, websites get hacked. Those databases get stolen and sold to criminals. Disregarding the fact that we have to rely on companies to store our hashes correctly, and that companies such as Adobe don't accidentally make giant crossword puzzles out of our data, we should be relatively secure in the knowledge that people can't find out what our passwords are. Except they can. I can take very long lists of words, turn them into hashes, and compare them with those I have from a database. If they match, I've found the password. If best practices aren't followed in how those passwords are 'hashed', I can do this millions - sometimes billions - of times a second. Once I have these passwords, I can immediately attempt to log in to other accounts under the victim's email address. This technique is called Credential Stuffing.
Password managers take random sequences and save them as unique passwords for each site you visit. That way, if those passwords get leaked, an attacker can't use them for another website. If you don't want to use a password manager, use unique, easy to remember pass-phrases made up of several words, such as CorrectHorseBatteryStaple. Easy to remember, hard to guess!
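The two paragraphs above make two points: how a site should store a password so a stolen database is slow to crack, and why a unique password per site defeats credential stuffing. The following is an added illustration written for this article, not the author's code or any We Fight Fraud tooling; the usernames and passwords are constructed sample data, and the iteration count is a chosen parameter, not a recommendation from the text.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed sample credentials for the demonstration only (not real users).
USERS = {"alice": "password123", "bob": "password123", "carol": "J3fFery1!"}
ITERATIONS = 600_000  # assumed work factor; higher means slower guessing


def naive_hash(password: str) -> str:
    """The weak pattern the article warns about: one fast, unsalted hash.
    Identical passwords collapse to identical hashes, so one precomputed
    wordlist cracks every user who chose that password at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def store(password: str) -> tuple[bytes, bytes]:
    """Best-practice storage: a random per-user salt and a deliberately slow
    key-derivation function, so each guess costs the attacker real time and
    a table built for one user is useless against another."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def site_password(length: int = 20) -> str:
    """What a password manager does: a fresh random string per site, so a leak
    from one database cannot be replayed elsewhere (credential stuffing)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo() -> dict:
    naive = {u: naive_hash(p) for u, p in USERS.items()}
    salted = {u: store(p) for u, p in USERS.items()}
    return {
        "naive_shared": naive["alice"] == naive["bob"],       # True: same hash
        "salted_shared": salted["alice"][1] == salted["bob"][1],  # False: salt
        "alice_ok": verify("password123", *salted["alice"]),
        "alice_wrong": verify("Password123", *salted["alice"]),
        "unique_sites": site_password() != site_password(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```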
Your laziness extends to constantly telling the computer to 'remind you later' every time it suggests an update. Stop doing this. Security professionals work very hard to find problems in the systems you use, and when those problems are found, they're fixed. Not updating your systems makes you susceptible to those problems.
Lastly, I might've mentioned that you're lazy. Security policy is there for a reason, and you need to follow it. I want you to be actively engaged and caring about your environment's security, but that involves getting off your bottom and doing something. Don't just tick boxes. Be passionate and informed about your privacy. It behoves you to understand how and why your data - the information that defines you - is handled.
To conclude:
1) When you're under pressure to make a decision, or if you're unsure of something, develop the habit of taking time to cast a sceptical eye over the situation. Doing so may help prevent phishing attacks, invoice fraud, and all other kinds of scams.
2) Don't be lazy. Instead, be informed. Actively maintain a good password policy to keep you safe. Keep your systems up-to-date to prevent vulnerabilities from emerging.
3) Be passionate. Don't just do things because you're told; understand why measures are in place. It will help you, and you can help others.
Solomon Gilbert is the Head of Cyber at We Fight Fraud. He is in charge of We Fight Fraud’s cyber capability. The last bank he broke into took him less than 12 hours. From a very early age, Gilbert has had an avid fascination with puzzles and mystery. This fascination led to his discovery of cyber security. Unfortunately, his curiosity led him to engage in cybercrime in order to challenge himself more and more until his arrest and expulsion from school aged 17. After that, his goal became cyber-crime prevention. He has since worked with the National Crime Agency, Home Office, regional police forces, and private enterprise in order to help them better understand criminal techniques.