Think you know what a hacker looks like? You may be surprised. Not all hackers are “bad actors”, contrary to how Hollywood might portray them.
With help from ethical hacker Daniel Underhay, a Senior Consultant at Aura Information Security, and Joshua Alcock, a Security Strategist at Fortinet, here are five insights about hackers you need to know – plus some handy tips to protect yourself and your business online.
1. Not all hackers are “bad guys”
Just like humans in general, hackers can be defined by their intentions.
A black hat hacker has sinister motivations. They often infiltrate a system to retrieve information/data that can be used for their benefit, whether it is to make money, threaten, or manipulate businesses or people. These hackers often lack a moral compass and do not have permission to do what they are doing.
A white hat hacker has positive intent. They hack into systems to identify the gaps in security systems and recognise areas for improvement. They are ethical, and most importantly, have permission to hack. Typically, you’ll see white hat hackers involved if you engage in a penetration test for your business.
As you can imagine, a grey hat hacker sits in the middle. They hack both for personal gain and to identify vulnerabilities. They may have good intentions but often skip the permission slip. They also attack individual people without understanding the human impact behind their decisions.
2. Phishing is still the low-hanging fruit for hackers
While hackers have impressive technical skills, their attack vectors often start with the humble phishing attack. Why? Because humans still present the weak point in most businesses’ security posture.
Phishing or credential harvesting is when hackers attempt to acquire personal/sensitive information by impersonating someone trustworthy. We’ve all seen those emails. Sometimes they’ll be portrayed as coming from a third party, like a bank; other times, the scammer will impersonate a manager, CEO or even HR department to try to trick an employee into sharing information or even purchasing things on behalf of the business. You need to listen to your gut instinct; if it doesn’t sound right, it probably isn’t.
Take note:
- Does the communication sound too generic and vague?
- Double-check the email domain, as it will most likely be incorrect
- Are there any factual mistakes? Scammers more commonly use spell check and attempt to get the grammar right these days, but can still get things like names, titles, and straightforward information about your job wrong
Every employee must be up to date with security policies within the company to address data breaches. It’s important to note that phishing isn’t just limited to email – hackers may use social media messaging apps, SMS messages and phone calls to trick you into allowing them access to your corporate systems. Make sure you keep abreast of the latest scams and their delivery methods to stay ahead.
3. Social media is the perfect ground for hackers to gather intelligence
Social media is a great way for hackers to gauge a person’s tone of voice and style of writing. They then emulate that tone/style in a phishing email to make it appear more legitimate. People often underestimate what they share on social media, and it’s not only the style of writing you should worry about.
Be careful about what you post visually, whether it’s a boarding pass on your holiday adventure, a Wi-Fi password in the background or a credit card sitting on a table. Hackers look for those tiny details and indiscretions.
4. Hackers are persistent
There is a myth that hackers are easily deterred, and if they get stuck once or twice, they give up. And sometimes, that is true – black hat hackers tend to work swiftly and at scale, looking for easy wins, so even the most basic layers of defence, such as a strong password or MFA, can help prevent you falling victim to a breach. However, for a more important or lucrative target, a hacker might spend weeks or months looking for an entry point.
Just like a white hat hacker stays with an individual or company long enough to discover all the ways in which their data can be breached, a motivated black hat hacker may spend long periods of time waiting for their opportunity. It all boils down to the motivation behind the hack, and how much reward the hacker can extract from a particular target.
5. Getting the basics right goes a long way in protecting you from bad actors
While it’s impossible to 100% prevent a cyber-attack, there are some fairly simple things you can do to make it more difficult for a hacker to infiltrate your data and systems.
As a minimum, your business should be implementing the following:
• Make sure you have good password hygiene or use a password manager, and implement MFA on both work and personal devices.
• Stay up to date with the latest advice. Cert.co.nz has lots of resources for businesses of all sizes, as well as tips on personal cyber safety and the latest scams.
• Be aware of what you are sending/sharing online. Usability and accessibility often pull us in different directions regarding online security.
• Use tools like “Have I Been Pwned”, where you can type in your email address and find out if you have been involved in any data breaches. If your account has been compromised, you can take action to change your passwords and check your security.
How individuals protect their data contributes to the overall defence of a business. When it comes to avoiding breaches and decreasing the risk of data theft, understanding hacker behaviour can be incredibly helpful.