Although the year has just started, 2012 is turning out to be an annus horribilis for cyberattacks. Shortly after the New Year, 24 million Zappos customers found out that hackers had accessed their personal information. Popular web hosting service DreamHost found out in mid-January that its users' FTP passwords had been stolen. After Megaupload was shut down in late January, thousands of Anonymous users used DDoS scripts to take down the websites of, among others, the Justice Department, the Recording Industry Association of America (RIAA), and the Motion Picture Association of America (MPAA).
On January 22, WhiteHat Security founder Jeremiah Grossman gave a TEDx speech in Maui about why companies and government agencies need to “hack themselves first.” According to Grossman, the most effective way for enterprise users to protect their systems is by inviting hackers to attack away... and then having the hackers discreetly share their discoveries with the companies. Grossman spoke with Fast Company about how this would work.
FAST COMPANY: What do you mean by "Hack Yourself First"?
JEREMIAH GROSSMAN: Anything and everything connected to the Internet will endure some type of cyber-attack, likely several a day. Internet security can be thought of as a race between the bad guys who find and exploit security weaknesses and the good guys who find and fix them. Hack Yourself First is about winning this race. Hack Yourself First is about building us cyber-offense skills, and focusing these skills inward at ourselves. This is how WhiteHat Security helps protect hundreds of businesses, by providing them an understanding of their hackability online.
Many companies, including Google, Microsoft, PayPal, Facebook, Salesforce.com, and Mozilla, have also embraced a "Hack Yourself First" mindset. They actually invite anyone who wants to try to hack their systems, provided they discreetly share with them their findings. Such programs have proved extremely successful. Collectively, they've awarded millions of dollars to "hackers" and security researchers, and resolved thousands of previously unknown issues.
What is wrong with the traditional approach used to deal with cybercrime/cyber-espionage by companies and government?
"Traditional" is a good word to describe the current and ineffective collection of security controls deployed at many organizations, as is "static." What's wrong is static security controls, particularly those baked into compliance mandates, are not focused on improving outcomes, but just making sure you've bought product X, Y, and Z. When you are dealing with a sentient adversary, whose methods are intelligent and adaptive, moving around "best practice" security controls is not difficult for those determined.
Do you see any difference in the way private companies and government react to cybercrime/cyber-espionage?
They are now starting to take the matter of Internet security far more seriously than in years past because the breaches are becoming far more serious. They're understanding now that the attacks are evolving from recreational hacking to organized crime harvesting billions in cash and state-sponsored actions stealing intellectual property worth far more than the contents of a bank account.
How does self-hacking benefit companies/government?
Corporate and government systems are built with the same technologies that all have basically the same set of security gaps, security gaps that WILL be found by our adversaries. At WhiteHat Security, we can usually find a serious issue within 20 minutes flat. In under 20 minutes we're able to locate digital doorways to take over some or all of their systems, steal whatever sensitive data they have, access their customers' accounts, or steal data they have on the system. It is much preferable that we do this work, or companies/government do it for themselves, prior to the bad guy doing so.
What is the biggest myth about self-hacking?
The predominant myth is that by following the conventional security wisdom, buying all the recommended "traditional" security widgets, a business or government system will be safe from hacking. This belief is false. This belief is dangerous. You might be compliant, but you certainly won't be secure. Hack Yourself First shines a light on this fact.
What new trends do you expect to see in cybercrime in 2012?
One word: Escalation.