This friendly hacker is defending our digital immune system
Jenny Darmody, April 13, 2022 at 13:27, Silicon Republic


The conversation around cybersecurity has no doubt evolved in recent years. Leaders are paying more attention to it as a critical business area and high-profile cyberattacks and growing phishing scams have put it in the spotlight for the wider population.

However, there are still many misconceptions and misunderstandings around cybersecurity, cybercriminals and hackers.

Some may imagine the stereotypical cybercriminal to be, as cybersecurity researcher Jan Carroll previously said, “young lads in hoodies sitting in their bedrooms”.

Furthermore, when people hear the term ‘hacker’ they often associate it with criminal activity, when in fact hackers are frequently the front line of defence in infosec.

Israeli cybersecurity analyst Keren Elazari describes herself as a proud friendly hacker, opting to move away from terms like white hat and black hat hackers because “the reality is more like 50 shades of grey”.

She also likened friendly hackers to the friendly bacteria in our bodies, which work in harmony to defend us from illness.

“There’s a lot of different types of friendly hackers out there and even though they might not be coordinated in their actions, the impact that they have is an overall positive impact on our security ecosystem, therefore, they have built our digital immune system,” she told SiliconRepublic.com.

‘We can learn quite a lot from the criminal hackers’
– KEREN ELAZARI

Elazari said she has been proud to call herself a hacker ever since she found out what they were in the mid-90s. “For me, that term was never about criminal intent. It was always about the curiosity and the creativity, the passion for technology, that the hacker mindset brings with it.”

The changing threat landscape

One of the biggest changes Elazari has seen in cybersecurity in recent years is the growth in the number of connected devices, which creates a far larger attack surface.

“It’s estimated that within two or three years we’re going to have 10 times more digital devices on planet Earth than human beings,” she said.

“Even if you look around your home, most of us already have four or five times more digital devices than we have family members and pets. That trend is only going to continue exponentially, and that means, from an attacker’s point of view, the attack surface has not just multiplied, it has increased exponentially.”

She added that one of the biggest issues with this is that many consumers don’t know what’s going on inside each of their devices, for example when their router’s firmware was last updated. “Most people don’t really perceive the responsibility that they actually have for their digital home.”

Beyond the devices themselves, the wider technology landscape has also expanded rapidly: new programming languages, new technologies, new cloud infrastructure and new concepts.

Elazari said that while these new technologies have many benefits, they also come with their own bag of security problems.

“While the rate of adoption of a lot of these new technologies is getting faster, the rate of adoption for new security paradigms and security tools is not as fast,” she said.

“So we were kind of racing ahead into the future, definitely jumped straight into digital transformation. But the embracing of new security mindsets, or the fast kind of speed that our security mindset needs to be at hasn’t really matched that.”

Stuck in the wrong mindset

Elazari said misconceptions around security, and being stuck in old paradigms, are slowing down the cybersecurity industry. One such misconception is the stereotypical image of a hacker, or the idea that all hackers are criminals.

“There are more and more friendly hackers every day and they are identifying vulnerabilities, they’re showcasing problems, they’re publishing research, they’re pushing our security forward,” she said.

“We can also learn quite a lot from the criminal hackers. They teach us a lot about innovation. Even if you just look at ransomware, there has been incredible innovations just around ransomware in the delivery vehicles and the business models with the invention of the double extortion ransomware model and the ransomware-as-a-service model.”

Another misconception Elazari is passionate about eradicating is the supposed need for what she deems to be “outdated security concepts”.

“So passwords, for example, which really belong in the 20th century and even then, they were not a very scalable, useful tool to monitor or to manage access to digital services.”

She said the average user now has between 40 and 50 different sets of credentials or passwords to various different services, from each individual device they have in the house to every social media, streaming or shopping platform they have an account for.

“We recycle these because they’re hard to remember, and why are they hard to remember? Because we are continuously told that we have to make them complicated: uppercase, lowercase, numbers, special characters, etc,” said Elazari.

“That requirement of password complexity is outdated by at least 10 if not 15 years. I think passwords should be a thing of our past altogether. But if we are to encourage people to have unique passwords, let’s encourage them and enable them to have long passwords or even pass phrases. Pass phrases would be easier to remember, much harder to guess, and the more you add to it the more it increases the difficulty for software or a human to crack.”

‘There’s also a change in the mindset that hackers should not be criminalised’
– KEREN ELAZARI

Another outdated thought process that Elazari called out is the idea that having bug bounty programmes will act as a sort of invitation for cybercriminals.

Bug bounty programmes are essentially rewards offered by organisations and software developers to individuals who report bugs, especially those pertaining to security exploits and vulnerabilities.

Elazari said it’s important that organisations realise that bug bounty programmes do not invite cybercriminals to maliciously hack them, mainly because cybercriminals do not wait for an invitation. Luckily, she said this attitude is changing and more bug bounty programmes are popping up.

“It’s a little bit of crowdsourcing, a little bit of open sourcing and really ends up benefiting everybody. It raises the level of security for everybody.”

She also said bug bounty programmes are sometimes a way of finding really great talent within the security space – a potential solution to the critical skills shortage within the industry.

This can highlight talent that may not have had access to the traditional career path through university, which diversifies the expertise available. It also gives younger hackers a legitimate route into the security ecosystem.

“When I was growing up as a hacker in the mid-90s, I couldn’t participate in bug bounty programmes and be legitimately rewarded for my actions or even publicly acknowledged by my name for my actions. I had to hide behind the screen and a nickname if I even wanted to get something changed out there in the world. So there’s also a change in the mindset that hackers should not be criminalised.”


