Self-taught hackers rule
Ilio Kolochenko, CEO of High-Tech Bridge, a Swiss information security company, gave the keynote address on governments role in cybersecurity this past Sunday at the Regional cybersecurity Summit in Oman.
Before his speech, he talked with CSO about why self-taught hackers are generally superior to those who go through a formal certification program, and why compliance with cybersecurity standards will remain low unless governments make it very painful to ignore it.
A recent story in The Independent said the UK Governments Communications Headquarters (GCHQ), through approval of certain Masters programs, had created, "the first certified degrees for spies." Is it accurate to call a degree in cybersecurity a degree in spying?
I would say not. Obviously some governments activities may be reasonably called "spying", but we should not forget that national security experts are required to use intrusive techniques to protect the nations interests.
[Should companies hire criminal hackers?]
It is like calling a policeman or a soldier in the army a "killer" because he has a gun. The main thing is to make sure that governments protect citizens and do not abuse their power.
Will the GCHQ initiative raise the level of cybersecurity skills and/or spying?
I do not think classes or a certification will significantly change the cybersecurity situation in the entire country. But, that such a program exists at schools, colleges and universities means that people will understand that it is important.
What do you think the quality of the degrees will be?
Many schools are sponsored by companies, organizations, NGOs that offer various types of certifications in cybersecurity, hacking, and ethical hacking. Some programs are quite good, and some are relatively poor.
A company called EC-Council, which has been around since 2001, became famous because of its program called a CEH (Certified Ethical Hacker) Diploma. It offers a good overview of hacking and information security for those who want to enter IT or infosec, but it is not very advanced. They are doing a good job teaching people how to protect themselves by showing them how they can be hacked.
But personally I am a bit skeptical of them. When they say their program is CEH, its a bit too much. They have been hacked themselves, in recent years. They should change their certification to something different, because when you say I am a CEH, it means much more than they are actually teaching you.
The other problem is that many people just get the diploma to improve their CV. They are learning the answers by heart just to pass. They do not care to become more sophisticated in anti-hacking and security.
Certification is still useful because it assures that a person has skills and capacities, but if the priority is the diploma and skill is something to get later, I dont think this is going to make our security better.
Are there any superior programs for training hackers out there?
One of the best I know that is preparing skilled security experts is called Offensive Security. Its quite small – they teach maybe 15 people every three months. These guys dont compromise on price or other things. They say, "Our price is this and we are going to do what we want. If you do not agree, bye-bye." Most companies doing this are obliged to make sure the customer is satisfied – they will adjust price, adjust timing, but these guys wont.
What does it take to become a good hacker?
If you want to be really good at hacking, you have to work and learn, work and learn – all of your life is spent on the keyboard. Even if a person was, in primary school, an open person who spent time with family and friends at things like barbecues, its a new style of life when hes typing on the keyboard almost every day and night.
This something that changes his psychology and he becomes – if we can say this without being insulting – a bit of an outsider because he prefers the keyboard over talking to people.
[British hackers take down Al-Qaeda websites]
Sometimes I realize myself after doing something for a long time on the PC, it is easier to send email than to give someone a call. Good hackers usually dont appreciate talking to people.
I know some who have sports hobbies like boxing, karate, jujitsu. I know others who enjoy stock market. Most of them enjoy talking to friends or going to restaurants or clubs, but usually the people they are talking to are also from IT. And they are mainly speaking about information security, hacking.
Almost anybody with enough desire and persistence can become a hacker. But it takes motivation, persistence, a desire to learn and 24/7 practice. It can be extremely complicated. At the really high level it is a little bit like Chinese – I dont understand it at all myself. And most of the hackers I know have skills in scientific topics – mathematics, geometry, finance. I dont know many who studied history or geography.
Are self-taught hackers generally better than those with formal training?
Of course. Many very good hackers dont have any diplomas or certifications at all – they simply dont need them. Almost everything you can learn in a "hacker school," or seminar – methodologies, tricks – probably 90% of it is available for free on the Internet, if you have time and desire to read and learn complex texts and code.
People who do their tasks, homework and teamwork during the classes will be fine, but still be a little bit weaker than criminal hackers, who tend not to share the tools they are using with the public.
If the best hackers can train themselves better than they what they could get from a graduate course, is there no real point or value in the GCHQ-certified degree?
The best hackers are too expensive to be hired by governments, or simply dont want to work for governments. If government wants to recruit them, it will take a combination of money, career advancement potential, interesting, meaningful work, and an independent work environment.
Do you think the governments goal, "for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace," will be achievable through an initiative like this?
It wont guarantee it – a certification program is just a very small part of what it would take. The only thing that would make a significant change would be to require every citizen pass a certification in ethical hacking and Infosecurity by 2025.
But thats not feasible. It would be like obliging every citizen to be trained in jujitsu and boxing to fight crime on the street.
If you were advising government intelligence officials on this, what would you tell them?
While brainstorming for my keynote presentation about cybersecurity for government at the Regional Cybersecurity Summit (April 20), I decided that there is a need for a different approach – the government of every country needs to develop better cybersecurity regulations.
[Hackers could be fair game for deadly force, cyberwar experts say]
I think cybersecurity is actually collapsing because hackers are becoming more sophisticated. The problem is that companies dont have the budget, time, skills and desire to spend the money efficiently on it. Either they purchase something that is ultimately worthless, or they purchase something to pass a security certification like PCI – "Heres the paperwork, purchase order is done" – but practically speaking they remain hackable.
You can explain to CEOs that security is important, that its obligatory because the consequences can be huge, and they will say, "Yes, yes, we absolutely agree. Thank you. Bye bye." Nothing will change.
Look at Target. They fired CSO and sued the company in charge of their PCI compliance. Everybody is trying to put responsibility on somebody else – its not our fault. The result is simple – nobody is really in charge of security. Until we have straight, clear and comprehensible regulation by government, dont think companies will do something about security.
I used to agree with people who said that more and more companies becoming victims of hackers can be a good thing, because only then do they start spending and thinking about security. But after conducting several tests, analyses and having discussions with people, I found it becomes even worse than before.
First, the company says, "We have been hacked, so this will never happen again for 10 years. Statistically, we can spend zero on security for the next 10 years." They also try to make the incident as silent as possible, or if it is finally passed to the media, they try to minimize the impact: "All your credit cards were stolen, but dont worry, nothing bad happened."
The only way to make them take it seriously would be to have them hacked every six months, with a story on the front page of every leading newspaper.
The problem now is that companies only do what they are obliged to do. Poor countries like Ukraine, Poland – when Visa comes knocking on their door and says, "Well stop all your transactions if you are not PCI compliant in the next six months," they simply say, "OK, well close everything and switch to MasterCard and well have two years to become compliant."
Visa, of course, says, "Were sorry, take your time." With MasterCard, its exactly the same.
Another problem is that PCI has different levels for compliance depending on how many cards you process. So we saw that large banks in some countries created five or ten smaller companies, so legally theyre not obliged to have the higher level of compliance as an entity that processes 1 million cards – they can look as if each company is only processing 100,000 cards.
Theres even a problem with PCI itself. In 2012 I reported to PCI that their own website had a critical SQL injection vulnerability that would compromise their own web site. They never even responded to me. So Im quite skeptical of them.
[Hackers claim $10,000 prize for breaking into StrongWebmail]
If we really want to change something, government should establish minimum standards for companies of various sizes – for types of software and encryption – things like that.
And the punishment for companies that will not respect the regulations should be much higher than the investment they would have to make to comply. If its about the same, people will not care, but if it costs 10 times more, we can be almost 100% sure that companies will finally start complying.