Keren Elazari is a cybersecurity analyst and senior researcher at the Tel Aviv University Interdisciplinary Cyber Research Center. She focuses on hackers and technology, and their social implications.
Keren believes, just like Neo in The Matrix, that the cybersecurity industry is facing a simple choice.
Keep doing the same things, and thinking the same ways… or take the red pill.
Wake up to a new reality, and learn to think like a hacker.
At the recent Sophos Evolve Cybersecurity summit, Keren delivered an urgent dissection of cybersecurity in the age of COVID-19.
If you missed out, watch the recording and check out our key takeaways below:
A cybercriminal renaissance
Keren shared that the pandemic has created a ‘cybercriminal renaissance’, as highly organized attackers take advantage of the increasingly sophisticated, collaborative nature of the malware ecosystem.
We all remember the flood of malicious emails released by criminals as the world went into lockdown.
Mimicking genuine correspondence from trusted bodies – including the US Department of State and the UK Government – attackers tried to trick readers into parting with personal and financial information, or opening malicious documents. Often these emails were just the first step in a sophisticated, multi-stage attack.
But if cybercrime has thrived during the pandemic, it’s not just because criminals have been able to capitalize on confusion and concern. COVID-19 has also created more potential attack vectors, by effectively dissolving the line between our personal and working lives.
Keren shared the sobering results of a recent survey of remote employees. It found that:
- 77% use insecure, unmanaged personal devices to access corporate systems.
- Nearly all have reused passwords across applications and devices.
- 29% of parents working from home admit to letting other family members use their corporate devices.
In this new world of ‘hybrid work’, personal laptops access corporate networks, corporate devices help educate children, and the old-school cybersecurity perimeter has vanished.
Our ‘personal digital republics’ – the online services, devices, and connectivity options we use as individuals – have become part of the extended enterprise network.
The new cybersecurity reality
For organisations facing up to this complex challenge, Keren shared some practical advice.
In the short term, it would be a very good idea to re-educate your employees on cyberhygiene – including the basics, like using different passwords, and putting up with the extra friction of multi-factor authentication.
Keren also recommended that organisations reflect and prepare. They should ask where effective security controls can be located – and how they can create a future-proof defence strategy that functions at an ecosystem level, not at the level of point solutions.
Finally, Keren urged organisations to look to what she calls the friendly hacker community for a better understanding of the tactics used by their attackers, as well as for support.
Use the hacking community
Today, many leading brands – from Google to GitHub, and Samsung to Starbucks [Editor’s note: and Sophos] – run bug bounty programs, rewarding friendly hackers for finding and reporting security issues.
Since the pandemic began, many bug bounty programs have reported more vulnerability submissions, from more hackers, than ever. As Keren put it, “It turns out that being locked down at home is actually very productive for friendly hackers.”
These friendly hackers already provide an invaluable resource for organizations as diverse as Tesla and The Pentagon. Both challenge top hackers to test their systems, and reward them with ‘challenge coins’ in recognition of their skills.
One friendly hacker, Jack Cable, collected all three of The Pentagon’s challenge coins while still at high school. He now teaches at California’s Stanford University, showing students how to find vulnerabilities, collect bug bounties, and generally be a hacker ‘hero’.
Keren also highlighted how friendly hackers have been performing plenty of heroics during the pandemic – not least by reporting vulnerabilities in French and British COVID-19 apps.
As the cybersecurity industry continues to contend with a serious skills gap, Keren believes friendly hackers are set to play a vital role in its development.
When I go to DEF CON, I don’t see 30,000 criminals. I see 30,000 passionate, creative, clever individuals that can help us build a safer future.
In closing, Keren left us with that simple question, addressed to the cybersecurity industry as a whole:
Is now the time to keep calm and carry on, and continue doing the same things we did last year, or two years ago?
Keren’s own answer?
I think it’s time to step up to the challenge. It’s time to take the red pill, wake up to this new reality, and use the friendly hacker mindset to build our immunity, together.