By Elizabeth Blosfield | August 18, 2021 (Insurance Journal Article Link Below)
Dr. Ondrej Krehel, founder and CEO of LIFARS – a New York City-based incident response and digital forensics firm – says that when hackers enter a company’s system, it can create an environment of “chaos and fear.” “It’s the same like you see in the movies,” he says.
But ethical hacking – sometimes referred to as penetration testing – aims to eliminate some of that chaos and fear and help companies recognize vulnerabilities in their system before a bad actor does. This process involves the intentional hacking of a company’s computer network by a cybersecurity expert to identify areas where security could be increased. “The whole exercise truly just mimics that experience that the company is under attack by some truly evil hackers,” Krehel says.
In other words, ethical hackers are using their skills for good, not evil. Clients will hire a penetration testing firm to attack their company just like a criminal hacker would, and in the process, the ethical hackers will share with clients how they entered the system and work with them on mitigating any issues.
Adam Bixby, a managing director and practice leader of the security testing practice within Aon’s Cyber Solutions group, says this puts companies on much more secure footing in case of a real attack. “And it’s going to be orders of magnitude cheaper to hire a [penetration] testing firm to do it before the bad guys do it,” he says.
Krehel says the most common vulnerability within companies isn’t within technology systems themselves, however. It’s a problem of awareness. “I think the vulnerability truly is that denial of persons or entities that something will happen to them,” he says. “And often, many of these companies have false perceptions of security.”
While many companies do exercise basic cyber hygiene, they sometimes have a hard time elevating that process to a more mature model as cyber attackers become more sophisticated, Krehel says. But entities that don’t believe an attack could happen to them simply because they have basic cybersecurity protocols in place need to think again, he adds. “The reality is that at some point in time, these threat actors are going to focus on that entity, and then they might be successful,” he says. Bixby agrees. “Let’s be honest here, right?” he says. “I mean, whether you’re big or you’re small, you’re going to be a target.” This is where ethical hackers come in to make sure companies are continuously testing and updating their security. “In the end, that doesn’t mean you’re not going to potentially get hacked. Because it is still an iterative process, you need to make sure that you keep enhancing your security,” Bixby says. “You see in the movies when hackers try to break into organizations. We try to mimic those techniques.”
Interestingly, outside of his role at Aon, Bixby also happens to work as a hacking technical consultant for television and movie projects, creating hacks that will be depicted on screen to make sure they appear realistic. He’s worked on projects including Mr. Robot and Ocean’s 8, as well as others, so he knows first-hand how real life cyber incidents can emulate what’s seen on the big screen. “I essentially just created the hacks that they wanted me to do for the movie and for the TV shows,” he says. “I recorded my screens. I copied and pasted all of the input that I added in there, as well as what the outputs of my tools would look like.” He then sent it off to a graphic designer who animated the hacks for each scene.“It’s all realistic,” he says. “I mean, everything we did, or at least I did for those shows, was actual hacks. I wanted to make sure it was as realistic as possible because I take pride in what I do.”
Although ethical hackers like Bixby and Krehel take pride in what they do, cyber criminals are committed to their work as well, and they’re paying a lot of attention to which companies have cyber insurance that will reimburse for ransoms, Krehel says. “Over the last three years when we saw, let’s say, 150, 200 or more major ransomware incidents, we hardly had maybe five, 10 victims that did not have insurance,” he says. “So, definitely threat actors created a market that was based on knowledge that these institutions can pay. They’ve done their due diligence.”
So with all of this in mind, how can companies stay one step ahead? “You want to be the second slowest guy when you’re running away from a lion,” Bixby says. “You don’t want to be the slowest guy. So be, at least at a bare minimum, the second slowest person running away from a lion because they’re going to get the slowest person.” This means making cybersecurity a part of company culture every year, he says. “Like, ‘Hey, we need to buy more pencils and more computers. We also need to buy more security,’” he says. “It should just become part of everyday life for organizations.”
Check out the rest of this episode to see what else Ondrej and Adam have to say, and be sure to check back for new episodes of The Insuring Cyber Podcast published every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.
“At Aviso Insurance, we are proud to serve the many heroic professionals in our healthcare community.”
Aviso Insurance is an independent agency that works for YOU, the medical expert. We have access to nearly all the medical malpractice insurance markets to serve you. Testimonials | Aviso Insurance
Dan Reale, Independent Agent/Owner
Direct Phone: (407) 808-6149, Fax #866-660-1415, or
E-Mail: [email protected]