Ask the Cyber Security Expert: What’s all this I read about cyber attacks?

14:34 12 February in attack, Cyber security

The Cyber Security Expert is often asked, somewhat unsurprisingly as he insists on walking around in t-shirt and baseball cap both emblazoned with ‘The Cyber Security Expert’, about cyber attacks, hacking and threats in general. What are they, how do they work, has my fridge been hacked? That sort of thing. Let’s lure him out of his Met Office Red Warning-proof bunker to see what he has to say.

Is cyber attack a real thing?

That’s a big question. Let’s start small. Cyber attack is two words. As are cyber security, cyber threat, cyber jihad and cyber Monday. German might do the compound noun thing. We use a space. Moving on, I don’t like the phrase ‘cyber attack’. It’s not helpful and doesn’t describe anything useful. If your house was burgled or graffiti sprayed on a wall would you describe it as a ‘physical attack’?

So, things done on the internet are done by people. People have the same motives online as they do in real life. Some are motivated by the desire to annoy, some to boast to their peers, some to make money and some for other purposes entirely. In the same way you wouldn’t assign a single motive or description to real world malfeasance it is unhelpful to do so when talking about cyber actors (and in this context when I say cyber actor I mean the individuals or group conducting some specific badness).

Talking about cyber criminals makes sense, as does cyber espionage or cyber activism (often abbreviated to ‘hacktivism’). And some things are attacks – a denial of service attack for instance (see our explanation here). But talking generically about cyber attacks is, in my opinion, unhelpful.

So how does the hacking thing work? Is anything safe?

Reading some media reporting, or the press releases of some security companies, you would be forgiven if you thought that under the relentless threat from hacking (or cyber attack as it is probably written) nothing is safe. Even your fridge.

Let’s start with some basics. In the old days to make machines work you shovelled coal or engaged the shaft to the windmill and then pulled levers. In the post-lever age we progressed to buttons – push to go, push to stop. Now however we use software to control our machines. This is generally a good thing – planes are much safer, the railways no longer rely on a network of signalmen pulling heavy levers and we all have smartphones. However, it stands to reason that if you can control something with software, well, you can control it with software. If a hacker can get access to a software-controlled system, they can make it do things. If they can replace the real software with their own software, they might be able to break the machine entirely.

Software has flaws – faced with unexpected inputs, it might behave in unexpected ways. Testing should reduce these flaws, but inevitably in complex software that is produced to a tight profit margin flaws slip through. Common flaws in the kind of software you use every day include failing to validate user input. For example, the contacts page on this website – the people who wrote that expect a user to input a certain kind of data. Letters mainly, perhaps some numbers and symbols in the email address section. They also expected a certain volume of information, probably consistent with a short email. But what if someone submitted a million exclamation marks? Or hundreds of images? Badly written software (which is a lot of all written software) can behave unexpectedly when faced with input the developers didn’t expect.
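As an added illustration (not code from this website or its authors), here is one way a contact form handler could check both the kind and the volume of input before doing anything else with it. The field names, limits and sample submissions are assumptions made up for the example.

```python
import re

# Limits are assumptions chosen for a short contact message, not values from the page.
LIMITS = {"name": 100, "email": 254, "message": 5000}
MAX_ATTACHMENTS = 0  # assumed: this form accepts text only
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
# Control characters other than tab, newline and carriage return.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def validate_contact_form(form, attachments=()):
    """Return a list of rejection reasons; an empty list means accept."""
    errors = []
    # Reject fields the form never defined rather than silently storing them.
    for field in sorted(set(form) - set(LIMITS)):
        errors.append(f"unexpected field: {field}")
    if len(attachments) > MAX_ATTACHMENTS:
        errors.append(f"too many attachments: {len(attachments)}")
    for field, limit in LIMITS.items():
        value = form.get(field)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{field}: missing or not text")
            continue
        # Check volume first, so no later step processes oversized input.
        if len(value) > limit:
            errors.append(f"{field}: {len(value)} chars exceeds {limit}")
            continue
        if CONTROL_RE.search(value):
            errors.append(f"{field}: control characters not allowed")
    # Only pattern-match the email once it is known to be short, clean text.
    if not any(e.startswith("email:") for e in errors):
        if not EMAIL_RE.fullmatch(form["email"]):
            errors.append("email: not a valid address")
    return errors


# Constructed sample submissions.
GOOD = {"name": "Sam", "email": "sam@example.org", "message": "Is my fridge safe?"}
FLOOD = dict(GOOD, message="!" * 1_000_000)  # the million exclamation marks
IMAGES = [b"\x89PNG..."] * 300               # hundreds of images

if __name__ == "__main__":
    print(validate_contact_form(GOOD))
    print(validate_contact_form(FLOOD))
    print(validate_contact_form(GOOD, IMAGES))
```

The point of returning reasons rather than raising is that every rejected submission can be logged, which makes floods of oversized or malformed input visible.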

In the security world we call these flaws vulnerabilities. The aim of the hacker is to find a way to exploit these vulnerabilities, and to get the software to fail in ways that are advantageous to them. Sometimes that might just cause a computer to crash, other times it might mean they can get a computer to run their own code (the second of these scenarios is more prized by hackers).

Those are the underlying principles of all successful hacking – exploiting vulnerabilities in software to do something bad.

So that’s all there is to it?

Well, not quite. There is another element in most computer systems – the person sat behind the keyboard. It is often easier to persuade users to do something unintentionally malicious than to try and exploit software directly. Plenty of recent, very successful, cyber criminal and espionage campaigns have hinged on convincing targets to open malicious email attachments, or click on links that serve up malicious software.

Hackers have it all their own way then?

Not necessarily. Hacking isn’t Star Trek, despite what you read in the papers. Hackers can’t just adjust the main deflector and suck out your information from orbit (I have gone on about this in other places). To gain access to your systems hackers have to exploit something that is already there – be it software or people. This means the fundamentals (‘not clown fundamentals!’) of good cyber security are the boring basics – asset management, user training, patching, removal of unnecessary software and so forth. Doing the basics is vital, but often people expect some sort of technological solution that will solve all their security problems (I am happy to sell you one of those, obviously).

Can I trust my fridge?

Perhaps, perhaps not. As more and more devices are connected to the internet the potential attack surface for the cyber jihadist/activist/criminal/spy rises. For now you’re probably safe. But remember the fridge from Ghostbusters. If that happens, don’t call us.

As always, if you have questions please get in touch! Find us on Twitter, or use the contact form.

The Cyber Security Expert