source: eweek.com

TORONTO—Cyber-security researcher Keren Elazari came to the SecTor conference here to deliver to the button-down, business crowd a key message: Hackers can help companies improve cyber-security.

Elazari delivered the keynote address on Oct. 2, providing an overview of current cyber-security challenges, including unauthorized cryptocurrency mining, ransomware attacks, SMS phishing, and issues with weak and reused passwords.

"The first lesson that we can learn is that all the digital devices out there have value, and they can and will be used against us," she said.

With unauthorized cryptocurrency mining, also referred to as crypto-jacking, attackers are monetizing whatever they can, injecting code into systems and browsing sessions, according to Elazari.

Another lesson that Elazari preached at SecTor is that organizations need to do a better job with passwords, which are at the root of many data breaches. Passwords are commonly reused, she noted, which is a real problem given the large data breaches in recent years including LinkedIn in 2012. Elazari said the Have I Been Pwned online database, which was created by Australian security researcher Troy Hunt, makes it easy for anyone to see if their email address has been involved in a data breach.

Rather than using passwords, which attackers can crack, Elazari advocates for the use of passphrases, which can be harder to attack while being easier to remember.

Attackers are also increasingly using automation tools, such as the new AutoSploit tool. AutoSploit integrates with the Shodan vulnerability search engine, which can help to identify potential targets, she said. AutoSploit also integrates with the Metasploit penetration testing framework to automatically enable exploits for the vulnerable targets that Shodan finds.

Bring On the Hackers

"Users are on the front line, they make hundreds of security decisions every day, and we have to enable them to be safe," Elazari said. Regular users are not as likely to be as paranoid as security professional and friendly hackers, she added.

Elazari noted that while artificial intelligence and big data can help, ultimately the challenge of cyber-security requires some human intelligence as well. To that end, she suggests that organizations build a strong security culture within their organizations that embraces the hacker mindset, since hackers tinker with things to see if they can break and question how operations work.

 

Embracing hackers also involves bringing hackers into organizations, which can be done through bug bounty programs. With bug bounty programs, hackers are encouraged and awarded to hack systems in an attempt to improve security.

"When I go to DEFCON, the world's largest hacker conference, I don't see 50,000 criminals; I see people that are trying to make things better," she said. "Those are the people we need in our organizations in the future."