With all the innovations in the area of cyber-security — many developed by Israeli start-ups — you’d think that online bank accounts and other “secure” data would be safer than ever. But headlines scream out lurid tales of hackers invading accounts — this time with Russians as the culprits, stealing huge amounts of customer information from top US banks. One could wonder where the security is.
The problem isn’t a lack of security solutions, says Prof. Isaac Ben-Israel, head of the Tel Aviv University Interdisciplinary Cyber Research Center (ICRC) and chairman of the upcoming International Israel Cyber-Security Conference. It’s that the right solutions aren’t always being implemented, and the fact that solutions exist is actually good news.
“The Russians are longtime experts at creative hacking, but in this case the attacks could have been blocked, had the right resources been in place,” Ben-Israel told The Times of Israel. “A threat is theoretical until it is actually carried out, and it’s usually only then that the threat is properly addressed with all the resources that could have prevented it from being carried out in the first place. Events like this are unfortunate but actually have a positive side, because they raise awareness and ensure that people are ready for the next round.”
Although the banks affected by the mass Russian hacking said that the invasion was just one of many they have to deal with – and that no customers lost money – hackers are constantly looking for weaknesses in systems to exploit. Cyber-crime is just one of the issues that will be on the agenda at the conference, set for Tel Aviv on September 14. A host of speakers from Israel and abroad will roll into town to talk cyber. Israel’s contingent will include Prime Minister Benjamin Netanyahu, Defense Minister Moshe Ya’alon, Minister of Finance Yair Lapid, Minister of Science & Technology Yaakov Peri, and former President Shimon Peres.
Visiting guests will include former NSA Director Gen. (Ret.) Keith Alexander, Canadian Minister of Public Safety & Emergency Preparedness Steven Blaney, Assist. Sec. Gen. of Emerging Security Challenges Division at NATO Amb. Sorin Ducaru, Former US Deputy Secretary of Defense Gordon England, Director of the Office of Cyber Security and Information Assurance Cabinet Office UK James Quinault, Coordinator for Cyber Issues at the US State Department Christopher Painter, security expert Eugene Kaspersky, and many others.
It’s a fact that theft accounts for most of the cyber-malfeasance out there, but it’s not the necessarily the greatest threat. The biggest area of concern for cyber-security professionals and governments is securing infrastructure — ensuring that electricity grids, water and gas facilities, and other critical installations are safe. Securing infrastructure isn’t an impossible task. With enough money and effort, “anything can be defended, with systems put in place to make the lives of hackers more difficult,” said Ben-Israel.
Many facilities already have such protective systems installed, and they are far too complicated for the average hacker to easily invade. “Hacking many of the infrastructure defensive systems would require extensive efforts of the type that only a very large organization, like a state, could organize. Fortunately, there are few entities that could pull off a major infrastructure attack on a country — you could count the number on your two hands.”
Most hackers prefer not to work that hard — and in fact, they try to trick their victims into doing most of the work, by sending them e-mails containing links that, when clicked, will install malware into their systems. These phishing attacks (in which hackers “phish” for victims) are the easiest, fastest, and usually most successful method for hackers to steal personal and corporate data. Once malware is installed, hackers can bore a data tunnel into a server and acquire credentials, with which they can steal documents, passwords, messages, and anything else residing on a network.
Even here, there is good news, said Ben-Israel. “If people follow the rules — not clicking on suspicious links, installing security software, changing their passwords regularly, etc. — virtually all phishing attacks could be eliminated.” Unfortunately, that goal is hard to achieve. “It’s hard to follow the rules, and it’s tempting not to follow them,” Ben-Israel noted. “That’s what makes hackers successful, but if you want to beat them, there really is no choice.”