- Being hacked is inevitable, so it’s important to learn how to guard against breaches.
- Mandatory breach notification disclosure became law in February 2018 in Australia.
- Daniel Weis is a speaker at Audit Conference Australia events in March and April.
Ethical hacker Daniel Weis has earned his stripes as one of Australia’s most prominent security experts. As security specialist at Melbourne-based Kiandra IT he gets paid to expose the vulnerabilities in company and government systems.
“The good thing about being an ethical hacker is we still get to do the fun stuff, but with a ‘get out of jail free card’ by having legal documents and agreements between the team and the organisation and partners that we have been engaged to assess,” he tells Acuity.
“I can come up against the toughest organisations with all sorts of security controls, but it can often be easily bypassed just through a well-rounded phishing email or an obvious password, which usually provides me an entry point.”
(Pictured: Daniel Weis)
Handpicked by the EC Council as one of the first 10 people in the world to receive Certified Hacker accreditation, Weis has more than 22 industry qualifications under his belt. Now he assesses the cyber security of companies from small accounting firms to multi-billion dollar global organisations and well-known brands to ensure they don’t become the next hacking scandal ‘headline’.
In short, he advises organisations on how to become more cyber resilient and avoid losing customers because of a security breach. So, who and what are the weakest links that criminal hackers target?
One of Weis’s specialities is social engineering, or ‘the art of deception’. It’s almost undercover spy work. He phishes, or calls a user asking for sensitive information, which they often provide, bypassing all defences. He’s also breached organisations through physical access, by approaching reception dressed as a service guy to investigate an issue, as well as by imitating a legitimate employee.
Types of hackers – the good and the bad
The difference between the good guys and the bad guys is that criminal hackers are mostly motivated by money, says Weis, although revenge is sometimes also a motivator. Some spammers were making $20,000 a day from spam and Viagra emails about 10 years ago, he says.
Weis says there’s a misconception that ethical hackers come straight out of university. However, it took him more than 20 years to become proficient in all aspects of ethical hacking, and now he trains others.
Cyber resilience is being able to ride the storm and come out as unscathed as possible. Our job is to make it harder [for hackers] and to mitigate the risks and effects of a breach
“Hackers are smart, and they continue to get better every day,” Weis says. “They are technically very proficient and comfortable in a range of areas of ICT and have a breadth of experience.”
A culture of honesty
With 4.2 billion-plus records breached last year in the world, being hacked is inevitable. However, Weis says, the important thing is how to prepare for, and respond to, a security breach. In his experience, when a situation is handled with honest communication about what’s occurred and how it will be addressed, customers forgive you and your reputation remains intact.
“Cyber resilience is being able to ride the storm and come out as unscathed as possible,” he says. “Our job is to make it harder and to mitigate the risks and effects of a breach. If the right controls and measures are in place, the hacker won’t get to the sensitive data. We’ll detect it quickly and it won’t affect customers.”
Weis reports that employees are often scared to report having clicked on links and organisations don’t report data breaches fearing a loss of reputation. As a result, this has not given the security industry a whole lot of real data to work with or insight into the actual extent of data breaches.
Mandatory breach notification legislation
However, this will change as a result of the mandatory breach notification legislation that started on 22 February 2018.
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the notifiable data breaches (NDB) scheme. The scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.
Individuals must be notified when their personal information is involved in a data breach that is likely to result in serious harm.This notification must include a recommended response to the breach. The Australian Privacy Commissioner must also be notified and fines can apply for failure to comply.
The mandatory data breach notification law responds to public concern about cyber security and the rising number of data breaches. It demonstrates that Australians take cyber security seriously.
Protect yourself from hackers
Despite the inevitability of being hacked, Weis says: “It gets tougher every day to get into company networks.”
Weis also advises reviewing the company’s internet presence. “Are there legacy systems? Are there lots of ways into the network? Are staff trained on cyber security? Are their passwords inadequate? Has a security assessment been performed? Is there a plan to cope with a cyber security breach?”
Education is key to keeping on top of the latest security, techniques and vulnerabilities to minimise the risk of hacking. Five basic precautions should be adopted:
- Trust your intuition, and if it seems too good to be true, it probably is.
- Always stick to well-known sites. Check the URL to make sure it’s secure and the real address.
- Don’t follow links in emails (especially suspect ones).
- Use Edge as your web browser.
- Make sure you have endpoint protection installed on your machines, and of course, use a password manager.