We all need to raise the cybersecurity bar, says Redshift's Sean Howell
With cybersecurity legislation in the works and e-defence budgets being ramped up, it seems that South African companies are finally becoming alert to the threat posed by hackers to their funds, intellectual property, client data and reputation. We spoke to Redshift Cyber Security's Sean Howell, who will be making a presentation during next week's CFO Summit, about developments in the space.
Do you want to be at the leading edge of finance and business? You can't afford to miss out on the opportunity to hear from finance leaders and experts if you want success, inspiration and profitability in 2017! One of the tracks for the first CFO Summit of the year, to be held on 22 February in Sandton, is entitled Technology for tomorrow: Doomsday or opportunity? The truth about cyber crime. Register HERE.
Tell us about your background.
"I studied information systems and economics at Wits - a managerial degree not geared towards the hacking I do now. My first job was as an IT auditor and involved visiting data centres and other general work. One of our clients enquired about penetration testing and I ended up on the project team. I managed to breach and take over the client's network, almost by accident in hindsight. This spurred my interest and I began studying hacking techniques and how to break systems in a structured way. I had always been interested in tech, but this really got me into gear. Hacking is not always a precise art - you've got to experiment with the technology to try and make it fail in a very specific way that ends up letting you steal money."
How did you come to be involved with cybersecurity?
"I decided to join a cybersecurity consulting company. I joined as a consultant, and ended up running a fairly large team of hackers, shifting from consultancy to teaching. In early 2015, I began thinking about starting my own company. I took the leap and backed myself, buying a laptop and tools with my last pay cheque and reaching out to various SA companies and the contacts I've made over the years. We had a lot of success, securing contracts with a handful of listed companies. We are now a four-man team based in Rosebank, Johannesburg."
What does your work at Redshift entail?
"We have a range of clients, from big banks through to small 10-man teams. Everybody needs to secure themselves against cyberattacks. Our offering is really, at its core, a risk assessment for the connected, modern organisation. There is a lot of uncertainty and mystery around hacking and how data breaches actually occur. Our value proposition is that we actually know how to do this. It gives us the ability to simulate a real-world attack in a controlled environment, closely mimicking how an actual hacker would target an organisation in that sector. We can help executives sleep easier at night by offering the kind of assurance boards are looking for. A big part of what we do is to translate the mystery of hacking into real world business risk and present meaningful solutions to the problem.
"We work both on- and off-site. Sometimes a client wants to know what an attack would look like if it came from Russia. We will then use proxy servers in a very specific way, bouncing off servers all over the world. It's not quite what you see in CSI, but the concept is valid. When we conduct external assessments, we attack from the net, but we also do social engineering-style attacks. The latter is where, for example, we go to reception and pretend to have a meeting, or call people in the organisation and extract information by pretending to be the IT department. It's not magic. The most common way into a company is through a poor password. Carelessness is the friend of the hacker."
What are the most challenging and rewarding parts of your work?
"It is rewarding to help defend clients against an attack. A lot of what we do requires an instant response. We like to leave clients in a better position than they were in previously. Starting a company in this economic climate has been the hardest, most rewarding thing I've ever done. I've learnt a lot of new skills along the way, covering business management, marketing and sales. It has been a mini MBA of sorts. The least challenging thing is actually breaking into a company and the actual hacking. We have had a 100% hit rate so far."
What can the audience expect at the CFO Summit? Are you looking forward to it?
"It is incredibly valuable for me to meet thought leaders in other market sectors. There are so many things that go on across business sectors that affect us and contextualise cybersecurity risk. Knowledge is key and it will be empowering to meet industry leaders and learn about their challenges. I will be speaking about actual attack techniques and how to properly prepare your organisation for this new type of threat. We're going to cover a lot of ground and it's essentially a tour through the world of hacking, predictions for the future and some practical advice that really makes a huge difference. I'm also going to demonstrate some hacking techniques and what people could do to make my job harder! A big part of what I do is try to take the mystery out of cyber-attacks and let the audience make up their own minds."
Are South African companies doing enough in terms of cybersecurity?
"Many South African firms still struggle with cybersecurity and a lot of it has to do with the mandate from government. The US and European governments have a mature approach to cybersecurity. Companies are required to report a breach if it involves critical national infrastructure and there are lots of support structures. We haven't had this in SA, but we are moving in the right direction with the Cybersecurity Bill, which is inspired by our neighbours across the pond. The legislation will provide for protection of critical infrastructure, support for the private sector, awareness around cybersecurity and guidance in the event of a breach. My favourite part of the legislation is the clear increase in government effort to make cybersecurity an important part of corporate dealings."
What impact will impending cybersecurity legislation have on the South African corporate environment?
"I hope to see a lot more collaboration, dialogue and transparency. We only hear about a fraction of attacks because companies tend to sweep things under the carpet for fear of reputational damage. The vast majority are being or have been hacked and just don't know about it. Don't put your head in the sand. I think we are moving towards a society where we can freely share the indicators of an attack and help other organisations in our sector to defend themselves. If we all collectively raise the bar it makes it that much harder to target any one organisation."
How should companies define how much of their resources they should allocate to cyber-security?
"You can spend every cent you have on cybersecurity and still be hacked. The solution is to focus your efforts. The traditional approach is to secure everything, but modern cybersecurity is attacker-centric. Companies should spend money based on realistic attacks that are likely to occur. They need to understand hacker tools and techniques and their specific pathways through the organisation. Understanding the route an attacker would need to take through your systems, people and processes allows you to identify the 'doorways' that you know an attacker will eventually need to come through. It's these doorways that are critical and where the focus needs to be. It's the mindset of 'we know the attacker is coming this way, let's set a trap', rather than put up a firewall and hope for the best."
What cyber-trends are we likely to see over the coming year or so?
"There is an ongoing escalation in capability of attackers and the Internet is becoming more insecure and more vulnerable to attackers. Tech developments in the name of national security that intentionally make things insecure in order to access terrorist networks, for instance, leave institutions open to counter-attacks. The security industry struggles to keep up with these developments, let alone the organisations that need to defend themselves. My prediction is that we are going to reach a tipping point where we see mass-exploitation of everyone and everything (including internet of things connected devices). I think it's going to require a robust legal, technical and political solution to get this right and that means we all need to be talking more about this issue."
Do you have any cybersecurity tips for executives?
"Don't just spend blindly on cybersecurity. The blanket approach no longer works when trying to prevent sophisticated attacks. Executives need to think like a hacker, asking what it is that would be valuable to an attacker and work backwards from there. It could involve financial incentives, reputational damage, intellectual property or personal customer information. What are we actually trying to prevent here? That is the first question that executives need to answer."
What do you do in your time off?
"I'm a big nerd at heart. I'm a techy, play guitar and read comic books."