Most CISOs just don't understand the hacker mentality says security chief

N Brown's Mike Koss says CISOs need to spend more time on the front line

When Mike Koss was a script kiddie in the 1990s it was a very different world.

"It was all about the ego, the arrogance, the kudos of being able to say that some high school dropout who gave up school at the age of 15 was able to compromise a system at Berkeley University in the US or Stanford or MIT."

These days, a reformed Koss is head of IT security & risk at e-retailer N Brown, but lessons learned as a teenage hacker still inform his work.

"It's always been about seeking out loopholes in the technology and finding a way to leverage that to your own advantage," he said, adding that C-level executives - even most CISOs - will never fully understand the hacker mentality unless they've been there themselves.

"I think at the C-level they're always looking at the GDPR stuff, they're looking at the policies, they're looking at the compliance but they're not looking at it with an attacker's mindset," he said.

Even CISOs - the role you would expect to have a good understanding of the techniques deployed by intruders - may have gaps in their knowledge as a result of being too far from the front line, Koss continued.

"Most CISOs aren't ex-hackers or ex-hands-on technical guys. Your CISO role talks to business around security, they're always in meetings," he explained.

"Most CISOs tend to come up through the business. They might be network guys, they might be a CTO, they might be a COO then they move into the CISO role. Or they might've just done an MBA in a business subject and then take security on and do a CISSP or a CISM qualification. They're very hands-off and they're actually talking business and discussing budgets. They're not looking at what we actually need."

A long game

Like anglers, hackers are patient types, prepared to sit and wait until opportunity bites. The teenage Koss was asked by a friend to take down some photos on a website. That this friend was a model may have provided the motivation in this case...

"It took me six months of trying different things, and I waited until they updated a piece of software which happened to introduce a vulnerability I was aware of into their website, at which point I was then able to get in and do what I needed to do."

The big guys - the crime gangs and state-backed hackers - use similar techniques and are prepared to wait much longer still. Once they're in they often bide their time, strolling around the network for months or even years looking for items of interest or pathways to infiltrate the systems further. Such advanced persistent threats (APTs) are a real and ongoing menace and organisations should assume they've already been breached. But many of the tools that claim to mitigate them aren't up to snuff, Koss claims. He declined to name names.

You've got to test what you buy - Mike Koss

"These APT tools that claim to identify ransomware and all the stuff that's dropped onto your network and the zero-days - you need to test them. We tested them with a couple of virtual machines, and I bypassed every single one of them very easily. And this isn't knowing a lot about how the internals work. So you've got to test what you buy."

Despite the current focus on state actors and well-funded criminal cyber gangs, the threat posed by bedroom hackers who will break into a system for no more reward than the acclaim of their peers should not be discounted.

"Those 15-year-old script kiddies browsing the web using Google to find the exploits? They are the guys who compromised TalkTalk. It was a SQL injection. It's a very easy thing to do, you just hit a button."

The fact that a large technological organisation like that can so easily be brought low is a demonstration of the knowledge gap and complacency that characterises many organisations when it comes to cyber security.

In a follow-up article to be published soon, Mike Koss talks about closing this knowledge gap and the challenge of hiring talented security professionals.

Mike Koss is one of the keynote speakers at Computing's Enterprise Security & Risk Management Live event, where you can hear from the National Crime Agency, ex-hackers and big-business CISOs about how they are tackling cyber security. For more information, check out the dedicated event website. Attendance is FREE to IT leaders and senior IT pros.