More than a decade following his denial of service attacks on several of the world’s major companies in 2000, Montreal hacker turned security expert Michael Calce– otherwise known as MafiaBoy– says there’s a need for more proactivity in the IT security space.
“You can see the overall motivation change for hackers,” Calce told ChannelBuzz.ca at a recent event hosted by security vendor Check Point Software. “It used to be the exploration of technology, whereas today it’s all about monetization.”
Coupled with the explosion of information being put online, the influx of Web threats isn’t surprising. “The amount of profit to be made in this industry is enormous.”
Today, despite the explosion of Web threats, the IT security space is still often a game of cops and robbers, where IT pros are simply waiting for dangers to emerge. Instead, they should be waiting at the bank, before the threat hits.
For IT professionals, that means educating users and having policies on what Calce says are the top three threats right now, even if they are surprisingly basic.
Social engineering and scam pages are the top threat among consumers and businesses today, according to Calce. “This is definitely the number one issue because people seem to be completely oblivious,” he said, because those threats often come from the user’s own contacts. Solution providers and IT pros need to educate users on what false links look like and companies should even have basic training in place to prevent these kinds of scams, he said.
The next biggest threat is a general lack of security products on PCs, or inactive ones, which often stems from a false sense of security. Again, users often think they’re not being threatened or aren’t taking the threats seriously enough. “Just being online and having an IP address means that you are a target and you will get scammed relatively soon,” he said.
Rounding out the top three threats is insecure passwords, which despite requirements such as using numbers and special characters, are still common. “It’s very important to monitor your passwords,” Calce said. He recognizes that it can be annoying and difficult to remember many passwords, but this is still a major issue that needs to be addressed.
Being proactive also means businesses should build teams to look for threats more thoroughly.
“What they really want to get their hands on is the zero-day exploits,” Calce said. “That’s the key, number one issue.” Those are the most brutal because vendors aren’t aware of them. Having a team constantly searching the most common and popular applications would be a big help, he said.
“A lot of the time it’s left up to the vendor, but I’d like to see some initiative and see some security companies attempt to hack software that exists and basically see if they can find their own exploits,” he said. “If you find the exploit, you can write a patch for it.”