Dr Ian Levy, technical director of the UK’s National Cyber Security Centre, has criticised security companies for “massively” exaggerating hackers’ abilities in order to scare businesses into making purchases.
As BBC News reports, Levy criticised the hyperbolic imagery and language used by security firms when describing threats:
Playing up the threats let security firms establish themselves as the only ones that could defeat hackers with hardware that he likened to a “magic amulet”.
“It’s medieval witchcraft – it’s genuinely medieval witchcraft,” said Dr Levy.
Often, he added, the attacks aimed at firms were not very sophisticated. As an example, he quoted an attack last year on a UK telecommunications firm that used a technique older than the teenager believed to be responsible for the incident.
The telecoms firm being referred to there is TalkTalk which, despite its attempts to convince customers that it had fallen foul of a highly sophisticated attack, had fallen foul of a bog standard SQL injection attack – the type that any decent web programmer learns about on the first day of their secure coding course.
You don’t need to be a state-sponsored hacker to perpetrate an SQL injection attack. Just about any teenager can manage it from their back bedroom with ease.
Similarly, the high profile hack of email accounts belonging to senior figures in the US Democratic party don’t appear to have been that sophisticated either – relying instead a fairly rudimentary phishing email assisted by a victim’s poor password hygiene, and a lack of multi-factor authentication.
Cybercriminals are often not geniuses for a very good reason. They don’t need to be. We make it too easy for them to succeed.
And often it will be a human failing which gives the malicious hacker the opportunity they need to break in and infect computers or steal information.
By the way, Levy seems quite refreshing in his approach, as The Register‘s write-up of his speech makes clear:
In November, the agency published its National Cyber Security Strategy 2016 to 2021 detailing these plans, and Levy suggested people take a read because “for a government strategy review it’s not completely crap.” The NCSC wants to promote “active security” – not active as in attacking but active as in “getting off your arse and doing something.”
You can read the UK Government’s Cyber Security Strategy here.