By Mark Rowland
With cyber security a bigger issue than ever before, firms’ “penetration testing” teams are working to stay one step ahead of the criminals.
For most companies, “air gapping” a computer – disconnecting it from all networks and restricting USB use – is the height of security. But even a completely unconnected machine is not immune to hackers, as delegates of the ICAS Conference will find out on 20 September.
Many companies that deal with highly sensitive information ban smartphones from the vicinity; researchers from Cyber Security Labs at Ben Gurion University hacked an air gapped machine using a smartphone that taps into the radio signals emitted from a computer’s video card. Air gaps have since been hacked using a very basic low-end mobile, electromagnetic waves and a GSM network.
Ethical hacking on the rise
Large accounting firms are increasingly called upon to test cyber security for their clients. PwC, for example, employ a team of ethical hackers who attempt to break into clients’ systems in order to expose their weaknesses. This spans from very basic attempts, such as leaving a USB memory stick loaded with “safe” malware in the office and monitoring whether it gets used, to the more sophisticated, which is where air gapped systems come in.
Will Rimington, who heads up PwC’s penetration testing team, explains that the firm is experimenting with ways in which to breach an air gapped computer. The team’s methods predominantly revolve around using light sensors and sound waves to control malware on the machine.
He says: “It will look to all intents and purposes like nobody’s touched it, yet it’s controlled to the touch of a laptop’s light or sound waves, and the ability to actually pass commands from those sorts of media to extract specific bits of data. We’re looking at proof of concept at this stage.”
The PwC penetration testing team is trying to push past the hacking techniques that are already in the public domain. By experimenting with new hacking methods, they are able to keep ahead of cyber criminals.
“It would be very easy to become a bit too complacent,” he says. “We had a recent exercise involving phishing emails. We’ve now taught all our people to ignore phishing emails, but therefore it will evolve further and faster, with more intricacies, over the next couple of years.”
See ethical hacking in action…
… and find out more about how you can protect yourself and your business, at the ICAS Conference 2017, “Expect The Unexpected”, in association with Investec Wealth & Investment.
John Shaw, Vice President, Product Management, Enduser Security Group with cyber security specialists Sophos, will be leading a must-see interactive session on the threat of digital crime.
This article was originally published in CA magazine.