By Dr Jessica Barker

17 May 2019 - 14:59

'State-on-state hacking has been happening for a long time, and it probably always will happen.' Photo © Markus Spiske, used under licence and adapted from the original.

Dr Jessica Barker is a cyber security expert and co-founder of the cyber security company Cygenta. 

What is a strong password?

A strong password is complicated and long, and you need to have a different password for all of your accounts.

If someone cracks a password for one account, and that password is used elsewhere, then all of those other accounts are compromised.

A strong password is not a dictionary word, and does not use tricks that we think are unique, but aren't. For example, replacing an 'o' with a zero, or replacing an 'i' with the number one.

If you have added numbers to a dictionary word, they will be in a password cracking dictionary and cyber criminals will be able to crack your password easily.

What you need is a random password. You can use what we call a 'passphrase', where you take three random words and string them together.

You can also use a password manager.
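To make the point about substitutions and appended digits concrete, here is an added example (not part of the interview) that models what a cracker's mangling rules undo: it lowercases a candidate, strips the digits and symbols people tack on the end, reverses common letter-for-digit swaps, and checks the result against a small constructed word list. It also compares the search space of "dictionary word plus rule" against three random words; the dictionary size, rule count and 7,776-word list size are assumptions for illustration.

```python
import math
import re

# Constructed sample of a cracking dictionary. Real word lists hold millions of
# entries; these few words are enough to show why the 'tricks' do not help.
BASE_WORDS = {"password", "welcome", "dragon", "summer", "monkey"}

# Substitutions people believe are unique but that mangling rules already try.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Characters commonly appended to a word: digits, years, '!' and friends.
APPENDED = re.compile(r"[0-9!?.,#*-]+$")


def normalise(candidate: str) -> str:
    """Reverse the usual disguises so the underlying dictionary word shows through."""
    s = candidate.lower()
    s = APPENDED.sub("", s)          # 'dragon2019' -> 'dragon', 'm0nkey!!' -> 'm0nkey'
    s = s.translate(LEET)            # 'p@ssw0rd' -> 'password'
    return re.sub(r"[^a-z]", "", s)  # drop anything that is still not a letter


def in_cracking_dictionary(candidate: str) -> bool:
    """True when the candidate is just a dictionary word plus predictable mangling."""
    return normalise(candidate) in BASE_WORDS


def mangled_word_bits(dictionary_size: int, rule_count: int) -> float:
    """Search space a cracker must cover for 'word + one mangling rule', in bits."""
    return math.log2(dictionary_size * rule_count)


def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Search space for a passphrase of words drawn at random from a word list."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Dragon2019", "$ummer5", "tableclockriver"]:
        weak = in_cracking_dictionary(pw)
        print(f"{pw:16} -> {'weak: dictionary word + mangling' if weak else 'not a disguised dictionary word'}")
    # Assumed sizes: a 100,000-word dictionary with 1,000 mangling rules,
    # versus three words chosen at random from a 7,776-word list.
    print(f"word + rules  : {mangled_word_bits(100_000, 1_000):.1f} bits")
    print(f"3 random words: {passphrase_bits(3):.1f} bits")
```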

What is a password manager?

A password manager is like a vault for your passwords.

You only need to remember one very strong password for the password manager, and the password manager generates random, complicated passwords.

You don't need to remember or even see the rest of the passwords, because the password manager does that for you.

How do you find a password manager, and how do you apply it to your own accounts?

First, do some research. Find reviews of tested password managers online. Then, it's something you install, like an app. 

Many password manager companies charge organisations, but they offer their service free for individuals.

What are your clients' top cyber security concerns?

Outside of passwords and how to manage them, people are also worried about email. They are concerned about clicking on phishing links in emails, and want to know why they are receiving phishing emails.

When data breaches happen at companies like Facebook, LinkedIn and Yahoo, the stolen database can go online. This will often include emails, passwords, security questions, sometimes the content of private messages.

A couple of years later, people might receive spam emails and wonder why they are targeted. This can be due to one of these breaches, if their email address became public on a list available for download on the internet, or was for sale on the dark web.

People also ask me about having security at home, particularly in regard to their children and their use of the internet.

How much expertise do you need to be safe online?

A few basic steps in cyber security can protect you from the majority of the threat:

  • Have a good password and a different password for each account.
  • Set up two-factor authentication. This texts a number to your mobile phone which you must enter alongside your password to get access to your account.
  • Be careful about the links you click in emails.
  • Use a virtual private network (VPN).
  • Use mobile data instead of Wi-Fi in a public place.
  • Update your devices when prompted.

If you follow these steps, you're mitigating most of the risk. 

It might take time for individuals to get started using a password manager and two-factor authentication, but you don't need to be an expert.

How do people and countries share knowledge about cyber security?

A lot of information sharing is based on trust, in networks that are built over time.

Governments and law enforcement agencies regularly share information face-to-face or through online forums.

In industry, chief information security officers often meet to talk about the threats to their organisation, and where they've had success in strengthening their cyber security.

What is said within that group is not repeated or attributed to anyone inside that group. If one person shares information about a phishing email that is going around, people in the group may mention this to external people, but they will not say who they heard it from.

What role can diplomacy play in keeping us safe from state-on-state hacking?

State-on-state hacking has been happening for a long time, and it probably always will happen. 

Cyber crime doesn't operate within country boundaries. In the UK, we're being attacked by cyber criminals from other countries, and this is true for all countries. The international nature of cyber security is important, because we are faced with an international problem when it comes to cyber crime.

If we are able to trace an attack from someone in another country (which can be challenging in itself), then we need a good relationship with law enforcement in that country. With a good relationship, we can identify the attacker, then think about whether they can be apprehended or charged.

What are the different implications for a private individual and a professional organisation when it comes to cyber security?

Private people are more likely to encounter problems with organised criminal activity.

Phishing emails that we receive as individuals can be part of campaigns run by organised criminal gangs. They may seem targeted, but they are usually sent to a large number of people. 

Cyber crime might be carried out by what we call a 'script kiddie'. A script kiddie is not a hacker, and does not have a high level of skill or a lot of experience in hacking. These people go online, download some tools and commands without really knowing what they're doing, and carry out attacks on people.

Organisations are a big target, whether they are small or large.

They can encounter cyber threats from criminal gangs, from script kiddies or from people we call 'hacktivists'. Hacktivists are people doing hacking with an ideological or political motive.

State-on-state hacking also affects organisations. We see nation states carrying out attacks on organisations as a way of causing distrust and destabilisation in a country.

As well as being specifically targeted, organisations can also be caught up in a wider cyber attack. An individual or a group can exploit a vulnerability that they have identified in a system, and those systems might be used by many different corporations.

We saw this with the WannaCry attack in 2017, which exploited a vulnerability in Windows. Anyone using a particular version of Windows became a victim of WannaCry, which was a ransomware worm. Organisations affected included the National Health Service in the UK.

How can people keep themselves safe from targeted cyber attacks?

If you're targeted, and if you're targeted by someone who is determined and has a high level of skill, it is really challenging.

However, people who target you usually start off in the simplest way, whether it's organised criminal activity, a nation state or someone with a grudge. 

They will start by trying to crack your passwords. They might use passwords linked to you in a previous data breach dump. They might send phishing emails with links that, when clicked, will infect your system with malware. 

Can people protect themselves from more personalised attacks, like doxxing (publishing private information about an individual online)?

Doxxing is really challenging. If someone finds personal information about you and puts it online, it's very difficult to take it back.

Limit the amount of your personal information that is online. That's hard, because we have to share a lot of personal information, and so only have so much control over it.

Under the General Data Protection Regulation (GDPR) in the EU, organisations now have a higher level of responsibility and accountability over collecting personal data of anyone in the EU. 

Organisations shouldn't ask for unnecessary personal information. They should store information securely, and they should delete it when they no longer need it.

Individuals should think about what information they are sharing, and challenge organisations that ask for information about them.

How do individuals or companies balance the need for cyber security with the freedom to innovate and communicate that the internet gives us?

People often talk about the balance between security and convenience.

For every person and organisation, it's about understanding your appetite for risk and for innovation. And that will be different for everyone. 

In security, we are trying to recognise that the balance can be a challenge for organisations. There has been a shift in the culture of cyber security, to cooperate and better understand how the business needs to work.

We don't want to be seen as a blocker. That can lead to people in an organisation finding workarounds, or not including security in a project because they're worried the project will be slowed down.

We're also trying to communicate better why security is important.

Organisations need to make quick decisions. But, if people consult security at the start of a project, they can avoid roadblocks at the end. 

Jessica is presenting on cyber security at the upcoming Cheltenham Science Festival.

The Cheltenham Science Festival and British Council are partners in the global science communication competition, FameLab.

Watch the FameLab International Final 2019 live at the Festival, or via live stream on 6 June.
