News Masters&Robots

An organization’s mentality and its cyber security. A conversation with hacker Tom Van de Wiele

We speak with Tom Van de Wiele, a cyber security expert with more than 23 years of experience, hacker and advisor to major companies. Tom will be a guest speaker at the Masters&Robots 2024 conference, where he will give a talk titled “The future of cyber security in a world driven by artificial intelligence – a hacker’s perspective.”

Joanna Kocik, Digital University: Hello, Tom! I’d like to start by asking about a certain phrase that you often say: “Cybersecurity culture is something that binds an organization together.” Why is it so important?

Tom Van de Wiele: This belief comes from my extensive experience in penetration testing and security incident response. Often companies call us, saying: “Someone is on our network. Can you remove him from there?” In my work, I specialize in eliminating the adversary from high-security systems, and many times I have seen organizations focusing on strengthening their “main entrance” while ignoring other vulnerabilities in their system. When I show them that adequate security is lacking somewhere, there is a sense of failure – such a reaction indicates a low security culture.

Companies don’t understand that being exposed to an attack or security incident is not a “pass or fail” situation. Many elements of cyber security may work well, but there will always be a “hole in the wall,” and that’s where the organization usually focuses. It’s natural, by the way, to get attached to bad experiences. When we start the day by stepping in a puddle, everything further on can already “go wrong.” However, it is worth looking at the issue differently. Just like in a football team or a ship’s crew, a security culture means doing things beyond mere compliance. It’s important to strive for an organizational culture in which trust is the foundation. Everything in the world is based on trust, but a single cyber-security incident does not immediately mean its erosion.

I have worked with companies that had a strong security culture, even though their product was not related to it. They understood that as partners to other companies, they needed to be better at delivering services in a way that made people want to work with them. So instead of punishing someone for violating the rules or making a mistake, you can explain why something might be a problem. It’s about understanding what happens in the event of a cyber attack and how to detect and respond quickly. Just as with fire safety – sometimes there is no way to prevent a fire. But we can detect it quickly and make sure everyone knows what to do. In this way, we have a clear operating scenario, we use common sense, and at the same time accept our weaknesses. This is the only way – despite security violations – to maintain a relationship of trust with employees, partners and customers.

Is this that “different way of thinking” about cyber security that you mention?

The key is to make security culture the foundation of the organization. This leads to the adoption of high security standards, which in turn makes other people want to work with us. You don’t have to be like Fort Knox right away – just ask the right questions and go beyond minimum compliance. When people actually comply with security rules because they want to, not because they’re afraid of not complying, good results immediately follow. And this approach makes a huge difference.

What is the typical reaction of an organization to the news that it may have been hacked?

Sometimes those responsible for security, called Chief Information Security Officers (CISOs) in Scandinavia, feel relieved. They then say: “This is exactly what we expected.” Many times they order security tests because they get conflicting information – they see incidents, but IT vendors assure them that everything is under control. Organizations need evidence in the form of tests to understand the reality of the situation. Usually the cost of such a test is only a fraction of what a real incident or breach would cost.

When we find holes in the system, some CISOs are happy because it confirms their concerns. For example, I break into a building to access a network resource. I see that security reports arriving on site within 40 minutes, but we actually know that two hours have passed. And this shows a failure to follow procedures. In such a situation, the reactions of superiors can range from tacit acceptance to anger. In extreme cases, I have seen people admonished or even fired with immediate effect. This is, of course, an overreaction because we are testing the process, not the people.

Such situations show us whether the organization has a developed security culture. Cars have bumpers because they sometimes collide with other vehicles. Similarly, companies should prepare for and anticipate incidents that violate their cybersecurity, instead of reacting as if the sky has fallen on their heads. Here the situation is really more complex than the aforementioned “pass or fail” test.

How would you rate our overall level of knowledge about cyber security? Are we getting smarter? Are organizations becoming more aware, or is it getting harder as new threats emerge?

Our awareness has increased significantly, for example in the area of ransomware, which has been around since the 1980s, but companies often focus on avoiding threats rather than improving overall security. A lot of good has come from the introduction of European security standards such as DORA and NIS2, and we’ve also had universal data protection policies for several years. Still, companies see cybersecurity as a cost rather than a potential source of revenue. Many organizations think: “We are not a target, we are not Fort Knox.” And such thinking doesn’t take into account at all how digital attackers operate.

I see a great need to educate companies about what attacks look like, how criminals operate and how to strategically defend against them, without necessarily increasing the budget for cyber protection. It’s all about minimizing where an attack can occur and forcing attackers to make mistakes that we can detect.

In the business world, there’s a big difference between having cyber protection and feeling safe. Some people feel insecure even though they have good security, and vice versa. The media exacerbates this problem by elevating the sensationalism of information over its accuracy, which distorts the way we look at cyber attacks.

People often ask me which antivirus program to choose. I usually advise investing in a good backup solution first. The chance of losing data due to a forgotten laptop or a phone incident is much higher than being a victim of identity theft or a hacker attack. Common sense measures really are sometimes the best.

What is behind most attacks and what is their purpose?

Most attacks are motivated by the desire for profit. Attackers (or threat agents, as we call them in the industry) usually fall into two groups. The first is opportunistic criminals, and the second is organized crime groups. Opportunists simply want to see if they can get something out of an organization. The organized groups, on the other hand, carry out more sophisticated attacks, such as ransomware campaigns combined with phishing and password theft. They, too, are motivated by the desire for profit. On top of that, we still have governments, which have almost unlimited budgets to conduct attacks for strategic purposes.

Most people don’t realize that there is a full ecosystem among threat agents. For example, an attacker who wants to make a few million dollars from an attack needs the right tools to lock down computers and demand ransom. He can buy this software from specialized vendors. Then the attacker needs access to computers, which he gets by buying lists of vulnerable systems from people who scan the Internet for weak passwords and open computers. We call them “initial access brokers.” And now, with the development of AI, an additional layer has been added to the system, making some attacks more sophisticated.

Can you elaborate on this? What new risks or dangers arise from AI?

In short, AI acts as a skill multiplier. It allows people with limited knowledge to perform tasks such as profiling attacks. With AI’s help, they can assess whether it’s worth attacking a company, identify its assets and find related actors to exploit. AI can also write phishing emails in languages that were previously difficult to detect, such as Faroese or Finnish. In addition, some people are offering AI-powered services in the darkest corners of the Internet.

AI is great at automating simple tasks, just as a dishwasher handles routine dishwashing, but some items may still require manual scrubbing of the more difficult areas. So it is possible to consider AI as an additional work tool, but for the time being it is not yet a revolutionary change.

Does AI help you in your work?

Definitely yes. I use bots in creative ways – to gather information, to analyze data from so-called “honeypots” (fake systems set up to detect new attacks), or simply for my own projects, such as creating bots that talk to each other.

The cybersecurity industry, meanwhile, is looking to use AI to improve security scanners or detect more complex cases of abuse and intrusion. A standard security scanner might overlook a file named “Passwords,” thinking it’s just a regular file. With the help of AI, the scanner can recognize that “Passwords” may contain passwords. AI enhances existing technology, rather than being a standalone solution.

With all this knowledge, it is easy to become paranoid about cyber security. So how can you maintain a high level of protection without panicking?

The key is to understand what attacks look like and what they cost. You don’t have to completely stop an attack; you just have to make it costly for the attacker.

Figuratively speaking: your fence doesn’t have to be the highest; it just needs to be as high as others. Knowing why you’re getting phishing text messages, why high-resolution Facebook profile pictures are targets for information extraction, and why you shouldn’t make your cell phone number public helps. If you understand these elements, if you know what an attacker needs to succeed, you won’t panic, which, by the way, usually stems from fear of the unknown.

A good way to stay calm may also be to realize that while your opponent may be everywhere, he can’t be everywhere at once. No one is that interested in you! <smile>. Attackers often want to undermine not only you, but also the people in your network of contacts. They operate within budgets and often choose easier, cheaper targets if they can. So it’s all about knowing and understanding the attacks, making informed decisions and making the whole endeavor costly for the attacker.

One last question I have to ask: Where did the banana come from in your hacking kit?

<Laughter> The banana serves two purposes. First, walking around the bank’s headquarters when you shouldn’t be there causes your body and mind to go into “fight or flight” mode – which can be stressful. But when you eat a banana – or eat something in general – your body thinks: “Wait, we’re eating. We need to be relaxed.” So the banana helps you relax.

Second, holding something in your hands – a banana, a newspaper, a file of papers – makes you look less suspicious. People breaking into a company don’t just stand around eating a banana. When you’re eating or holding something in your hands, you give the impression that you’re preoccupied with something, while just standing around with empty hands can quickly become awkward. This is my way of blending in.

Thank you very much. I’m already looking forward to your appearance at Masters&Robots!