Movers & Shakers Interview with the CEO of High-Tech Bridge. Frost & Sullivan - Tuesday, 22nd of May, 2012
High-Tech Bridge is a leading European provider of ethical hacking services. Alexander Michael, principal with Frost & Sullivan's ICT practice, recently caught up with Ilia Kolochenko, CEO of High-Tech Bridge, to discuss cyber crime and how to prevent it. Heading High-Tech Bridge since its creation, Ilia previously worked as a security expert and manager, implementing different IT security projects for various financial institutions in Switzerland. Ilia is also a lecturer in the Master's programme at ILCE/HES-SO (Neuchâtel, Switzerland).
Frost & Sullivan (F&S): Ilia, cyber attacks have become highly sophisticated, business-like almost, and it is clear that there are substantial resources behind the attacks. Who are the criminal organisations involved, and do you think it is true that, sometimes, entire countries finance criminal hacking?
Ilia Kolochenko (IK): Well, first of all we should define “criminal hacking.” In some countries, hacking (in its classic meaning) is not even considered a crime. In other countries, judges authorise police use of Trojan horses and hacking techniques to track criminals. Today, more and more information becomes digital, and the value of this information is permanently going up. Eventually, every economic, political, governmental structure starts trying various methodologies to get valuable information. Recent news clearly demonstrates that hacking is becoming a common way to get necessary information for almost everybody, from housewives spying on their husbands, to governments stealing military secrets from their strategic rivals.
F&S: And what exactly are the attacks aiming to accomplish? Is plain sabotage sometimes the aim?
IK: I'd separate targeted and mass attacks. Targeted attacks are usually ordered by a competitor or a rival, and are aimed against a precise target. They are quite complex and expensive to realise; however, they are very successful. Almost any system can be compromised; it is just a question of how much money your opponent is ready to invest. Therefore, if you have a powerful enemy who will not hesitate to use hacking methods to achieve the goal and invest millions in it, the enemy has strong chances of succeeding one day. The only counter-measure here is to make compromising your system as expensive as possible; this is actually the main business of High-Tech Bridge. Mass attacks are less dangerous, as they usually rely on one or several known vulnerabilities (quite often relatively old vulnerabilities). Their efficiency is usually about 10 percent; however, they are targeted against the maximum amount of potential victims. Hackers use mass attacks to gather botnets for further attacks, such as DDoS [Distributed Denial-of-Service, a multitude of compromised systems attacking a single target], sending spam or using computing power for some operations, such as password brute forcing [trying every possible key or password until you succeed]. Quite often, outcomes of mass attacks (such as bots, various databases and confidential information, credit card numbers, banking data) are resold on the black market.
F&S: So, it's a bit like finding a hit man, isn't it? If I need to commission someone to steal data from a competitor, I can hardly look him or her up in the yellow pages. How does it work?
IK: Actually, it is much easier than it seems at first glance. But then it gets complicated very quickly. In Google you can find thousands of “hacking” forums and websites that offer cheap and rapid hacking services with a 100 percent guarantee. However, usually, at best, you will just lose your money. Such “hackers” can also ask you for a “small bonus” 10 times exceeding the initial payment to “keep professional secrecy” and not inform the victim by whom the hack was ordered. Sometimes you also find that hackers will take a target from you, succeed in hacking, and, later, when they realise the value of the information they actually got, simply disappear, reselling the information to another customer who will pay more. Or they even sell it to several customers, including you. Therefore, I'd not really recommend playing with virtual hit men; it may turn against you.
F&S: Your company, High-Tech Bridge, fights cyber crime through ethical hacking, essentially by trying to compromise system security the way criminals would. An advantage of ethical hacking is that it detects vulnerabilities that are otherwise overlooked. Can you tell us what those vulnerabilities typically are?
IK: I cannot say that we “fight” cyber crime at High-Tech Bridge; that is a job for governmental agencies, police and some globally recognised organisations such as the Online Trust Alliance or IMPACT Alliance, of which we are proud to be members. Our main business is to prevent cyber crime. We're in the business of making systems as hard (and as expensive) as possible to hack for cyber criminals. This is the goal of ethical hacking—to hack the system before cyber criminals do so and prevent it. Talking about vulnerabilities that we detect during penetration testing and security auditing, I can say that we regularly see all possible cases: default admin passwords and various human errors, typical vulnerabilities caused by unpatched or wrongly configured systems, as well as some particular vulnerabilities in in-house and self-developed systems. Chris Rodriguez [Frost & Sullivan network security analyst] has perfectly described all possible vulnerabilities that ethical hacking detects in his recent research titled, “The Importance of Ethical Hacking: Emerging Threats Emphasise Need for Holistic Assessments.”
F&S: The concept “ethical hacker” sort of conjures up images of geeky, long-haired teenagers who spend 20 hours per day in front of a screen. I'm sure that nothing could be further from the truth, but I'd be really curious to hear what kinds of people you actually employ. How does one become an ethical hacker?
IK: It really depends. At High-Tech Bridge, ethical hackers always wear suits and ties and have perfectly combed hair for any meetings with customers. However, during the daily work at the office, they have no dress code or fixed working hours, as to work efficiently they need to feel relaxed and comfortable. Some prefer to come to work at noon, but they stay till midnight or even later. It is true that hackers are different from business people, as they mainly interact with machines, not humans. But the way hackers are shown in some Hollywood films is an exaggeration. Hackers are ordinary people. They have hobbies, families, kids. For example, our chief security specialist—Mr. Frederic Bourla—is a great expert in his domain. He devotes his free time to his family, like everybody else. He is also a free-fight and black belt Jujitsu trainer. He has participated in and won many regional and international championships. Additionally, our chief research officer—Mr. Marsel Nizamutdinov—who devotes a significant amount of his time to complex security research (similar to rocket science), is however also fond of exotic animals.
F&S: High-Tech Bridge has 10 times as many employees today as it did five years ago, so clearly you must be doing something right. Is your competition primarily other ethical hacking providers or other network security providers?
IK: The ethical hacking market is a relatively new market, and I cannot say that we have much competition in it. There are not many professional ethical hacking companies that offer solid services. However, the limited competition we do have is great and very useful to us, to our competitors, and of course to our customers. Healthy competition drives a business to continuous development and perfection, from which its customers benefit. You always try to be the best, and so does your competitor, so every day you offer something better to the market. In the market, there are also many small and medium companies that resell security software and hardware, offer IT support and integration, and also try to sell ethical hacking services. Such companies quite often confuse expert ethical hacking services with automated vulnerability scanning. They are not really able to compete for the business of large customers, who really care about security. They have insufficient technical skills, knowledge base, experience and human resources to handle large projects in the ethical hacking domain. Network security software and hardware providers are partners rather than competitors. They use our services to independently validate the correct installation of their products.
F&S: Trust, I would imagine, is essential to ethical hacking. Your clients do show you their most vulnerable sides. How do you build up and maintain that trust?
IK: Yes, indeed, trust is one of the most important values in the ethical hacking business. High-Tech Bridge has numerous certificates and legal measures to assure the highest level of trust. However, trust among people is the most important. You cannot trust a certificate if you do not trust the people behind it. Usually trust stems from a small project, during which you prove your professionalism and competence. Later, customers will entrust you with confidential and sensitive projects. At High-Tech Bridge we are proud that our first customer is still a current customer.
F&S: High-Tech Bridge offers both forensics and proactive services. Must the balance between reactive and proactive services change, given the changing threat environment?
IK: Humans will always remain human. During periods of financial and economic crisis, we see a domination of reactive services. During market recovery, we see a higher demand for proactive services. Ethical hacking is somehow similar to a dentist. If you have plenty of money (and plenty of time) you will probably visit him monthly, and when you face financial hardship, you will probably not visit him until you break a tooth. Today we can see a slight equilibration in the market: customers come for both proactive and reactive services.
F&S: Finally, Ilia, will you ever put yourself out of business? Can we ever root out cyber crime?
IK: I think I will always stay in business, as I am a person who cannot live without hard work. Regarding the cyber crime elimination … it is a rhetorical question. I don't think that we can ever root out cyber crime, as we cannot root out any other sort of crime. Humans will always stay human and try to exploit all possible types of “easy opportunities” to get rich. There is no system today that can totally prevent humans from committing crime—cyber or any other. Of course we should try to minimise cyber crime. However, if there is extreme poverty in some countries, inequality and unemployment in others, people will continue to commit crime.