Ethical Hacking Interview with Tony Gee Security Consultant

Tony Gee is a Security Consultant at Pen Test Partners which specialises in high-end penetration testing. Gee knows all the ins and outs of hacking into smart technology devices and IoT networks to identify real vulnerabilities.

He says: “Ethical hacking is less cloak and daggers and more legal vulnerability testing for our clients.”

“For broadcasters, cyber security should be a major concern…organisations are implementing smart devices without testing them, they’re opening up their entire content network to a real challenge.”

What does cyber war mean for broadcasters?
Broadcasters are increasingly adopting new technologies to ease workflows and automate processes. The internet of things (IoT) is far bigger than smart kettles and lights, on a consumer side, smart TVs and IPTV have become integrated into everyday life because it is cheaper and convenient.

The smart technology and IPTV integration has incredible benefits but the key to success is implementation in a secure way through trials and testing. Organisations that overlook due diligence put themselves, their assets and client data at risk.

A cyber security breach can be driven from malicious targeted software invasions or hacking groups obtaining sensitive and or valuable information to be held for ransom. The exploitation of media assets from broadcaster networks can lead to significant risks.

Broadcasters store valuable media within its networks and a simple compromise can exploit that content which ultimately has a destructive impact financially and reputationally.

What kind of security breaches commonly occur?
The biggest breach in recent times is certainly the attack on Yahoo which was allegedly performed by nation state hackers who compromised the security of 3.5 billion user names and affiliated passwords. It is certainly the largest breach in history and has helped organisations recognise the importance of cyber security safety.

At a simplistic level, poor passwords and lack of antivirus software are the primary issues. Choosing good passwords is the number one entity to help guard against security breaches. Password managers really can help and I would advise organisations to allow end users to create strong passwords, it means those passwords are secure and efficient.

Often people are reusing the same password across various accounts, if this is compromised it takes a simple network hack to run the same password through different websites. We saw this with Uber, when users had their accounts compromised, they didn’t have their money refunded as Uber classified the breach a direct result of poor password strength.

Failure to keep software and antivirus scans up to date is the other main issue that opens up systems for security breaches. Use adblockers because they’re a good control to help limit viruses from malicious advertisements.

How can firms mitigate against cyber security issues and breaches?
Good security hygiene is fundamental to all organisations and ensuring this knowledge is filtered down to all employees. From a business perspective, investing in cyber security resources and insurance coverage that is a benefit to the entire supply chain of the organisation should be a priority. This helps to offset risk and prevent cyber breaches.

Make sure your staff are aware of cyber security, this can be more difficult in larger organisations but ultimately it will help teams to be more reactive as the staff body are the eyes and ears of the business. Staff training should be a mandatory requirement not from a compliance perspective but from a risk point of view.

Organisations should undertake traditional security testing against web applications and IT infrastructure and seek accreditation against Cyber Essentials and if smart devices are employed check the security reviews and perform security testing.

Companies as a whole should undergo more testing of software and procedures particularly to simulate real world attacks with traditional and new business workflows.

What are the best defence and response techniques?
In addition to general security hygiene and password protection, due diligence is always the best to defence and we are seeing organisations to having a requirement to check technology, staff and software systems before installing and throughout the implementation lifecycle.

Separate from the broadcast network, I would always suggest password managers are used to make the most of strong formats to test the strength of passwords.

One common oversight is the ease of transferring bugs and malware through portable storage devices whilst transferring content. Making sure these devices are approved and IP systems are authorised and used for the purposes required.