Ethical Hacking Course in Delhi from APTRON Delhi's blog




Reflections Of A Former Hacker: How Leaders Can Protect Their Business From Cyber Threats

Mary Writz is VP of Product Management at ForgeRock, a global leader in digital identity.


Fifteen years ago, I was an ethical hacker, which means that it was my job to assess computer security systems by looking for weaknesses and vulnerabilities. Although technology innovations have rapidly evolved since then, most categories of cybersecurity vulnerabilities surprisingly live on.


OWASP, a consortium that tracks the top 10 cybersecurity risks present at any given time, recently shared that many of the vulnerabilities from 15 years ago still exist in the top 10 list. For example, injection vulnerabilities were ubiquitous when I led a global penetration testing operation years ago. Not only have we yet to eradicate the threat, but injection attacks still rank as one of the top three most common application vulnerabilities. From OWASP’s past findings, this is an alarmingly common story, with several kinds of vulnerabilities still prevalent today, including authentication issues.


As digital transformation and hybrid work-life present new opportunities for attackers, many older threats continue to cause problems for organizations. Business and security leaders should start resolving these problems by considering six key questions as they evaluate their organization’s security preparedness.


1. Are You Maximizing Your Security Basics?

More breaches than you might think happen because a hacker took advantage of a well-known security flaw. When building out your security posture, focus on the “easy wins” first. Incorporate patch management best practices, deploy multifactor authentication (MFA), filter out common bots and invest in solid inventory-tracking infrastructure and applications. Basic security hygiene impacts a significant percentage of your attack surface, and there are many resources that can help establish a solid baseline to keep your employees and users safe.


2. Have You Planned For The Worst-Case Scenarios?

Every business has the potential to get hacked, so every organization needs to prepare for worst-case scenarios. It is important to work across IT, security and business leadership teams to establish guidelines and procedures for responding to threats and creating solutions for recovery. Prepare by creating disaster recovery plans and testing them through tabletop exercises, where team members act out and discuss their roles in response to an emergency security situation.


Keep a record of the parts of the technology stack that are critical to your business (your organization’s “crown jewels”), then make sure you build a strategy and road map to give them the strongest possible protection. Finally, make sure to keep your communications plan up to date so you can update your customers and other important stakeholders as quickly as possible.


3. Do You Have The Best Security Team?

Hire great security people and invest in their career development. Talented people can be hard to find in today’s security landscape, but they are some of your best investments. Seek out sharp, eager people who have an intrinsic motivation to stay on top of the threat landscape, are enthusiastic about understanding your business and can develop solutions to help avoid threats.


4. Are You Plugged Into The Right Community?

One of the best ways to stay ahead of cyber threats is information sharing, which is key to understanding the latest threats and knowing how and where to look for them. Knowledge goes hand in hand with hiring the right people—invest the time into the right communities, and you’ll quickly learn about emerging threats, effective methods of prevention and new technologies that can help prevent or avoid threats. By staying connected, you can improve your organization’s cybersecurity knowledge so you can act earlier and more efficiently to help thwart attacks before they happen.


5. Are You Prioritizing Cybersecurity At The Right Level In Your Organization?

If anyone in your C-suite or board of directors doubts how much cybersecurity means for businesses in today’s hybrid work world, it’s time to educate them. Security breaches can cost companies millions of dollars; in 2021, my company’s Consumer Identity Breach Report revealed that an average breach can cost organizations upward of $8.64 million in the United States. But, beyond a dollar amount, a breach can negatively impact your organization’s long-term reputation with your customers. Customer loyalty is invaluable, and damage due to a security issue can be incredibly difficult to repair.


6. Can You Move Forward To Eliminate Passwords?

To date, the only time our industry fully eliminated a cyber threat was when the entire web moved to HTTPS, fixing transport layer security. This was a huge win for cybersecurity, and as more major tech companies see the value of shifting away from passwords, we are on the cusp of having an opportunity to kill another category of vulnerability: authentication issues.


Getting away from usernames and passwords and shifting to true passwordless technology has the potential to completely eliminate significant risk categories, such as password phishing and “man-in-the-middle attacks.” The technology exists to eliminate threats to identity today, including FIDO WebAuthn, and emerging technologies such as decentralized identity and digital wallets offer excellent alternatives. So it can be done.


By thoughtfully considering these questions, you can help protect your organization from the vulnerabilities that have caused organizations lost revenue, damaged reputations and many other challenges for nearly two decades.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.



Criminals Could Make Your Jacuzzi Evil And Fill It With Hot Stinky Goo, Says Hacker

A researcher has discovered a way to hack into smart Jacuzzis with a method that would give cybercriminals the ability to turn hot tubs against their masters.


An ethical hacker at EatonWorks discovered security flaws in the Jacuzzi SmartTub. Billed as a 'smart Jacuzzi', these hot tubs can be controlled with a smartphone, giving their owners the ability to play with settings from afar.


However, Eaton demonstrated that this connectivity also leaves the SmartTubs open to hacking from afar, with potentially mucky results.


Not only was Eaton able to get hold of private information about every single person who owned a hot tub, they also had the ability to revoke someone's ownership and take control of their jacuzzi.


Eaton told Motherboard that this method gave them dangerous power over the hot tubs, to the point where a hacker could permanently destroy them.


"As for remotely controlling tubs, I think the worst you could probably do is turn the heat all the way up and change the filtration cycles.


"Then in a few days you could have a hot, stinky soup. There are no chemicals to control—you have to do that by hand."


They added that "the amount of data I was allowed to see was staggering", but stressed that they did not personally take any action against users.


Could you truly relax in a hot tub if you knew a dastardly cybercriminal was controlling it?


Eaton tried to inform Jacuzzi about the vulnerability back in December, and finally went public with their findings this week.


Jacuzzi has since issued security patches to try and solve the security issues, which should hopefully prevent any hot tub owners from being attacked by hackers.


Eaton says that the exploits they used to get into the SmartTub have now been secured as a result.


Best Ethical Hacking Training Institute in Delhi: with the APTRON Ethical Hacking Course in Delhi, you get a certification that examines how well a student can use penetration testing tools to check computer systems and network security, and apply the same to ethical hacking. The Ethical Hacking Course in Delhi goes in depth into the techniques used by black hat hackers and demonstrates them in a lab-based 100% much-minded category.


By APTRON Delhi
Added Jun 28 '22
