Hacking or penetration testing is an art. It takes skill, creativity, spontaneity, determination. One doesn’t just wake up one day and say I’m going to be a pen tester, go get a job and be wildly successful. It takes years of hard work to understand how infrastructure, applications, data and people form a cohesive system.
It takes someone with...ahh who am I kidding. All it really takes to be a successful hacker or penetration tester is the ability to be friendly, act like you belong and simply ask for access to a system. Case in point. At Pratum our team of consultants has successfully completed several social engineering attacks for clients recently.
Getting access to a secured facility, not just one but two and three layers deep, was as easy as holding the door for a nice woman who brought bagels in for her co-workers and simply had her hands full. Or, you can walk in, greet the receptionist, and proceed to step on the elevator with everyone else until you find a secure floor you like. From there it’s as simple as finding an open conference room and jacking into the trusted network to hack it from the soft gooey center.
My point is this. Hacking takes a lot of time and skill, unless your organization has users who are too trusting. Users who invite attackers in and give them the keys to the kingdom make it so easy that even unskilled hackers will be able to bring your organization to its knees.
Companies must train their workers to be suspicious of unrecognized faces in secure areas. Someone who is good at social engineering is going to look like they belong. They may even start up conversations, join in a potluck or ask for directions. Looking for the person lurking in the shadows doesn’t work. They’re not hiding there. They’re hiding in plain sight. Yes, it might upset your company culture if people start asking too many questions of those they don’t recognize. But which would you rather have, a company that needs some help adjusting to a different culture or a company that has to fight for revenue after a social engineering attack? And here’s a crazy idea: getting to know strangers at our place of work might actually be a good thing. Who’d have thought?
After years of being thought of as a mere annoyance, data security is finally getting some attention in board rooms of the world's largest companies. According to the 12th annual Law and the Boardroom Study by Corporate Board Member and FTI Consulting, data security is the number one legal concern. The study shows 48% of corporate directors and 55% of general counsel rate data security as their biggest area of risk and concern. This is double the rate from 2008.
While it is easy to say something is your top fear or concern, it's not always as easy to address it. Will corporate cultures change? Will funding magically appear to address the issues at hand? Will shareholders tolerate a hit on profits in order to reduce risk? Only time will tell. At least the conversations will be getting more time on the agenda and the people who can actually make a difference will be listening. It's a start.
A recent survey completed on behalf of The Hartford shows that small businesses in general still don't do much in terms of information security and privacy. There is still an "It won't happen to us" mentality in the small business community. This is despite evidence from sources such as the Verizon Data Breach Report that shows small businesses are increasingly being targeted in cyberspace.
Here are three reasons why small businesses are often targeted.
They Are Easy Targets - With minimal security in place, breaking in is easy. Most crime is about opportunity. If you make that opportunity low risk and not difficult, you've written an open invitation to be hacked, regardless of whether you think you have anything of value. I guarantee you do have something of value. The simple processing power of your computers is of value to a botnet.
Little Chance of Being Caught - Without proper security in place there can be little to monitor and evaluate if a breach has occurred. Look at it this way. A barn in the country with no telephone lines, no lights or electricity for an alarm system would be a low risk target for those worried about being caught. If attackers know you're not monitoring for suspicious activity they become very interested. And if they are successful but nothing changes, they'll be back. Over and over and over and over again.
You Have What They Want - Sensitive customer information such as names, ages, birthdates, social security numbers, account numbers, credit card numbers and medical histories is typical fodder for data thieves. But wait, there's more. Private company information such as salaries, customer lists, intellectual property, R&D documents and source code is just as popular. Even if you have none of this, hackers still need one thing you do have: computers. They need your processing power and internet bandwidth to sustain their hacker networks. They can take control of your systems and use them whenever they want.
What should small businesses do then? The first step is to implement basic security practices. Talk to your IT providers, use free government resources, have a conversation with a security consultant, listen to a webinar. Taking the first step is key. Knowledge is power. You may find that reducing your risk to a more acceptable level is a lot less expensive than you think. Being unprepared for and unable to thwart a cyber attack could cost you your business. Doesn't that justify at least an hour of your time?