Monday, September 24, 2018
With this in mind, we conducted an exclusive interview with an "ethical hacker"—an information security expert who, with companies' permission, attempts to penetrate systems to assess them for vulnerabilities that could be exploited by malicious hackers. Here, from our question-and-answer session, is what companies need to know about hacking.
Q: What methods do hackers use in order to compromise organizations' systems?
A: Social engineering and phishing are the most common; it is far easier than looking for network vulnerabilities when the objective is to infiltrate a company's system. In some cases, hackers engage in social engineering and phishing by sending a mass email to a group of employees, asking them to click on a link to a page where they will provide information that will allow them entrée into a company's system. But more commonly and for the same purpose, they will use information found elsewhere—on social media sites like Facebook, Instagram, and Twitter—to create tailored emails for tailored phishing attacks. People tend to open these emails more readily because they appear to come from a legitimate source—a source whose information hackers have found utilizing social media. In both situations, hackers will create a sense of fear and urgency, using phrases such as "Can you look at ___?" or "Help me by clicking this link."
Hackers also use the fear and urgency ploy in social engineering that happens on the telephone. Here, they use information found on business cards, LinkedIn, and other social media to contact an employee of the targeted company and pose as another employee or as a manager looking for assistance in accessing the organization's website or system. They often ask what the employee can see on his or her end or what he or she is working on in a bid for "help" in accessing the system.
Then, there is the "phishing in the middle" attack. To carry it out, hackers create a fake email from an outside entity—one that does not look like the phishing emails described above—and send it to an individual at a targeted company—the "middleman," so to speak. Clicking a link in that email generates a mass phishing email to other employees of the company that appears to come from the "middleman," but is really hackers' entrée to the company's system.
Another method harnessed by hackers to infiltrate companies' systems involves the use of a fake email that directs employees to a "mandatory online security training" course. Once the course is completed, employees are directed to a survey about the course or to install a program to certify that they have taken it; these are intended to "grab" employees' credentials so that the hacker in question can get into the system.
Other phishing schemes include the sending of emails informing employees that their credentials have been changed or that new stock or benefits packages are available, and requesting that they click on a link to view their updated domain name and password or the new benefits. Doing so places employees' credentials directly under hackers' noses.
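The cues the interviewee lists for the email lures above (urgency and fear language, a request to click a link, and a sender who claims to be a colleague or manager) can be turned into a simple gateway-side score. The following is an added example written for this page, not code from the interviewee or any product; the internal domain `example.com`, the look-alike domain `examp1e-corp.com`, the sample messages and the phrase lists are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Cue lists assumed for this example; drawn from the lures the interview describes.
URGENCY_PHRASES = (
    "can you look at",
    "help me by clicking",
    "urgent",
    "immediately",
    "as soon as possible",
    "your credentials have been changed",
)
CLICK_REQUESTS = ("click this link", "click on the link", "click here", "view your updated")
INSIDER_CLAIMS = ("i work with", "your manager", "from the it department",
                  "security training", "benefits package")
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Message:
    sender: str   # From: address as seen by the mail gateway
    subject: str
    body: str


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_message(msg: Message, internal_domain: str) -> Verdict:
    """Return a cue-based score; a higher score means more phishing indicators."""
    text = f"{msg.subject}\n{msg.body}".lower()
    verdict = Verdict(score=0)

    # 1. Fear / urgency wording ("Can you look at ...?", "Help me by clicking ...").
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        verdict.score += 2
        verdict.reasons.append(f"urgency/fear language: {hits}")

    # 2. The message wants the reader to follow a link.
    if any(p in text for p in CLICK_REQUESTS) or LINK_RE.search(text):
        verdict.score += 2
        verdict.reasons.append("asks recipient to follow a link")

    # 3. Claims to be a colleague/manager/IT but arrives from an outside domain.
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if any(p in text for p in INSIDER_CLAIMS) and sender_domain != internal_domain.lower():
        verdict.score += 3
        verdict.reasons.append(f"claims insider relationship but sent from {sender_domain}")

    return verdict


def is_suspicious(msg: Message, internal_domain: str, threshold: int = 4) -> bool:
    return score_message(msg, internal_domain).score >= threshold


# Constructed sample messages (hypothetical addresses and domains).
INTERNAL_DOMAIN = "example.com"
PHISH = Message(
    sender="bill.helper@examp1e-corp.com",
    subject="Quick favor",
    body="I work with Bill. Can you please check this link for me? "
         "Help me by clicking this link: https://examp1e-corp.com/review",
)
BENIGN = Message(
    sender="alice@example.com",
    subject="Friday lunch",
    body="The lunch menu for Friday is attached. Let me know what you would like.",
)
INTERNAL_TRAINING = Message(
    sender="helpdesk@example.com",
    subject="Mandatory online security training",
    body="Please complete the course at https://training.example.com/course by Friday.",
)

if __name__ == "__main__":
    for m in (PHISH, BENIGN, INTERNAL_TRAINING):
        v = score_message(m, INTERNAL_DOMAIN)
        print(f"{m.sender:35} score={v.score} suspicious={is_suspicious(m, INTERNAL_DOMAIN)} {v.reasons}")
```

The third cue only helps if the gateway has already validated the sender domain (SPF, DKIM and DMARC); without that, a spoofed internal From: address passes the check, which is exactly why the interviewee still wants employees trained to question "training" and "benefits" links even when they appear to come from inside.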
Q: How do hackers leverage Facebook, Instagram, and other social media to achieve their goals?
A: Hackers use Facebook, Instagram, and other social media to obtain a raft of personal information they can use to target employees, as well as to tailor phishing emails to particular individuals. They also rely on social media, especially Instagram, to find pictures that give them more insight into their targets—for example, what they like to do in their spare time, what type of pets they have, and even images of targets' badges. Additionally, social media is a good source of pictures of companies. From there, hackers can find out a lot about companies, specifically the types of systems they use and the way their facilities are laid out. It makes it easier for them to plan virtual and physical infiltrations.
Q: What are the specific things hackers look for on social media?
A: In addition to photographs, hackers look for workplace information, names of friends and business connections, telephone numbers, email addresses, birthdays, anniversaries, names of family members, details of activities and group affiliations—anything that can be used to get them an "in" in the schemes described above. On LinkedIn, specifically, they try to find the chain of command within the companies they are targeting, so that an email from a "manager" or superior looks legitimate.
Q: What is the lowest-hanging "fruit" hackers try to pick that they may not have thought of?
A: Any information that is posted on social media profiles is it, because as described above, it can so easily be used to give hackers an advantage. This includes birthdays, anniversaries, kids' names, kids' birthdays, and pets' names, as well as the work-related information found on LinkedIn. Companies cannot always tell employees what they can and cannot post—they can ask that their name not be on employees' Facebook page, but probably cannot say anything about revealing birthdays. However, they can suggest using caution.
Q: How do hackers gain credibility with the people with whom they are communicating?
A: It is easy. Just the way I described above, they scour social media, like LinkedIn, to find out with whom the person they are targeting works. Then they refer to that person in the conversation. For example, if they have found out that an employee's manager is named Bill, and they want to get into a company's system, they will write in an email, "I work with Bill. Can you please check this link for me?" Or, they will see into which department an employee's responsibilities fall and find out on social media who is in charge of that department, and use his or her name in the communication.
Q: What about physically infiltrating a facility? What common methods of infiltration typically work?
A: Hackers always look and act like they belong. For example, if they are walking into a facility's lobby, they just follow the crowd, without hesitating and looking straight ahead. If there is some type of physical security in place—like a door or entryway that can only be opened by swiping a card or badge—they will go through with someone else. This is easy, because most people are polite and will hold a door, and it even works at government agencies and big companies that have not put an extra measure in place, such as looking at IDs up close.
It's important to point out that requiring employees to wear ID badges at all times isn't foolproof. Hackers are very good at making counterfeit badges, which they can easily do by using images of employee badges posted on social media. All that is necessary is to swap out the employee's name for their own name.
Q: What techniques do hackers use when speaking in person with a company receptionist or employee?
A: They try to create a rapport with the person, possibly using the information they have found on social media. For example, they will try to talk about sports if they have seen on social media that the person enjoys sports. This helps them gain the person's trust and get him or her to do what they want, whether it's providing physical access to a company's system, revealing a password, or something else.
Hackers may also attempt to generate a sense of urgency or fear, in the same way they do on the telephone. In this case, they will pose as an employee from another office, or as an outside service person, and say they need help accessing the company's system or something of the kind.
Q: What is the easiest method used by hackers to infiltrate a data center?
A: A hacker would act as a technician would, gaining physical access by saying they are from a computer company and are there to check the temperature in the data center, or to look at connections to secondary equipment—any nonsense that references equipment and sounds real. If asked, they will use a false company name, usually one that includes a reference to technology, such as "Tech Serve." This strategy works 99 percent of the time.
Q: What are some of the simplest things companies can do to foil hackers, but may not think of doing?
A: Proper security awareness training is critical in preventing data breaches. Teach employees what malicious emails and phishing attacks look like and things to look for, such as obvious grammatical errors and misspellings or mentions of association with other employees or managers whose names they do not recognize. Instruct them not to click on any links.
Setting company password safety practices is also important. Passwords should be a good 10 to 12 characters long, with a mix of upper- and lower-case letters, numbers, and special characters. They should never contain the company's name or the season (e.g., "fall 2018"). If employees are choosing their own passwords, instruct them not to use information that can be found on social media (such as a birthday, anniversary, or pet's name) and that should not be there in the first place. The more employees companies have, the more difficult it will be to ensure proper security awareness training, but it is a must anyway.
Ensuring that employees have access only to the data they need to do their jobs is important, too, so be certain to segment data into silos that cannot be "touched" except by employees who require it. Employees in the marketing department, for example, should not be able to access the personnel database.
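The password rules given above (length, character mix, no company name, no season such as "fall 2018", nothing that can be read off a social media profile) can be enforced at password-change time rather than left to memory. Below is an added example written for this page, not the interviewee's or any vendor's code; the company name `Acme`, the pet name and birthday used as sample facts, and the minimum length of 10 are assumptions chosen for illustration.

```python
import re
from datetime import date

SEASONS = ("spring", "summer", "fall", "autumn", "winter")
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def _normalize(text: str) -> str:
    """Lower-case and drop everything except letters and digits, so that
    'Fall 2018', 'fall-2018' and 'FALL2018' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def date_variants(d: date) -> set:
    """Spellings of a date that people actually type into passwords (normalized).
    Assumed list; extend it with whatever formats your users favour."""
    formats = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%m%d", "%d%m",
               "%b%d", "%d%b", "%B%d", "%B%Y", "%Y")
    return {_normalize(d.strftime(f)) for f in formats}


def check_password(password: str, company_name: str, personal_facts=(), min_length: int = 10) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    personal_facts holds strings (pet names, family names) and datetime.date
    objects (birthdays, anniversaries) that an attacker could find on social media.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")

    # Character-class mix required by the policy.
    classes = {
        "no lower-case letter": any(c.islower() for c in password),
        "no upper-case letter": any(c.isupper() for c in password),
        "no digit": any(c.isdigit() for c in password),
        "no special character": any(c in SPECIALS for c in password),
    }
    violations.extend(msg for msg, ok in classes.items() if not ok)

    norm = _normalize(password)

    # Company name anywhere in the password, in any casing or spacing.
    company = _normalize(company_name)
    if company and company in norm:
        violations.append("contains the company name")

    # Season names ("fall 2018" style passwords); deliberately conservative,
    # so "waterfall" is flagged too.
    if any(season in norm for season in SEASONS):
        violations.append("contains a season name")

    # Anything that could be read off a social media profile.
    for fact in personal_facts:
        variants = date_variants(fact) if isinstance(fact, date) else {_normalize(str(fact))}
        if any(len(v) >= 3 and v in norm for v in variants):
            violations.append(f"contains personal information ({fact})")

    return violations


if __name__ == "__main__":
    # Constructed sample facts: a pet called Biscuit and a birthday of 14 May 1990.
    facts = ["Biscuit", date(1990, 5, 14)]
    for candidate in ("Fall2018!!", "Acme#Rocks2024", "Biscuit!May14x", "Ab1!", "Tq7$hv!Lm2wR"):
        print(f"{candidate:16} -> {check_password(candidate, 'Acme', facts) or 'OK'}")
```

The personal-facts check only works if the directory holds those facts, which is the point the interviewee makes: if a pet's name or birthday is public enough to be on Instagram, it is public enough to be guessed, so the policy engine has to know it too.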
Q: What should companies do first if they know or suspect that a data breach is occurring or about to occur?
A: If it is a remote breach, start to unplug all the systems and report the suspicions or occurrence to security. Try to find out who received a suspicious email and who clicked on it, and isolate it before it spreads. If credentials have been phished and it is impossible to detect who clicked a suspicious link, it may be a best practice to reset everyone's credentials immediately. Whatever the situation, it is imperative to work very quickly.
If it is a physical infiltration, ask the person who he or she is and why they are there. Follow them around. When in doubt, ask them to leave.
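The remote-breach steps above (find who received the suspicious email, find who clicked, isolate those machines, and reset everyone's credentials when the clickers cannot be identified) map onto two log sources most organizations already have: the mail gateway delivery log and the web proxy log. The following is an added example for this page, not the interviewee's procedure in code form; the log formats, the message id, the internal domain `example.com`, the look-alike host `examp1e-corp.com` and every log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed mail gateway delivery log (hypothetical key=value format).
MAIL_LOG = """\
2018-09-24T08:01:12 deliver msgid=<phish-001@examp1e-corp.com> from=bill.helper@examp1e-corp.com to=alice@example.com subject="Quick favor"
2018-09-24T08:01:13 deliver msgid=<phish-001@examp1e-corp.com> from=bill.helper@examp1e-corp.com to=bob@example.com subject="Quick favor"
2018-09-24T08:01:14 deliver msgid=<phish-001@examp1e-corp.com> from=bill.helper@examp1e-corp.com to=carol@example.com subject="Quick favor"
2018-09-24T08:05:40 deliver msgid=<news-77@example.com> from=hr@example.com to=bob@example.com subject="Benefits update"
"""

# Constructed web proxy log. Every click is tied to an authenticated user here.
PROXY_LOG = """\
2018-09-24T08:03:05 user=bob host=10.0.5.23 dst=examp1e-corp.com url=https://examp1e-corp.com/review status=200
2018-09-24T08:03:30 user=alice host=10.0.5.11 dst=www.example.com url=https://www.example.com/ status=200
2018-09-24T08:09:15 user=carol host=10.0.5.40 dst=examp1e-corp.com url=https://examp1e-corp.com/review status=200
2018-09-24T08:09:16 user=carol host=10.0.5.40 dst=examp1e-corp.com url=https://examp1e-corp.com/login status=200
"""

# Same log plus one request the proxy could not attribute to a user (user=-).
PROXY_LOG_UNATTRIBUTED = PROXY_LOG + (
    "2018-09-24T08:12:00 user=- host=10.0.7.9 dst=examp1e-corp.com url=https://examp1e-corp.com/login status=200\n"
)

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|<[^>]*>|\S+)')


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}


def recipients(mail_log: str, msgid: str) -> set:
    """Everyone the gateway delivered the suspicious message to."""
    return {rec["to"] for rec in map(parse_line, mail_log.splitlines()) if rec.get("msgid") == msgid}


def link_clicks(proxy_log: str, phishing_host: str) -> dict:
    """Map each user who reached the phishing host to the workstations they used.
    Requests the proxy could not attribute (user=-) are collected under key None."""
    clicks = defaultdict(set)
    for rec in map(parse_line, proxy_log.splitlines()):
        if rec.get("dst") == phishing_host:
            user = rec["user"] if rec["user"] != "-" else None
            clicks[user].add(rec["host"])
    return dict(clicks)


def triage(mail_log: str, proxy_log: str, msgid: str, phishing_host: str, internal_domain: str) -> dict:
    """Produce the first-hour decisions: who got it, who clicked, what to isolate,
    and whether the credential reset can be targeted or must cover everyone."""
    got_it = recipients(mail_log, msgid)
    clicks = link_clicks(proxy_log, phishing_host)
    isolate = set().union(*clicks.values()) if clicks else set()
    clicked_users = {u for u in clicks if u is not None}
    # If any click cannot be tied to a person, we cannot know who was phished,
    # so the safe answer is to reset every account.
    if None in clicks:
        reset = "everyone"
    else:
        reset = sorted(f"{u}@{internal_domain}" for u in clicked_users)
    return {
        "recipients": sorted(got_it),
        "clicked": sorted(clicked_users),
        "isolate_hosts": sorted(isolate),
        "reset_credentials": reset,
    }


if __name__ == "__main__":
    for log in (PROXY_LOG, PROXY_LOG_UNATTRIBUTED):
        print(triage(MAIL_LOG, log, "<phish-001@examp1e-corp.com>", "examp1e-corp.com", "example.com"))
```

The isolation list is keyed on workstations rather than users because a phished credential is only half the problem; the machine that loaded the page may also have run whatever the page served, and it should be off the network before anyone starts the credential reset.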