Every discussion of cybersecurity descends, sooner or later, into a fog of words that only people who are cybersecurity experts understand. They can talk all day about cross-site scripting, SQL injection and buffer overflow vulnerabilities – and decision-makers will be none the wiser.
What’s missing is a shared understanding of – not what the bad guys are doing – but how they go about their work. When you understand how hackers work, decisions about what to defend and how best to defend it get easier.
Some of the hacker’s work is highly automated. Cybercriminals use tools such as Shodan – a search engine for web-connected devices – to scan the web and generate an extensive overview of everything from webservers to security cameras, webcams and printers.
For a 2018 study, security firm Cybereason set up a fake server known as a “honeypot” to log everything done to it by digital intruders. They created a company name, generated staff identities and simulated network traffic. It took only two hours from the moment the server went online for it to be discovered by an automated “bot” that set about taking it over. Fifteen minutes later, the bot used several known vulnerabilities to scan the simulated network, steal and dump credentials for other vulnerable (if fake) machines connected to the network, and create new user accounts that would have provided complete access to the real thing.
It’s a scary picture of automated combat. But as any cybersecurity expert will tell you, the biggest risks you face come not from robotic attack but from people who have painstakingly honed the skills needed to break into your digital domain and find your valuables. Here are three of the most common approaches that hackers take to identifying a target, finding its vulnerable points and launching an attack.
We have all had personal experience of phishing scams: the Nigerian prince or non-existent relative who offers you an absurd amount of money if only you will turn over your credit card information. Most are not very sophisticated, but they count on volume to make up what they lack in originality. Let’s say a phishing email goes to one million recipients, which is not difficult with the right technology. If just one-tenth of one percent of people fall for it and are duped out of an average of US$1,000 each, that’s a $100,000 windfall.
Hackers targeting a company are just as relentless but put far more effort into the work, whether they are being paid to break into the network, plan to sell the assets they find there, or intend to hold the company to ransom for its own files. A motivated hacker may spend months researching a target and preparing an approach before striking.
Hackers start by researching companies online, based on an article they read, a website they visited or even a sign on a building. From Google, LinkedIn, Facebook and other sources, it is relatively easy to identify people in the company and learn how they are related.
Let’s say a hacker is targeting a midsize company called Teleports International. From online research, the hacker identifies a technician there named Arnold Smith. Arnold’s LinkedIn profile confirms that he works for Teleports International and a Facebook post makes it clear that he will shortly be going on holiday. More LinkedIn searching finds other people at the company, including the operations director, Madeline Bond.
The hacker now has everything needed to go phishing. They create a Gmail account, firstname.lastname@example.org and write an email:
My corporate email isn’t working on my phone, so I’m sending this from my personal email. Your annual leave should be approved, but we need a few more details. Please fill out this form for me.
The important part of the message is the link. The first part looks legitimate, but the next part is where the danger lies. The hacker has bought the domain staff-organizer.com and created a web page that clones Teleports International’s internal portal. When Arnold clicks the link and logs in, the system sends his user name and password to the hacker. Once the hacker has Arnold’s login, it is little trouble to invade the system and really get to work.
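The point that “the first part looks legitimate, but the next part is where the danger lies” comes down to which part of a hostname actually decides where a link goes. The following is an added example, not code from the WTA article: a small Python check that extracts the registered domain of a link (the part just before the public suffix) and flags links that mention a trusted name without being on a trusted domain. The company domain “teleportsintl.example” is a placeholder invented for the example; staff-organizer.com is the domain from the story.

```python
"""Added example (not from the WTA article): classify links the way a mail
filter or a careful reader should, by the registered domain, not by the
familiar-looking text at the front."""
from urllib.parse import urlparse

# Domains the organisation actually owns. Constructed for this example;
# "teleportsintl.example" is a placeholder, not a real company domain.
TRUSTED_DOMAINS = {"teleportsintl.example"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'staff-organizer.com'.

    This simplification ignores multi-label public suffixes such as 'co.uk';
    a production check should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_verdict(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unknown'."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = parsed.hostname or ""
    if registered_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Not one of our domains, yet a trusted brand name appears in the
    # hostname or path: the impersonation pattern used in the story.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host or brand in parsed.path.lower():
            return "lookalike"
    return "unknown"


# Constructed sample links modelled on the article's scenario.
SAMPLES = [
    "https://portal.teleportsintl.example/leave/request",
    "https://teleportsintl.example.staff-organizer.com/login",
    "https://staff-organizer.com/teleportsintl/login",
    "http://example.net/news",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{link_verdict(sample):9s} {sample}")
```

The second sample is the trick the article describes: everything up to the first dot after “example” looks like the company, but the registered domain is staff-organizer.com, which is where the login form and the stolen credentials go.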
Re-Used and Weak Passwords
We are always being told not to re-use our passwords and to have strong ones with hard-to-remember strings of letters, numbers and symbols. But we are seldom told why.
Start by imagining that Evil B. Hacker has been hired to gain access to the email inbox of the CEO of a satellite antenna manufacturer, BigDish, without anyone knowing. The first step of the campaign is research. Searching the web for CEO Matt Longview, he finds social media profiles showing him to be an avid enthusiast for classic sports cars and that he posts often on a site called classycars.com. He even has a profile on that site, and it reveals his personal email address, email@example.com.
Because Evil is a professional, he has copies of the immense data files that other hackers have stolen and dumped onto the internet in recent years. Unfortunately for Matt, he uses Dropbox to share photographs and videos of cars he loves, and Dropbox suffered just such a hack some time ago. A search for Matt’s personal email address in one of Evil’s data dumps turns up a record with his Dropbox password, which is “favcars2012.” Now Evil is getting somewhere. He goes to Matt’s favorite website and logs in as firstname.lastname@example.org, with an updated version of the password: “favcars2019.” And it works on his first attempt: Evil is in Matt’s account and can view private messages going back years.
Having found a password that works, Evil does one last bit of research. He searches Google for “intext:@bigdish.com” and it turns up records of employees with their email addresses visible. All seem to have the same format: FirstName.LastName@bigdish.com. So he tries logging into BigDish’s corporate email system using email@example.com and the password “favcars2019.”
It works – because Matt made the critical error of re-using his password. Evil sends a copy of Matt’s most sensitive emails to his client on the dark web and gets a fat paycheck in return.
Does this series of events seem unlikely? Perhaps – but people who steal for a living work just as hard as those who don’t and can afford to dig deep on the web to find what they need.
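The step that makes the story work is that “favcars2019” is only a trivial tweak of the leaked “favcars2012”. The following is an added example, not code from the WTA article: a Python password-acceptance check of the kind a corporate login or password-change page can run, which rejects a new password if it appears in a breach corpus or is a simple variant (changed digits, leetspeak, trailing symbols) of one that does. The corpus here is a constructed four-entry stand-in; a real deployment would load a full breach list or query a k-anonymity lookup service.

```python
"""Added example (not from the WTA article): reject passwords that are
leaked, or are only a cosmetic variant of a leaked password."""
import re

# Constructed stand-in for a leaked-password corpus. "favcars2012" is the
# article's fictional password; the others are illustrative only.
LEAKED_PASSWORDS = {"favcars2012", "password1", "Summer2018!", "qwerty123"}

# Common substitutions people use to "strengthen" a password without
# really changing it.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def stem(password: str) -> str:
    """Reduce a password to its core: lowercase, leading and trailing digits
    and symbols removed, leetspeak undone. Two passwords with the same stem
    differ only in the ways people typically tweak them between sites."""
    core = password.lower()
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", core)
    return core.translate(LEET)


LEAKED_STEMS = {stem(p) for p in LEAKED_PASSWORDS}


def check_new_password(candidate: str) -> str:
    """Return 'ok' or a reason the password must be rejected."""
    if candidate in LEAKED_PASSWORDS:
        return "reject: leaked"
    if stem(candidate) in LEAKED_STEMS:
        return "reject: variant of a leaked password"
    if len(candidate) < 12:
        return "reject: too short"
    return "ok"


if __name__ == "__main__":
    # Constructed candidates, including the two from the story.
    for pw in ["favcars2012", "favcars2019", "P@ssw0rd!!", "Short1!",
               "tide-pool-granite-lantern"]:
        print(f"{check_new_password(pw):40s} {pw}")
```

The stem check is what catches Matt’s habit: “favcars2019” reduces to the same core as the leaked “favcars2012”, so the corporate account would never have accepted it in the first place.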
Social engineering is the cyber-term for using basic deception techniques to con people into providing access to your systems. It is distressingly easy for a social engineer with the right tools to penetrate your organization. What are those tools?
- A professional and charming nature
- Business attire
- A fluorescent vest, clipboard or tablet, and lanyard with fake ID
- A fake email from the CEO giving permission to be there
If a stranger turns up in your lobby and asks to look around the place, the receptionist is sure to say no. But if the same person walks in off the street in this gear, saying “I’m here for the safety audit of your data center,” the same receptionist may say yes. Not because she is dim-witted, but because she is human.
This is only one of many guises in which an attacker can approach and penetrate your physical defenses. They are limited only by imagination and our preference for trusting others.
Human beings are the biggest threat to the security of your enterprise network. Ironically, they are also its most vital defense. Technology will always play a role in cybersecurity, but the biggest contributor is a strong security culture within the company, built through required training that is regularly refreshed and a supportive and responsive IT department. An important element of that training is to make sure employees know what to do after they have made a mistake and don’t fear that they will be punished for it. A call to a manager or tech support right after that mistake can make all the difference between a major incident and a quick fix.
Robert Bell is executive director of the World Teleport Association. This article is adapted from “How Cybercriminals Break into Your Teleport,” published by WTA for the benefit of its members. More information at www.worldteleport.org/page/UpcomingRepts