Sunday, July 19, 2015

The Reality of Hacking

We no longer rely on padlocks and safes to protect our documents; instead we use passwords to protect our finances, our livelihoods and our most precious information, which means that, in practice, we rely on secrets to protect ourselves.

Hollywood portrays hackers as cool, mysterious and mostly nerdy characters who speak techno-babble no one really understands, able to connect to any computer system over a network, find a vulnerable entry point and steal all the data they need in a few minutes.
The reality is quite different. Even with the most advanced hardware and software at his disposal, a hacker could spend years trying to brute-force his way into a well-run computer network and find a usable username and password combination, mainly because login systems lock out or slow down repeated failed attempts, and because passwords that have been properly stored by the network administrators cannot simply be read back, even from a stolen database.
Just like in a game of cat and mouse, hackers keep finding new ways in, and today most breaches happen only after some insider knowledge has been gained or after someone has been tricked into divulging confidential information. The most common form of attack today happens over the phone, using a technique called pretexting: the attacker invents a pretext, a plausible story, such as impersonating an IT administrator and asking a relatively junior employee for his username and password. In more elaborate ploys the attacker physically enters a building disguised as an authority figure, such as an insurance inspector, and gains access to documents which might include administrator codes that eventually lead to a point of entry into the computer network.

This process is now generally referred to as social engineering, and it involves some element of human interaction before a computer system is breached. Instead of the skills normally associated with IT specialists, social engineering relies mainly on psychological principles: impersonation, manipulation and the exploitation of cognitive biases to one's advantage.
Computer security experts spend a lot of time ensuring that their networks are impenetrable, but in reality few companies, especially locally, are aware of such ploys, and they rarely take counter-measures such as training their personnel to ensure they don't fall prey to them.

In the early days of computers, mainly the 1970s and 80s, hackers were mostly amateurs, curious to see how far they could go, and most had no real intention of using the data they managed to steal. Today, however, hacking has become a billion-dollar business: the cyber-espionage industry is booming, and competing firms might engage hackers to steal your data and use it to their advantage. This does not mean that your competitors know they are doing something illegal, as most don't even realise they are indirectly employing the services of hackers. Some hackers advertise their services as research consultants and promise competitive analysis of sales figures and plans without divulging how they actually acquire such sensitive information; in the most elaborate ploys they even manage to play two rival organisations against each other.
Some companies don't even realise they have been hacked and lost data, while others who do notice the breach might not report it, wary of the bad publicity for their organisation.
Many local business directors think that, just because Malta is considerably smaller than other countries, we are immune to such attacks. Nevertheless, breaches have been recorded here in the past, and some of the attempts were quite elaborate and carried out by foreigners with extensive experience in this illicit trade.
One must also ensure that employees and administrators do not open themselves up to blackmail or become targets. For example, an employee with a gambling problem who runs up large debts might become an easy target for a competing company offering to pay off his loan sharks if he divulges confidential business data, while an employee with a drinking problem might become talkative and brag about information in his possession.
The first step someone running a business should take is to ask which information, if divulged, would hurt the organisation, and so identify the top tier of confidential data. One might be surprised at how much of this data, such as sales projections and client lists, is scattered across different computers; it is a good idea to store such priority data in one centralised location, where it can be better secured. It makes no sense to invest in the latest servers and IT security while your employees copy data onto USB drives, take it home and save such files on various personal computers which are far more vulnerable to attack.
The second step is to instruct all employees never, under any circumstances, to divulge a password or other sensitive information over the phone; to ask everyone to change their passwords every few weeks; to ensure that everyone entering the building is duly registered and issued an internal identification tag; and, most importantly, to ask employees to stay alert and never let their guard down. This should at least provide a first line of defence against a potential attack.
These steps might sometimes be inconvenient or tiresome, but we must insist on security over convenience; otherwise we might as well leave our doors open to anyone wishing to stick his nose in and take a sniff around.

A third step involves testing your own security procedures by engaging a white-hat hacker, someone trained in computer security and social engineering, to evaluate your systems and see whether he is able to 'steal' some of your sensitive information. This will allow you to take remedial action afterwards and close any loopholes or weak points in your overall structure.


Notice: This article was originally published in the Sunday Times of Malta, TechSunday Supplement, 19th July 2015. Written by Ian Vella. The article is republished here for information purposes only; copyright is shared between the author and the editor, so republication is not allowed unless written consent is obtained from all parties.
