There is only one true way to know if your computer system is vulnerable to an outside threat—to be the victim of a cyber attack. Not awesome. But what if there was a better way? What if you were the one attacking … yourself?
That would make you an ethical hacker: someone who systematically attempts to infiltrate a computer system or network through its vulnerabilities, just as a hacker would, but on behalf of a company’s owners.
Ethical hackers, also known as White Hat hackers, use the same methods and techniques to test and bypass a system’s defenses as their criminal counterparts would, but rather than exploiting the weaknesses they find (for example, to deploy ransomware; see our previous blog post on cyber attacks), they document them and provide actionable advice on how to fix them.
An ethical hacker uses all or some of these strategies to penetrate a system:
- Scanning systems to find open ports
- Examining patch installations
- Tricking employees into sharing passwords
- Evading IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), honeypots, and firewalls
- Bypassing and cracking wireless encryption, and hijacking web servers and web applications
The Skills To Be A Hacker
Businesses and government-related organizations are so serious about hiring ethical hackers that an entire industry has opened up to train them. An online search for “Ethical Hacker Degrees” reveals numerous degrees and training programs. The International Council of Electronic Commerce Consultants (EC-Council for short) offers the Certified Ethical Hacker (CEH) certification, currently the industry standard, where students learn about viruses and Trojans, identity theft, attack tools, countermeasures, and much more.
In addition to technical expertise, ethical hackers also need people expertise. According to a PC World (pcworld.com) article, How To Become an Ethical Hacker, “Ethical hackers also need street smarts, people skills, and even some talent for manipulation, since at times they need to be able to persuade others to disclose credentials, restart or shut down systems, execute files, or otherwise knowingly or unknowingly help them achieve their ultimate goal.”
A Hacker’s Bag of Tricks
People are the greatest security risk to any application. The more people who have access to a system, the more opportunities there are to exploit one of them. Finding and exploiting vulnerabilities is often a matter of trickery and of taking advantage of laziness, kindness and ignorance.
For example, many organizations insist on passwords being changed every ninety days. Since it is hard to keep inventing new passwords, such policies actually encourage easy-to-guess, poorly constructed passwords that end up shared by multiple users. A hacker can go to a login portal used by many users and try just one password against every user. This sidesteps the problem with the common brute-force technique of trying many passwords against a single user name, which quickly locks the account out after too many failed attempts; spread across hundreds of accounts, each account sees only a single failure. On a blog for the internet security company peoplesec.org, one ethical hacker describes how he used a common Outlook app to guess a single password against 800 different user accounts. Fifty of the accounts matched, fifteen with VPN access and two with local admin access. The ethical hacker then used the same password to gain access to the entire system, and from there he could do anything he wanted. The entire process, start to finish, took less than three hours.
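Because a one-password-against-everyone attempt never trips the per-account lockout, defenders have to count the other way round: distinct accounts failing from one source. The detector below is an added example written for this post, not code from the peoplesec.org write-up; the authentication log format and the sample lines are constructed, and the window and threshold values are assumptions you would tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): 203.0.113.7 fails once against
# five different accounts in seconds and then succeeds on a sixth, while
# 198.51.100.20 is an ordinary user mistyping their own password.
SAMPLE_LOG = """\
2017-10-02T09:00:01Z auth FAIL user=abrown src=203.0.113.7
2017-10-02T09:00:03Z auth FAIL user=cdavis src=203.0.113.7
2017-10-02T09:00:05Z auth FAIL user=ejones src=203.0.113.7
2017-10-02T09:00:07Z auth FAIL user=gkhan src=203.0.113.7
2017-10-02T09:00:09Z auth OK   user=hlopez src=203.0.113.7
2017-10-02T09:00:11Z auth FAIL user=jmiller src=203.0.113.7
2017-10-02T09:05:00Z auth FAIL user=abrown src=198.51.100.20
2017-10-02T09:05:30Z auth FAIL user=abrown src=198.51.100.20
2017-10-02T09:06:00Z auth OK   user=abrown src=198.51.100.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Turn the constructed log lines into (timestamp, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: distinct_users} for sources that fail against at least
    min_users different accounts inside one sliding window (assumed values)."""
    fails = defaultdict(list)                     # src -> [(ts, user)]
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # slide the window forward
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = len(users)
                break
    return alerts

def successes_from_flagged(events, alerts):
    """Accounts that logged in from a flagged source: review these first."""
    return sorted({u for _, result, u, src in events if result == "OK" and src in alerts})
```

Run against the sample, the spraying source is flagged with five distinct accounts while the legitimate user with two failures is not, and `hlopez` is surfaced as the account that accepted the guessed password.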
The same hacker describes calling a law firm’s help desk technician, pretending to be one of the firm’s partners and complaining that he couldn’t run an application at home. Without prompting, the help desk technician shared his own user name and password for the ‘partner’ to use instead. With this information, the hacker soon had control over the entire network. Concludes this hacker, “I’d be shocked if more than 10% of enterprises exercise, measure and report the human readiness underlying more than a few of their cyber policies.”
But the most common way to gain access through users is with phishing emails. These can encourage people to respond to a fake DocuSign request, download a patch that is actually a virus, or visit a site that requires password and user name entry (also an easy way to gain access to a bank account or credit card account, as most people re-use the same combination across numerous sites). It’s been reported that, “two-thirds of electronic espionage cases can be traced back to phishing,” and “23 percent of recipients open phishing messages, and 11 percent open attachments,” numbers which are alarmingly high.
It’s Not Ethical To Wait
According to a post on thenextweb.com citing reports on U.S. News and the Ponemon Institute, “Hackers have cost the global economy an estimated $575 billion in 2014 or 0.8 percent of global GDP. Further, in 2015 the average breach at a U.S. company cost 6.5 million dollars.”
Waiting until you have a cyber problem is the wrong time to fix it. Training your team on best practices is as vital as having the right policies in place. We’ve mentioned many threats and solutions in previous blog posts, such as those easily fixed through timely security patches, those exemplified by the recent Equifax breach, and the importance of email security and back-up protection. All are important, and easily implemented.
At Single Path we can provide the guidance and training you need, a plan to keep your organization safer, and supply all your comprehensive IT security needs, from managed firewalls to risk assessment.
Learn more about how Single Path’s Security Offerings can help you create a cyber strategy your business can live with.