At CompTIA’s 2017 EMEA Member and Partner Conference in London, where the international IT channel gathered to gain insight on industry trends and technologies, Andrew Bassi from IntaForensics, a world leader in payment security, took attendees on a whirlwind tour of the dark arts of hacking and social engineering.
From an exposition of the methods of malicious hackers to a live demo of a cyber-attack based on a recent real-world case, the session highlighted the insider threat to businesses, large and small, from the most mundane of employee practices. The key theme to emerge was that the most effective hackers exploit simple human kindness and trust, and our failure to apply the same caution to the virtual world that we apply to the physical world.
Taking Advantage of the Good Samaritan
Attendees witnessed a mock cyber-attack on a business that exploited an honest employee, based on a recent real-world scenario and a real vulnerability in an operating system used by many businesses, large and small.
The employee discovered a lost set of house keys with a USB drive attached and inserted the drive into his office PC to see whether anything on it might identify the owner. One of the files he opened appeared to be a JPEG picture but was, in reality, a disguised piece of malware that opened a backdoor for a hacker. The hacker was then able to install a piece of trampoline code on the employee’s PC, which exploited an unpatched flaw in Windows to gain privileged access to confidential computer files and systems without the user’s permission.
Because the malware encrypts itself, its signature cannot be detected by anti-virus software, although its behavior might be detectable. The hacker was able to show how fast he could use this exploit to gain access to everything from cached passwords to confidential business documents stored on the employee’s PC.
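How the picture in the demo was disguised is not stated. As an added illustration (not code from the talk or from IntaForensics), the check below assumes the common case where a file's name claims an image but its leading bytes or a second extension say otherwise. The sample files are constructed and all function names are hypothetical.

```python
import os
import tempfile

# Well-known leading "magic" bytes for a few file types.
MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"MZ", "windows-executable"), (b"\x7fELF", "elf-executable")]
IMAGE_EXTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}
RISKY_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk", ".js", ".vbs", ".bat"}

def sniff(path):
    """Classify a file by its first bytes, ignoring its name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return next((kind for magic, kind in MAGIC if head.startswith(magic)), "unknown")

def audit_file(path):
    """Return the reasons a file's name disagrees with its content."""
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    inner = os.path.splitext(stem)[1]      # e.g. ".jpg" in "photo.jpg.scr"
    kind, findings = sniff(path), []
    if ext in IMAGE_EXTS and kind != IMAGE_EXTS[ext]:
        findings.append(f"extension {ext} but content is {kind}")
    if ext in RISKY_EXTS and inner in IMAGE_EXTS:
        findings.append(f"double extension {inner}{ext}")
    return findings

def audit_tree(root):
    """Walk a directory (e.g. a mounted drive) and report only mismatches."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            reasons = audit_file(os.path.join(dirpath, fn))
            if reasons:
                report[fn] = reasons
    return report

def build_sample(root):
    """Write constructed stand-in files: one real JPEG header, two disguised."""
    samples = {"holiday.jpg": b"\xff\xd8\xff\xe0", "owner.jpg": b"MZ\x90\x00",
               "address.jpg.scr": b"MZ\x90\x00"}
    for name, head in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(head + b"\x00" * 16)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, why in sorted(audit_tree(d).items()):
            print(f"{name}: {'; '.join(why)}")
```

A mismatch is a triage signal rather than a verdict: a file can carry a valid JPEG header and still be hostile, so this check complements behavioral monitoring and does not replace it.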
In an incredible scene, the hacker was able to turn on and live-stream the employee’s laptop camera and microphone and even capture his keystrokes, while the worker remained blissfully unaware. This would give a hacker the opportunity to eavesdrop on board meetings or other private business discussions.
“The demonstration is an example of what can happen when a company’s employees are subjected to a targeted and sophisticated attack. The demonstration used a set of keys with a USB drive on them; the same attack could be delivered by many different approaches such as email, on-the-fly injection and zero-day exploits,” Bassi said. “Falling prey to an attack like this can devastate a business as the hackers have full access to upload and download any file, execute additional attack tools and gather confidential company data.”
Leaving the Front Door Unlocked
What emerged was that this type of hacking is so difficult to prevent or trace because, far from breaking into company systems, hackers are adept at exploiting well-meaning employees who have unwittingly broken out of their own security systems. It is the equivalent of a burglar sneaking into the property during the day and then breaking out once everyone has left and locked up. Any security system designed to keep people out is very difficult to break into from the outside; however, from inside there is little resistance.
The key is that people do not take the same precautions in the virtual world that they take in the physical world. For example, people often leave their social media accounts logged in and their computers unlocked when they leave for a break, yet they wouldn’t walk away and leave their door or safe unlocked. Similarly, passengers probably wouldn’t open a suspicious package left on a train by a stranger, yet company employees often mistakenly open dodgy email attachments sent by complete strangers.
Treat Cybersecurity the Same as Physical Security
The only true solution is for businesses to educate their employees to treat cybersecurity and data privacy the same way that they treat physical security and personal privacy. Companies should run ‘cyber drills’ or red- and blue-teaming exercises, just as they run fire safety drills. Cyber-hygiene should be treated just as seriously as physical health and hygiene. Firms could also certify and train other employees, outside the IT department, in cybersecurity, just as every worker is trained in how to safely use company equipment and lock the office at night.
“The only real layer of defense is the employees themselves,” Bassi said. “We hope it serves as a reminder to businesses, large and small, that even up-to-date patching and security solutions like anti-virus are not a complete answer and that it is vital to educate staff in essential cyber-hygiene to fill in the gap.”
It is critical for businesses, large and small, to accept that a cyber-incident is never more than a mouse click away. IntaForensics sees this issue arise on a daily basis and in many respects, the lack of employee cyber-awareness is the weak link. Working alongside CompTIA, IntaForensics is responding to the industry need for cyber-awareness by opening up its dedicated training center to the public, offering CompTIA certifications, bespoke digital forensic and cyber investigations training courses and two apprenticeship standards, Cyber Intrusion Analyst and Cyber Security Technologist.
“The message is simple,” Bassi said. “You can have a security system that costs the earth and is top in its class, but if your employees let the hackers in, then it is effectively worthless.”