The Art of the Hack: Creative


Social Engineering

Social engineering is the manipulation of people into disclosing confidential information or taking actions that undermine security. It exploits ordinary human psychology: deference to authority, the wish to be helpful, conformity to what others seem to be doing, and a sense of urgency that discourages checking. With enough personal or organizational detail, a social engineer can impersonate a colleague, vendor, or executive convincingly enough to be granted access to sensitive systems and data.

Common social engineering techniques include:

Phishing – Fake emails, texts, or messages that imitate a bank, vendor, or colleague to trick the recipient into entering passwords or payment details on a lookalike site, or into opening a malicious attachment. Messages tailored to a specific person using details about them (spear phishing) are harder to spot, and even experienced, technically capable people fall for them.

Impersonation – Posing as an employee, contractor, or other insider to obtain access that would not be granted to a stranger. Attackers research the organization's structure, vendors, and key people beforehand so they can pass as an authorized user over the phone, by email, or in person.

Tailgating – Following an authorized person through a controlled door into a restricted building or area without presenting credentials. Tailgaters dress and act the part and rely on someone holding the door for them; a related trick is entering with a cloned or stolen access badge.

Dumpster diving – Searching trash and recycling containers for discarded paperwork such as password notes, network diagrams, internal procedures, or customer records that were thrown out without being shredded.

None of these techniques needs much technical skill, yet they get attackers past otherwise strong technical defenses because the weak point is a person, not a system. Awareness training, clear procedures for verifying identity before granting access or sharing information (for example, calling back on a known number or requiring a ticket reference), and a culture in which it is acceptable to refuse an unverified request are the main defenses against these simple but very effective attacks.
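Much of what makes a phishing email work is visible in its headers: a display name that claims a trusted brand while the address behind it does not match, a lookalike sending domain, a Reply-To that routes answers elsewhere, and an authentication failure recorded by the receiving mail server. The following is an added example, not code from the original post, that scores a raw message on those indicators. The two messages and the trusted-domain list (example.com and example.net standing in for the organization's real domains) are constructed for the example.

```python
"""Added example: score inbound mail headers for common phishing indicators."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical: domains the organisation and its main vendors legitimately send from.
TRUSTED_DOMAINS = {"example.com", "example.net"}

URGENCY = re.compile(r"urgent|immediately|suspended|verify your account", re.I)


def _domain(addr):
    """Lower-cased domain part of an address header value ('' if missing)."""
    _, address = parseaddr(str(addr))
    return address.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if `domain` imitates a trusted domain without being one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # examp1e.com, exarnple.com, example.co: within two edits of the real domain
        if _edit_distance(domain, trusted) <= 2:
            return True
        # example-support.com, example.com.evil.net: brand embedded in the first label
        if brand in label:
            return True
    return False


def phishing_indicators(raw_message):
    """Return the list of indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name claims a trusted brand but the actual address does not match.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS} | TRUSTED_DOMAINS
    if from_domain not in TRUSTED_DOMAINS and any(b in from_name.lower() for b in brands):
        findings.append("display name impersonates a trusted sender")

    # 2. Sending domain is a lookalike of a trusted domain.
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies are routed to a different domain than the one the mail claims to come from.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain")

    # 4. The receiving server recorded an SPF/DKIM/DMARC failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if re.search(r"\b(spf|dkim|dmarc)=fail", auth):
        findings.append("authentication failure recorded by receiving server")

    # 5. Urgency in the subject, the classic social-engineering lever.
    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgency cue in subject")
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Corp Security" <security@examp1e.com>
Reply-To: collect@mailbox-relay.invalid
To: alice@example.com
Subject: URGENT: verify your account within 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail

Your mailbox will be suspended. Sign in here to keep access.
"""

LEGIT = """\
From: "Example Corp Security" <security@example.com>
To: alice@example.com
Subject: Monthly security bulletin
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass

This month's bulletin is attached.
"""

if __name__ == "__main__":
    for name, raw in ("phish", PHISH), ("legit", LEGIT):
        print(name, phishing_indicators(raw) or "no indicators")
```

The brand-in-label and edit-distance rules are deliberately loose; they will flag some legitimate third-party domains, which is the right trade-off for a triage score that a human or a mail gateway then reviews. Authentication-Results headers are only trustworthy when added by your own receiving server, so a production filter should strip any such header arriving from outside before evaluating its own.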

Physical Theft

Thieves do not need to break into a system remotely if they can physically take it. Laptops, phones, external drives, servers, backup media, and printed documents all carry data that can be read once the device is in the thief's hands.

Common ways this happens include:

  • Breaking into offices and stealing devices off desks or out of storage rooms
  • Walking out with laptops from insecure areas like lobbies or cafeterias
  • Picking up lost or forgotten devices like USB drives or mobile phones
  • Dumpster diving to find improperly disposed hard copies of data
  • Shoulder surfing passwords and then stealing unlocked devices
  • Accessing unattended delivery packages with new equipment

Simple theft of physical items remains one of the easiest ways for data to end up in the wrong hands. Organizations need physical security controls such as locked doors, cable locks or lockable storage for devices, restricted access to sensitive areas, document shredding, surveillance, and a process for reporting missing items promptly. Full-disk encryption and remote-wipe capability limit the damage when a device is lost or stolen, with one caveat: full-disk encryption protects a device that is powered off or hibernated, but a laptop stolen while unlocked, or asleep with the key still in memory, is still exposed.

Software Exploits

One of the most common ways criminals breach security is with malicious software: viruses, ransomware, Trojans, and similar. Malware gets onto a system either by exploiting a weakness in an operating system, application, or network service, or simply by tricking a user into running it. Once it is running, it is used to gain unauthorized access, steal data, or hold files for ransom.

  • Malware is any software intentionally designed to damage or subvert systems or networks. It comes in many forms, including viruses, worms, spyware, and adware, and often piggybacks on legitimate-looking files, installers, or websites to get onto a device. Once installed, it can let attackers steal sensitive data, delete files, track user activity, or take full control of the infected system.
  • Viruses are malware that attaches itself to files or programs and spreads by copying itself into others. They rely on users unknowingly moving and opening infected files or visiting compromised websites. Once activated, a virus can overwrite data, corrupt files, send itself to the victim's contacts, and open remote access for attackers. Viruses often go undetected until several endpoints are already infected.
  • Ransomware encrypts important files and data on a system and demands payment for the decryption key. It typically arrives through phishing emails with malicious links or attachments, or through an exposed remote-access service, and encrypts quietly in the background before revealing itself. It is extremely disruptive because critical data is inaccessible until the ransom is paid, and there is no guarantee the files will be recovered after payment. Many ransomware groups also steal data before encrypting it and threaten to publish it, so backups limit the outage but do not remove that leverage. Offline, regularly tested backups remain the main recovery path.
  • Trojans disguise themselves as legitimate applications to trick users into downloading and installing them. Once running, a Trojan can give attackers remote control of the system, log keystrokes, and read files. Trojans evade antivirus software by hiding their malicious capabilities inside otherwise normal-looking programs. Installing software only from trusted sources, and verifying signatures or published checksums where available, reduces the risk.

Keeping systems updated and staying alert are the first defenses against malware. Endpoint protection, firewalls, and security-aware staff reduce the risk further. Even so, exploitation of known software vulnerabilities remains a common and effective way to breach systems.

Unpatched Systems

One of the most common ways attackers breach security is by exploiting unpatched systems. All non-trivial software contains vulnerabilities that are discovered over time, and vendors fix them with patches. Many organizations, however, fail to install security updates for operating systems, applications, and firmware promptly, which leaves them open to attacks that exploit bugs that are publicly known and already fixed.

Outdated and unsupported software is a prime target because the attacker does not need to find anything new: once a patch is published, the flaw it fixes can be reverse-engineered and exploited. The WannaCry ransomware worm of May 2017 spread by exploiting a flaw in the SMBv1 service on Windows machines that had not applied the MS17-010 update Microsoft had released two months earlier. Incidents like this show why patches should be applied as soon as they have been tested, with priority given to vulnerabilities known to be actively exploited and to internet-exposed systems.

Neglecting patches is a sign of sloppy security practice generally. A single unpatched service can give an intruder a foothold from which to pivot to other poorly secured parts of the network. Patching takes time and effort, but it is fundamental hygiene that every organization must prioritize, and it starts with an accurate inventory, since you cannot patch what you do not know you have. Leaving systems unpatched is an open door, and a breach becomes a matter of when, not if.
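The first step in finding unpatched software is comparing what is installed against the versions you require. Version strings are not plain strings (2.4.10 is newer than 2.4.9, and 1.1.1k is newer than 1.1.1), so the comparison needs a small parser. The following is an added example, not code from the original post: it reads a constructed inventory export and reports every package below a baseline. The baseline versions are hypothetical thresholds chosen for the example, not advisory data for any real product.

```python
"""Added example: flag installed package versions that fall below a patched baseline."""
import csv
import io
import re


def parse_version(text):
    """Split '1.1.1k' or '4.18.0-372.el8' into comparable (number, suffix) pairs.

    Numeric parts compare numerically (so 2.4.9 < 2.4.10, unlike a string
    comparison) and a letter suffix sorts after the bare number (1.1.1 < 1.1.1k).
    A missing trailing component sorts lower, so 2.4 < 2.4.0.
    """
    parts = []
    for piece in re.split(r"[.\-+~]", text.strip()):
        num, suffix = re.match(r"(\d*)(.*)", piece).groups()
        parts.append((int(num) if num else -1, suffix))
    return tuple(parts)


def is_below(installed, required):
    """True if `installed` is strictly older than `required`."""
    return parse_version(installed) < parse_version(required)


def find_unpatched(inventory_csv, baseline):
    """Return (host, package, installed, required) for each package below baseline.

    Packages absent from the baseline are not judged; an inventory can only be
    checked against packages for which a known-good version has been decided.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        required = baseline.get(row["package"])
        if required and is_below(row["version"], required):
            findings.append((row["host"], row["package"], row["version"], required))
    return findings


# Constructed inventory, as a configuration-management tool might export it.
INVENTORY = """\
host,package,version
web01,openssl,1.1.1k
web01,apache2,2.4.41
db01,openssl,1.1.1w
file01,samba,4.16.2
file01,kernel,4.18.0-372.el8
"""

# Hypothetical minimum acceptable versions (example thresholds, not real advisories).
BASELINE = {
    "openssl": "1.1.1w",
    "apache2": "2.4.50",
    "samba": "4.16.2",
    "kernel": "4.18.0-400.el8",
}

if __name__ == "__main__":
    for host, pkg, have, need in find_unpatched(INVENTORY, BASELINE):
        print(f"{host}: {pkg} {have} is below required {need}")
```

One caveat worth building into any real version of this: Linux distributions frequently backport security fixes without changing the upstream version number, so a package that looks old by upstream numbering may already be fixed. Compare against the distribution's own advisory versions, or use the package manager's security-update query, rather than upstream release numbers alone.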

Weak Passwords

Weak, reused, or default passwords are a common starting point for attacks. Many people still use passwords like "123456" or "password", which attackers guess in seconds using lists of the most common choices. Reusing the same password across accounts is also dangerous: once one site is breached, attackers try the leaked username and password combinations everywhere else (credential stuffing).

Another problem is devices and systems that ship with default passwords that are published in manuals or easily found online. Many routers and IoT devices come with a standard factory password that users never change, and attackers keep lists of these defaults to try against anything they find exposed.

There are some simple ways organizations and individuals can improve password security.

  • Require strong passwords – A minimum length (12 characters or more for human-chosen passwords) combined with a check against lists of common and previously breached passwords does more than complexity rules. Current guidance such as NIST SP 800-63B favors length and breached-password screening over mandatory character classes and periodic forced changes, which push people toward predictable patterns like Password1!, Password2!.
  • Use a password manager – Password managers generate and store a strong, unique password for each account, so a breach at one site does not expose the others.
  • Educate on password hygiene – Teach people not to share passwords, not to reuse them across services, and to use the password manager rather than memorable variations.
  • Change defaults – Change any default passwords on devices or systems before they go live, and disable built-in accounts that are not needed.
  • Implement multi-factor authentication – A second factor means a guessed or leaked password is not enough on its own. Codes sent by SMS are the weakest form, since they can be intercepted or phished; authenticator apps are better, and phishing-resistant methods such as FIDO2 security keys or passkeys are best.

With a little attention, weak passwords, which are a major risk, are easy to eliminate. Sensible password rules and good habits make an organization much harder to break into.
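A password check that enforces the points above has to do more than count characters: it should catch dictionary words dressed up with symbol substitutions (P@ssw0rd123! is still "password"), the username inside the password, vendor default credential pairs, and trivial patterns. The following is an added example, not code from the original post. The common-password list and the default credential pairs are short constructed lists for illustration; a real deployment would screen against a breached-password corpus of hundreds of millions of entries.

```python
"""Added example: password policy check that screens for the weaknesses discussed above."""
import re

# Constructed stand-in for a breached/common password list (lower case, normalised).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou",
                    "admin", "dragon", "monkey", "football", "sunshine"}

# A few widely published factory defaults (username, password); must never survive go-live.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"),
                       ("admin", "1234"), ("user", "user")}

MIN_LENGTH = 12  # policy choice for human-chosen passwords; NIST SP 800-63B requires at least 8

# Common letter-for-symbol substitutions so P@ssw0rd is treated as 'password'.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s"})


def normalize(password):
    """Lower-case, strip a trailing run of digits/punctuation, undo leet speak."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET)


def check_password(password, username=""):
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("matches a common/breached password (after normalisation)")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password.lower())) <= 3:
        problems.append("too little variety (repeated characters)")
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        problems.append("is a vendor default credential")
    if re.fullmatch(r"\d{4}|\d{6}|\d{8}", password):
        problems.append("looks like a date or PIN")
    return problems


if __name__ == "__main__":
    # Constructed candidates; none of these are real credentials.
    for user, pw in [("alice", "P@ssw0rd123!"), ("admin", "admin"),
                     ("bob", "19900412"), ("alice", "tangerine-lighthouse-42-marble")]:
        print(f"{user}/{pw}: {check_password(pw, user) or 'ok'}")
```

Two design notes. The normalization step runs before the dictionary lookup because attackers' cracking rules apply exactly these substitutions, so a password that survives only because of them is not stronger. And the check is a gate at enrollment; it says nothing about storage, where the password must still be hashed with a slow, salted algorithm (bcrypt, scrypt, or Argon2) rather than stored or hashed with a fast digest.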

Physical Access

Unauthorized physical access to buildings and computers is a common simple threat that can lead to data breaches or theft. Intruders may get in using a variety of methods.

  • Poorly secured doors, windows, or other entry points. Facilities should have electronic keycard access, locked doors, security cameras, alarms, and other physical security measures. Any external entry points should be secured.
  • Tailgating authorized employees to gain building access. Staff should be trained not to allow unknown individuals to follow them into secure areas.
  • Disguising oneself as an employee, contractor or visitor. Reception areas should verify identities and limit access to only necessary areas.
  • Accessing facilities outside of business hours by exploiting weak locks or other vulnerabilities. All entry points should be secured after hours.
  • Gaining access to computer rooms, servers or other sensitive equipment. Data centers should be locked with electronic access control for only authorized individuals.

Once inside, an intruder can walk off with whole computers or drives, plug in a device to copy data or install malware, or leave behind a hardware keylogger or a rogue network device that phones home. Regular inspection of equipment, and of what is plugged into it, helps find such devices.

Theft of laptops, mobile devices, hard drives, backup media, and printed documents is a common risk. A strict policy for taking devices or sensitive material off site and bringing them back is essential, as is secure destruction of retired equipment.

Good physical security is needed to stop unauthorized people from getting into buildings and IT systems. A mix of access controls, surveillance, checks, and rules is necessary to prevent data breaches from physical attacks.

Unsecured Networks

Public WiFi networks are risky when they are not secured. Many free hotspots use no encryption at all, so anyone in range can read the traffic. Even a password-protected network is unsafe if it uses a broken protocol such as WEP rather than WPA2 or WPA3, and on a WPA2 network with a shared password, anyone who knows that password and captures a client's connection handshake can decrypt that client's traffic.

Attackers use sniffing tools to capture data on open or weakly encrypted WiFi, or set up a rogue access point with the same name as a legitimate one so that victims connect through the attacker. Anything the applications themselves send unencrypted, such as logins to plain HTTP sites, is exposed. HTTPS protects the content of a session, but the attacker still sees which sites are visited and can try to trick the user into accepting a bad certificate or a fake captive portal. Using untrusted WiFi for sensitive activities such as online banking without additional protection is risky.

Businesses often fail to secure their own WiFi. Using obsolete WEP, which can be broken in minutes, instead of WPA2 or WPA3 leaves the network open. Keeping the router's default administrative password or default SSID also makes it an easy target. Employees using unsecured WiFi can unknowingly expose company information.

For proper WiFi security, use WPA2 or WPA3 with a strong, unique passphrase, change the router's administrative credentials, and keep its firmware updated. Hiding the SSID and filtering by MAC address are often recommended but add little: a hidden network name is revealed by clients' probe traffic, and MAC addresses are trivially spoofed. On public hotspots, use a VPN so traffic is encrypted from the device onward, and avoid sensitive activities on networks you do not control.

Communication Interception

One of the easiest ways to obtain data is to eavesdrop on unencrypted communications. Unprotected emails, phone calls, texts, and other messages can be intercepted in several ways.

Unencrypted Email

  • Email protocols (SMTP, POP3, and IMAP) were designed to transmit everything in plain text. Most servers now support TLS, either on dedicated ports (465, 993, 995) or by upgrading the session with STARTTLS, but the upgrade is often opportunistic: if either side does not enforce it, the session falls back to plain text, and an attacker in the path can strip the STARTTLS offer so that it never happens. Anyone who can observe such traffic can read message contents and any credentials sent during login.
  • Emails are often cached or copied in multiple locations as they travel between sender and recipient. At any of these stops, an unauthorized party may access and read the emails.
  • Emails can be forwarded, printed, copied, and stored in ways that expose their contents. Once an email is received, it is outside the sender’s control.

Phone and Network Taps

  • Cellular calls can be intercepted over the air and landline calls can be tapped. Older networks such as 2G GSM use weak encryption that has been broken, and a fake base station can force nearby phones to downgrade to it.
  • VoIP calls carried over the internet can be captured and reconstructed from the packets unless the signaling (SIP) is protected with TLS and the audio stream with SRTP.
  • Networks can be passively monitored to intercept any unencrypted data flowing through them.
  • Tools like wireless sniffers and network protocol analyzers can intercept packets and decode unencrypted contents.

Implications

  • Unencrypted communications should be considered exposed and potentially accessible to hackers. Sensitive data should always be encrypted in transit and at rest.
  • Policies should prohibit the transmission of sensitive data over unsecured channels. Encryption should be mandated for handling confidential data.
  • Technology controls such as VPNs, enforced TLS for mail transport, and end-to-end encrypted email (S/MIME or OpenPGP) should be implemented so that plain-text communications are not available to intercept.
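What "passively monitored" means in practice is easy to underestimate. The following added example, not code from the original post, parses constructed captures of a mail client logging in to an SMTP server. In a plaintext session the credentials are sent base64-encoded, which is an encoding rather than encryption, so a sniffer recovers them directly; in a session that upgrades with STARTTLS first, everything after the server's 220 reply is an opaque TLS record. The sessions and the credentials in them (alice@example.com / hunter2) are made up for the example. POP3 (USER/PASS) and IMAP (LOGIN) without TLS are even simpler, since the credentials are sent without any encoding at all.

```python
"""Added example: what a passive eavesdropper recovers from plaintext SMTP."""
import base64


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def _session(*lines):
    """Constructed wire capture: CRLF-terminated SMTP lines as bytes."""
    return ("\r\n".join(lines) + "\r\n").encode()


# Constructed: a client authenticating with AUTH LOGIN over a non-TLS session.
PLAINTEXT_LOGIN = _session(
    "220 mail.example.com ESMTP ready",
    "EHLO laptop",
    "250-mail.example.com",
    "250 AUTH LOGIN PLAIN",
    "AUTH LOGIN",
    "334 " + _b64("Username:"),          # server challenge
    _b64("alice@example.com"),           # client answer
    "334 " + _b64("Password:"),
    _b64("hunter2"),
    "235 2.7.0 Authentication successful",
)

# Constructed: same credentials via AUTH PLAIN (base64 of NUL user NUL password).
PLAINTEXT_PLAIN = _session(
    "220 mail.example.com ESMTP ready",
    "EHLO laptop",
    "250 AUTH LOGIN PLAIN",
    "AUTH PLAIN " + _b64("\0alice@example.com\0hunter2"),
    "235 2.7.0 Authentication successful",
)

# Constructed: the client upgrades with STARTTLS first; everything after the
# server's 220 is a TLS record (0x16 = handshake), opaque to the sniffer.
STARTTLS_SESSION = _session(
    "220 mail.example.com ESMTP ready",
    "EHLO laptop",
    "250-STARTTLS",
    "250 AUTH LOGIN PLAIN",
    "STARTTLS",
    "220 2.0.0 Ready to start TLS",
) + b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32)


def extract_smtp_credentials(stream):
    """Scan a captured SMTP byte stream and return [(username, password), ...]."""
    found = []
    lines = [ln.strip() for ln in stream.split(b"\r\n")]
    i = 0
    while i < len(lines):
        upper = lines[i].upper()
        if upper == b"STARTTLS" and i + 1 < len(lines) and lines[i + 1].startswith(b"220"):
            break  # session switched to TLS; nothing further is readable
        if upper.startswith(b"AUTH PLAIN"):
            fields = lines[i].split(maxsplit=2)
            # The token is either on the AUTH line or sent after a bare 334 challenge.
            token = fields[2] if len(fields) == 3 else (lines[i + 2] if i + 2 < len(lines) else b"")
            parts = base64.b64decode(token).split(b"\0")
            if len(parts) == 3:
                found.append((parts[1].decode(), parts[2].decode()))
        elif upper == b"AUTH LOGIN" and i + 4 < len(lines):
            # 334 <"Username:">, <user>, 334 <"Password:">, <password>, all base64
            user = base64.b64decode(lines[i + 2]).decode()
            pwd = base64.b64decode(lines[i + 4]).decode()
            found.append((user, pwd))
            i += 4
        i += 1
    return found


if __name__ == "__main__":
    for name, capture in [("AUTH LOGIN", PLAINTEXT_LOGIN), ("AUTH PLAIN", PLAINTEXT_PLAIN),
                          ("STARTTLS", STARTTLS_SESSION)]:
        print(name, extract_smtp_credentials(capture) or "nothing recoverable")
```

The STARTTLS case only helps when the client insists on it. A client configured to "use TLS if available" will happily authenticate in plain text against a server, or a man-in-the-middle, that simply omits the STARTTLS capability from its EHLO response, which is why mail clients should be set to require TLS and why server-to-server transport is protected with MTA-STS or DANE rather than opportunistic upgrades.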

Improper Data Disposal

Private information commonly leaks because organizations do not properly dispose of paper records or old devices, which lets an outsider recover and piece together sensitive data. Deleting a file only removes its directory entry; the data stays on the disk until those blocks happen to be overwritten, and on solid-state drives wear-levelling means even a deliberate overwrite may not reach every copy. Any organization handling private data should shred paper records and sanitize devices before disposal: cryptographic erasure (destroying the key of an encrypted drive), the drive's built-in secure-erase command, or physical destruction, following guidance such as NIST SP 800-88. Simply deleting files or putting documents in the recycling bin is not disposal.
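To make the "deleting is not disposal" point concrete, the following added example, not code from the original post, overwrites a file's contents in place and forces the write to the device before unlinking it, which is the minimum needed for the old bytes to stop being recoverable from the file's former blocks on a traditional spinning disk with a plain filesystem. The caveats are in the comments: on SSDs, on copy-on-write or journaling filesystems, and wherever snapshots or backups exist, the old data can survive this, and whole-device disposal should use the drive's secure-erase or crypto-erase mechanism instead. The sample file content is constructed.

```python
"""Added example: overwrite a file in place before deleting it, with the limits noted."""
import os
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files do not load into memory


def overwrite_and_unlink(path, passes=1):
    """Overwrite `path` with random bytes `passes` times, then delete it.

    Returns the number of bytes written. Raises FileNotFoundError if the path
    does not exist, so a planned wipe that did nothing is noticed.

    Limits: SSD wear-levelling and copy-on-write filesystems (btrfs, ZFS, APFS)
    may write the new bytes to different physical blocks and leave the old ones
    intact, and snapshots or backups keep their own copies. For those, rely on
    full-disk encryption plus key destruction, or the device's secure erase.
    """
    size = os.path.getsize(path)
    written = 0
    # r+b reuses the existing inode, so on a plain filesystem the same blocks are rewritten.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                chunk = os.urandom(min(CHUNK, remaining))
                fh.write(chunk)
                remaining -= len(chunk)
                written += len(chunk)
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite to the device before unlinking
    os.remove(path)
    return written


def demo():
    """Create a temporary 'sensitive' file, wipe it, and report what happened."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".txt") as tmp:
        tmp.write(b"account=4111 1111 1111 1111\n" * 1000)  # constructed sample content
        path = tmp.name
    size_before = os.path.getsize(path)
    written = overwrite_and_unlink(path, passes=2)
    return size_before, written, os.path.exists(path)


if __name__ == "__main__":
    size, written, still_there = demo()
    print(f"{size} bytes overwritten {written // size} times; file still present: {still_there}")
```

Note that a single pass of random data is sufficient for any modern drive; the multi-pass schemes from older guidance add time but not assurance. The `passes` parameter is there to show the loop, not to recommend repetition.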

Lack of Policies

Many cyber attacks succeed because organizations lack cybersecurity policies and proper training. This results in employees being unaware of best practices or failing to take necessary precautions. For instance, without a strong password policy, employees may choose weak passwords that are easy for hackers to guess. Additionally, they may not understand proper email security, leading to opening dangerous attachments or links and enabling phishing scams.

It is important for companies to have security policies covering areas like acceptable use, access controls, encryption, remote work, password requirements, and incident response. These policies provide rules to follow to minimize risk. Organizations can then train employees on these policies through seminars, testing, and simulated attacks. With consistent training and enforcement, employees develop good cyber hygiene habits that close security holes.

Policies help to create a corporate culture where security is a priority. They show employees the proper way to handle data and respond to threats. Even basic policies raise awareness and reduce preventable mistakes. Companies that are unwilling to implement robust policies and training are leaving themselves vulnerable to basic attacks. Educating employees can greatly strengthen cyber defenses.