I find that good, law-abiding citizens are fascinated by what I do. I’m a penetration tester, a.k.a. “white hat” or “ethical” hacker. In other words, companies hire me to break into their systems for a living to demonstrate where there are vulnerabilities. (I can’t believe I get paid for doing this!) If you want to avoid a cyber security breach at your company, I recommend that you understand – and guard against – three hacking techniques that your enemies (the “black hat” hackers) use every day.
First, let’s set the stage. Let’s say that your company is Big Boxes 4U, a major mass-market retailer with more than 1,500 locations in the United States. Your innovative designer partnerships, high-quality product mix, and great customer service have earned you a loyal customer following.
You capture customer information every day at the point of sale, including both in-store and online purchases. The result is a central database that houses a collection of valuable customer information that gives insight into how your customers shop, what they buy, and what products and services they prefer. Just as you value this information, so do hackers. Here’s how they create a cyber security breach.
Hacking Technique #1: Attack Internet-facing servers
Hackers love the Internet – it provides multiple open doors right into your data. Most commonly, hackers will:
- Hack default or overly simplistic passwords.
- Use publicly-known exploits for certain systems – or find their own.
- Gain access through a security misconfiguration, e.g. via file upload or SQL injection.
Hacking Technique #2: Use people against you
People are always a vulnerability – their actions cannot be predicted or controlled. Hackers know this and play off it. They will:
- Send a phishing email to employees, implanting a bot or Trojan on the internal network. The bot sends a signal to a control server, and thieves gain access to the internal network.
- Gain access through third parties (e.g., suppliers) that have access to the network.
- Partner with a rogue employee to steal data electronically or work with thieves to implant a bot.
Hacking Technique #3: Steal the keys to the kingdom
Once inside the system, most hackers follow a familiar five-step path to get to the goods:
- Gain access through points of entry.
- Install a bot, Trojan, or rootkit to maintain access, and/or add another account.
- Elevate privileges by gaining the “keys,” or credentials, for greater access to the network, including:
  - Cached credentials from a previous login
  - Local account password hashes
  - Running processes with stored network-level credentials
- Move through the network to access higher-level systems and discover more powerful credentials.
- Access the area targeted with those credentials – a server or a point-of-sale platform – to acquire credit card information.
Fortunately, you can take definitive steps to protect your company against all these hacking techniques. The main factors that reduce both the threat and the cost of cyber security breaches are:
- Having a strong security posture: reduces the cost of a breach by $14.14 per record. This includes patching, hardening, enforcement of strong passwords, security awareness training, egress filtering to stop bots, segmentation of credentials to protect critical systems against stolen passwords, and security monitoring.
- Instituting an incident response plan: reduces the cost of a breach by $12.77 per record.
- Having a Chief Information Security Officer: reduces the cost of a breach by $6.59 per record. This Chief Information Security Officer (CISO) should spearhead a comprehensive security program driven by a tailored strategy.
- Using disaster recovery as a service: reduces your cost and losses by keeping your business running, even when it can’t use the main network because of a breach; provides increased security to detect and prevent threats when they emerge; provides greater protection to your customers.
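The security monitoring and egress filtering mentioned above can catch the bot's "signal to a control server" described under Technique #2. The following is an added example, not part of the original article: it flags internal hosts that contact a non-allowlisted destination at machine-regular intervals. The log format, addresses, hostnames, allowlist, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log (timestamp, internal source, destination); all values are made up.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.1.4.23 cdn-sync.example.net
2024-05-01T09:05:02 10.1.4.23 cdn-sync.example.net
2024-05-01T09:09:59 10.1.4.23 cdn-sync.example.net
2024-05-01T09:15:01 10.1.4.23 cdn-sync.example.net
2024-05-01T09:20:00 10.1.4.23 cdn-sync.example.net
2024-05-01T09:00:30 10.1.4.23 payments.processor.example
2024-05-01T09:10:30 10.1.4.23 payments.processor.example
2024-05-01T09:20:30 10.1.4.23 payments.processor.example
2024-05-01T09:30:30 10.1.4.23 payments.processor.example
2024-05-01T09:40:30 10.1.4.23 payments.processor.example
2024-05-01T09:01:10 10.1.7.50 news.site.example
2024-05-01T09:03:45 10.1.7.50 news.site.example
2024-05-01T09:20:30 10.1.7.50 news.site.example
2024-05-01T09:21:05 10.1.7.50 news.site.example
2024-05-01T09:58:00 10.1.7.50 news.site.example
"""
# Assumed allowlist: destinations the business expects its hosts to reach on a schedule.
ALLOWLIST = {"payments.processor.example"}

def parse(log):
    """Group connection timestamps by (source, destination)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:  # skip blank or malformed lines
            ts, src, dst = parts
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log, allowlist, min_events=5, max_cv=0.1):
    """Flag non-allowlisted flows whose gaps between connections are nearly constant."""
    hits = []
    for (src, dst), times in parse(log).items():
        if dst in allowlist or len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a low value means a machine-like, fixed interval.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg)))
    return sorted(hits)
```

Human browsing (the third flow) produces irregular gaps and is not flagged; the allowlisted payment traffic is regular but expected, which is why the allowlist has to be kept tight.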