How I would hack your system if I wasn’t an ethical hacker?
Terry Cutler
Certified Ethical Hacker and Vice President of Cybersecurity at SIRCO
Over recent years, we’ve all seen some mega breaches like Ashley Madison, Democratic National Convention, Yahoo, Telegram, Mossack Fonseca, and 2017 promises to get even crazier.
Most companies don’t take cyber security as seriously as they should. IT is often allocated the smallest share of the overall budget, and most managers don’t see the need for security until it’s too late. So as the VP of Cyber at SIRCO and a professional Ethical Hacker, I get hired by clients such as yourselves to try and break in and tell you how to fix your vulnerabilities before the evil hacker does.
Cyber criminals today are making about 10x my annual salary, so I often get asked the question “Why do you do what you do when you can be earning so much more?” Simple: I love helping others. But here’s how I would hack your company if I turned to the dark side.
Step 1 – Recon: It wouldn’t take me long at all to find your employees on social media. I would find out their interests, who they’re connected with, and the best email to reach them with. I may even find out where the CEO lives, drive to his house and scan his unsecured Wi-Fi. I may even leave a few USB sticks around your office, like I did to another company back in 2011, which is detailed in my “USB keys in the Urinal” story.
The job postings that some companies put out there are revealing way too much information about what software is running inside the company. Guess what? There’s nothing you can do about it because it’s required to do business. There’s so much information I can find out about your organization from various sources and I haven’t even touched your organization yet!
Step 2 – Scanning: Now that I’ve spent a day or so building my battle plan, I’m going to scan your network to find out what systems are online, what software you’re running, and how many vulnerabilities exist for each piece of software. We hackers have a support system where we share information about how to breach a certain technology, which is very effective.
Step 3 – Attack: My VPN is now set up, and I’ve changed my IP address from Montreal, Canada to make it appear that I’m coming from another country, just to mess with your IT department. Here’s the thing: I don’t have time to waste trying to crack your firewall and risk being detected, when all I have to do is send a compelling email with a link to your employee who I befriended a few days ago. Your employee won’t think it’s a scam, so they’ll click on my link and let me right into the network almost undetected. I say almost because a lot of times the incident was logged somewhere in your systems, but the IT department isn’t trained to look for that, so it gets missed.
Oh, and for the record, your firewall and anti-virus won’t save you. We hackers have access to specialized training on how to bypass the top anti-virus products, and it’s free.
Now that I’ve gotten into your network, I’ll gain access to the server that holds the list of all your users and the passwords for each account. I’ll then reuse that login information to get into other accounts, both in the network and on social media. Having a company’s social media account taken over and embarrassing messages sent from it can hurt your reputation.
In previous intrusion tests I’ve pulled out credit card data, client lists, buyer’s lists, birth certificates, passports, digital signatures used to sign cheques, and nude employee or extramarital photos that, if they fell into the wrong hands, could be used for extortion. A malicious hacker could seriously destroy your business.
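Reusing harvested logins from one foothold, as Step 3 describes, leaves a trace in authentication logs that can be searched for: a single source signing in successfully as several different accounts within minutes. The Python below is an added example, not part of the original article; the log format, account names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format): timestamp, source IP, account, result
SAMPLE_LOG = """\
2017-01-09T08:58:12 10.0.4.21 asmith SUCCESS
2017-01-09T09:01:40 10.0.4.37 bjones SUCCESS
2017-01-09T09:14:03 10.0.4.52 cwong SUCCESS
2017-01-09T09:14:41 10.0.4.52 asmith SUCCESS
2017-01-09T09:15:02 10.0.4.52 bjones FAILURE
2017-01-09T09:15:30 10.0.4.52 dpatel SUCCESS
2017-01-09T09:16:05 10.0.4.52 svc_backup SUCCESS
2017-01-09T11:30:00 10.0.4.21 asmith SUCCESS
"""


def parse(line):
    """Split one log line into (timestamp, source, account, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def find_credential_reuse(log_text, min_accounts=3, window=timedelta(minutes=10)):
    """Map each source to the accounts it logged in as, if it reached
    min_accounts distinct successful logins inside one sliding window."""
    recent = defaultdict(deque)  # source -> (timestamp, account) pairs still in the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse(line)
        if result != "SUCCESS":
            continue  # only successful logins show working stolen credentials
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop logins that aged out of the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            alerts.setdefault(src, set()).update(users)
    return {src: sorted(accts) for src, accts in alerts.items()}


if __name__ == "__main__":
    for src, accts in find_credential_reuse(SAMPLE_LOG).items():
        print(f"ALERT {src} authenticated as {len(accts)} accounts: {', '.join(accts)}")
```

Shared jump hosts and terminal servers will trip this rule legitimately, so known multi-user sources need an allowlist before the alert is worth paging on.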
Step 4 – Maintaining access: Once I’m in your system, I plan to return undetected as many times as I want. I may even increase the security of your server without you knowing just to prevent other hackers from getting in and undoing my hard work. I could be in there for years collecting the latest and greatest stuff that your business is producing.
Step 5 – Cover my tracks: Since I’d have complete control of your network, I would then manipulate the network logs to make myself appear invisible. I may even create a diversion to make the IT department think there’s a problem somewhere else while I stay covert.
In conclusion, way too often I’m getting the calls after the hack has already occurred and the evidence has been destroyed. By then it’s way too late, and it’ll be very costly if you plan to find out who did it. I’m sure you’d rather someone like me test your system before the evil hacker does.
If you’d like more information about this topic such as a presentation or rapid assessment, please don’t hesitate to reach out to us at 514-744-1010.
Stay safe!