Thursday, December 23, 2010
People Are The Weakest Link
Targeted attacks by persistent individuals will entail days if not weeks of physical reconnaissance on the organization they're looking to infiltrate. This will include watching when employees enter the building and what their habits are around the workplace; trying to get close enough to get a picture of their company badges in order to replicate one and gain access; going through their trash at night, or "dumpster diving", attempting to find information about the company that might not be public; dressing in a stolen or replica uniform that could allow hackers to walk through the front door without being stopped; and much more. (Have you ever held the door for the Fedex delivery man while he walked up to the building holding a large box? Are you sure that was a Fedex delivery, or did you just give some hacker access to your building?)
Another area that doesn't really get looked at enough is the complete and almost blind trust that people place in their cleaning crews. Many if not most cleaning crews are hired as a third party and are normally given keys to almost every office and room in the organization. What if a janitor making minimum wage was given $1000 to put a hardware keylogger on the CEO's workstation for a week and then send it back via mail to a P.O. box? Better yet, what if he was given multiple hardware keyloggers and asked to place them on the IT staff's desktops for a day, collecting as many high level logins as possible? For around $1500 the hacker could have almost every admin login to the network and systems without even using a computer.
Another way that hackers gain access to an organization is through phishing and social engineering. They use these techniques to con people into giving them the information they need. This is normally done over the phone and through an e-mail campaign directed at a company, made to look like legitimate correspondence. Examples of these would be e-mails coming from someone claiming to be from IT asking you to enter your username and password into a new system as a test (this is a textbook example of a phishing e-mail, collecting the credentials that you just gave up willingly to a hacker), or someone calling as the company's Helpdesk explaining to you that there's been an issue on the system and you need to change your password right away, oh and by the way, here's a secure password for you to use.
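The "someone from IT asks you to enter your username and password into a new system" e-mail above has a recognisable shape, and a mail gateway or awareness tool can score for it. The following is an added example, not code from the original post: it parses two constructed messages (a credential-harvesting e-mail and a benign helpdesk notice, both invented here) and flags the combination of an internal-sounding display name on an external sender domain, a request for credentials, urgency language, and links pointing off the organisation's own domain. The organisation domain `example.com` and the sample messages are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed domain of the organisation being protected.
INTERNAL_DOMAIN = "example.com"

# Constructed sample messages (not real mail), mirroring the two cases in the post.
PHISH_SAMPLE = b"""From: "IT Department" <it-support@example-login.net>
To: alice@example.com
Subject: Action required: verify your account on the new system
Content-Type: text/plain

We are testing a new system. Please enter your username and password
at http://example-login.net/verify immediately or your account will be disabled.
"""

LEGIT_SAMPLE = b"""From: "Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance Saturday
Content-Type: text/plain

The file server will be offline Saturday 02:00-04:00 for patching.
No action is needed on your part.
"""

# Display names that claim an internal support role.
ROLE_RE = re.compile(r"\b(it|helpdesk|help desk|support|security|admin)\b")
CREDENTIAL_RE = re.compile(r"\b(username|password|passphrase|credentials|log ?in)\b")
URGENCY_RE = re.compile(
    r"\b(immediately|right away|within 24 hours|will be disabled|action required)\b"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def score_message(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Return a dict with the indicator list, a score and a verdict for one raw e-mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "") + " " + str(msg["Subject"] or "")
    text_l = text.lower()

    indicators = []

    # 1. Claims an internal role but the real sender domain is not ours.
    if ROLE_RE.search(display_name.lower()) and sender_domain != internal_domain:
        indicators.append(f"internal role '{display_name}' from external domain {sender_domain}")

    # 2. Asks the reader for credentials. Legitimate IT never needs your password.
    if CREDENTIAL_RE.search(text_l):
        indicators.append("requests credentials")

    # 3. Pressure to act now, which short-circuits the reader's judgement.
    if URGENCY_RE.search(text_l):
        indicators.append("urgency language")

    # 4. Links that leave the organisation's domain.
    external = [u for u in URL_RE.findall(text)
                if (urlparse(u).hostname or "").lower() != internal_domain]
    if external:
        indicators.append(f"external link(s): {', '.join(external)}")

    score = len(indicators)
    if "requests credentials" in indicators and score >= 2:
        verdict = "phish"          # credential request plus any supporting indicator
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"score": score, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = score_message(sample)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for ind in result["indicators"]:
            print("   -", ind)
```

The scoring is deliberately simple: the point is that a credential request on its own is already the strongest signal, and the other three indicators only raise confidence. A real deployment would add header checks (SPF/DKIM results, Reply-To mismatch) rather than relying on body text alone.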
So as companies continue to tighten their network perimeter, the hackers are going to continue going after the low hanging fruit: the employees. You can have a $50 million IT Security budget blown away by the receptionist being tricked into giving away her password over the phone.
Now that the perimeter is relatively secured, it's time to start looking inward and securing the new target area; except here you can't buy hardware to stop the attacks. You need to educate the people on how to act and what to look for, which is easier said than done.