In my last article, we discussed the first of three security threats in this series, social engineering and the human element.
While the social engineer operates as a hybrid between human and technological weakness, pure technical threats exist as well. These threats involve many forms of technology systems: computers, smartphones, printers, security systems, networking equipment, data storage warehouses, databases, websites, heating and cooling systems, etc.
Hacking these systems rests on vulnerabilities, software or hardware bugs, and on exploits, the code or techniques that use such a bug to make a system run commands its original designers never intended. Many information security researchers work full time, as consultants or in-house staff, finding vulnerabilities in software and hardware. Their methods are beyond the scope of this article, but they are highly technical, and they do ferret the bugs out.
While many exploit hunters work in the corporate world, many others are effectively exploit bounty hunters: their goal is not only to find exploits but to sell them for profit. These are sold not only on underground electronic exchanges but also through legitimate companies such as Vupen. The legal and ethical implications of this trade are contested; at present there are no known laws that criminalize the sale of exploits.
Be aware that your information technology and information security departments are probably running on thin budgets. They are tasked with protecting the “keys to the kingdom,” yet this directive often goes unfunded at the corporate finance level. That is a major problem: without proper information security safeguards and trained personnel to operate them, a breach is not a matter of if, it is a matter of when.
Vulnerabilities take time to find, fix, distribute and patch. You may think that patching is commonplace, reasoning that any organization would be eager to patch its systems. The sad reality is that there are still computers connected to the Internet that have remained unpatched for years and may carry hundreds of vulnerabilities just waiting to be exploited by an opportunistic hacker. For example, one website that offers a wealth of information about your organization (and others) is shodanhq.com, a search engine that indexes the service banners of Internet-connected devices. Visit that site and search for Linksys, and you will get tens of thousands of results. Search for admin+1234 and you get over 40,000 routers whose banners advertise that default username and password. A hacker could easily automate connecting to these with the default credentials and, in many instances, reach the core administration panel, deny access, reach computers and files on the network, and so on. It’s much easier than you think.
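The automated default-credential check described above, turned around as a defensive audit of your own devices, as an added example (not the author's code, and not a real tool from this article). It tries a short list of vendor default logins against each device's HTTP admin interface and reports the ones that still accept a default. The inventory, the device addresses and the credential list are constructed placeholders; a real run needs your own asset list and written authorization to test those devices.

```python
"""Default-credential audit for devices you own or are authorized to test.

Added example for this article, not the author's code. The inventory and
credential list below are constructed placeholders.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed: a few vendor defaults of the kind the article mentions.
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", ""),
    ("admin", "password"),
]

# Constructed inventory: hypothetical management URLs on your own network
# (192.0.2.0/24 is a documentation range and will not answer).
INVENTORY: Dict[str, str] = {
    "branch-router-1": "http://192.0.2.10/",
    "branch-router-2": "http://192.0.2.11/",
}

# An "attempt" function answers one question: does this login work at this URL?
Attempt = Callable[[str, str, str], bool]


def http_basic_attempt(url: str, username: str, password: str,
                       timeout: float = 5.0) -> bool:
    """Try one HTTP Basic login. True only on a 2xx response."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return False  # 401/403 (or any other non-2xx): login rejected
    except (urllib.error.URLError, OSError):
        return False  # unreachable: "not confirmed", which is not "safe"


def audit_defaults(inventory: Dict[str, str],
                   creds: List[Tuple[str, str]] = DEFAULT_CREDS,
                   attempt: Attempt = http_basic_attempt) -> Dict[str, Tuple[str, str]]:
    """Return {device_name: (user, password)} for every device that accepts a default login.

    Stops at the first hit per device so a real run touches each box as
    little as possible; the attempt function is injectable so the logic can
    be exercised offline.
    """
    findings: Dict[str, Tuple[str, str]] = {}
    for name, url in inventory.items():
        for user, pw in creds:
            if attempt(url, user, pw):
                findings[name] = (user, pw)
                break
    return findings


if __name__ == "__main__":
    hits = audit_defaults(INVENTORY)
    for name, (user, pw) in hits.items():
        print(f"{name}: accepts default login {user}/{pw or '<empty>'}")
    if not hits:
        print("no device accepted a default login")
```

Run it against an inventory you are responsible for, and treat any hit as an incident: a device that still accepts admin/1234 is exactly what the Shodan query above surfaces for everyone else.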
As the corporate risk advisor, recommend that information security programs be carefully developed and supported with appropriate budgets, personnel and training, so that your company positions itself as a difficult target. Hackers often seek out the easy target and move on from the harder ones.
Aim to be ahead of your industry’s adoption of information security measures. If your company doesn’t have one, hire a Chief Information Security Officer (CISO) to oversee the technological solutions that further your organization’s information security goals. Suggest information security audits through outside counsel. The benefit of engaging outside counsel to oversee audits is that the information security consultant’s report can be delivered to outside counsel and incorporated into a more complete legal document that analyzes potential threats in both legal and technological terms. This can also place the report under attorney-client privilege and protect it from disclosure, although that protection is not guaranteed.
The next article in the series will address the security threat of the insider, which is purely a human play. Even the simplest action of an employee holding a door open for someone coming into the building might be a breach.