The biggest risk is that a hacker will capture an employee’s credentials and then log in externally to third-party vendors, says Benjamin Gordon, the manager of advisory services at Rook Security in Carmel, Ind. “Employees just aren’t educated enough on security, to be perfectly blunt. It doesn’t matter what technology you have in place, what IT team you have in place. If somebody clicks on a malicious link, it’s a problem.”

White Hat Hackers

Rook performs such attacks (known as “pen tests”) for major corporations, including financial institutions, in a variety of packages that range from basic vulnerability and software testing to more novel physical site breaches.

Gordon and Nat Shere, Rook’s senior information security consultant, say that even before a pen test is done, they would recommend that smaller firms do vulnerability scanning with software that costs a couple of thousand dollars a year for a license. “Going further is the pen test itself,” says Shere. “We would perform reconnaissance over the environment and look for credentials that had already been compromised through other attacks.” The pen test is meant to prove that a suspected vulnerability could actually be exploited.

After that, the cloak-and-dagger work begins, in which the hackers (with permission from the business owners) don costumes and try to fool staff by slipping into the physical locations themselves. Says Shere, “We have posed as a maintenance crew, as fire extinguisher inspection agents, insurance agents, FedEx employees. And that gets somewhat involved … having costumes related to those personas. Creating e-mails, creating fake IDs.” The first thing they do during a physical attack is recon, some of which is fairly unsophisticated—walking around buildings inconspicuously to get a sense of what the entry points are, finding out whether there are badge readers or cameras. The Rook team might loiter around the back of a building to see if they can sneak in when somebody leaves a door open.

A lot of times the owners will set flags throughout the building, Gordon says, challenging Rook to break through different levels of security or into certain areas, like the server room.

Recently, says Shere, the firm was contracted to go into a client’s large data center in Texas. “We dressed up as though we were from the fire department. We had some clipboards; we had some very official looking outfits. And we came in and said we are here to inspect the fire extinguishers to make sure they are still up to code.” The person at the front desk called the manager. “We had a fake printed-out e-mail from a supervisor who was not there at the time saying it was OK.

“The manager ended up giving us a full access key to the entire building so that we could go floor to floor inspecting all the fire extinguishers. So we did that, wandering around on our own and basically taking pictures of all the various network and computer hardware.”

Other times, Rook gathers information about its clients on the internet. After finding out that an employee of one firm had just gotten a performance review, “we sent e-mails to around 50 to 75 of their employees with an attached document that said, ‘Here’s the results of your performance review.’ And we had nearly 60% to 70% of them download and try to execute this malicious file that gave us access to their computers.”

The firm also does phone attacks—posing as help desk or HR staffers—asking employees to reset their passwords. “It’s amazing what you can find on the internet,” Gordon says, “in terms of what a company is doing and who works there, and we can tailor our attack plans based off that information.” Hackers can find out who works in HR on LinkedIn and send fake e-mails to staffers spoofing real human resources names.
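One defensive control against the HR impersonation described above, added here as an illustration and not code from the article or from Rook: a mail-gateway check that flags inbound messages whose From display name matches a known HR employee but whose sender address is not that employee's mailbox. The company domain, HR directory and sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the organisation's own mail domain and a
# directory of HR staff names mapped to their real mailboxes.
COMPANY_DOMAIN = "example.com"
HR_STAFF = {
    "Dana Rivera": "dana.rivera@example.com",
    "Sam Okafor": "sam.okafor@example.com",
}


def normalise(name):
    """Collapse case, spacing and punctuation so 'DANA  RIVERA' == 'Dana Rivera'."""
    return re.sub(r"[^a-z]", "", name.lower())


def check_from_header(from_header):
    """Return a finding string if the From: header impersonates HR staff, else None."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    wanted = normalise(display)
    for staff_name, staff_addr in HR_STAFF.items():
        if wanted != normalise(staff_name):
            continue
        if addr == staff_addr:
            return None  # display name and mailbox both match the directory
        if domain != COMPANY_DOMAIN:
            # Name of an HR employee on mail arriving from an outside domain.
            return f"HR name '{display}' used by external sender {addr}"
        # Internal domain but a different mailbox than the directory entry.
        return f"HR name '{display}' used by non-directory mailbox {addr}"
    return None


def scan_headers(headers):
    """Run the check over a batch of From: headers; return only the flagged ones."""
    return [(h, f) for h in headers if (f := check_from_header(h))]


# Constructed sample From: headers, as a gateway might log them.
SAMPLE_HEADERS = [
    "Dana Rivera <dana.rivera@example.com>",            # legitimate
    "Dana Rivera <dana.rivera@example-hr-portal.com>",  # external lookalike domain
    "SAM OKAFOR <s.okafor@example.com>",                # internal, wrong mailbox
    "Helpdesk <it@example.com>",                        # not an HR name at all
]

if __name__ == "__main__":
    for header, finding in scan_headers(SAMPLE_HEADERS):
        print(f"FLAG: {finding}")
```

A production version would add a Reply-To comparison and a fuzzy match on the display name, since attackers need only be close to the real name to fool a reader.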