- Truffle Dog Digital newsletter
How Breaches Actually Happen
- Security breaches often start with deceptive emails/sites, not high-tech hacking.
- Fraudsters exploit human error and unpatched vulnerabilities to gain access.
- Awareness and education are the best defences against these attacks.
I asked my go-to cybersecurity expert today whether the popular view of a security breach, as depicted in the movies, is accurate, and I found the answer interesting enough to share. The popular view involves some ultra-genius hacker in a dark room with multiple monitors running arcane commands to overcome the technical defences of the target organisation.
Mark Belfanti, who has a history as Chief Information Security Officer (CISO) for large corporations and headed security for the NBN network, now leads the cybersecurity practice at ThunderLabs. Mark explained that the more common approach to initially gaining access to someone's infrastructure involves some clever email writing and a simple website. All of this takes a couple of days to set up, max.
First, the fraudsters set up a website to look like one of the company's internal systems—often the HR system or payroll. Once that's done, they send emails to as many of the employees as they can find. The email is made to look like it is coming from someone in authority within the company. Commonly, the email will notify the recipient that HR requires them to log in and recheck their times to process payroll. But instead of taking them to the internal payroll system, the link in the email directs them to the new (copy) website, controlled by the fraudsters. Even the most vigilant employees can have a momentary lapse of concentration and click on the link. It only takes one.
When the employee thinks they are typing their username and password into an internal system, they are actually entering their credentials into a fraudulent website, which stores the details. This process is known as "phishing." The term is a play on "fishing" because the cybercriminals are throwing out thousands of hooks, hoping for one of us (the "fish") to take the bait.
As a side note, the "ph" comes from "phreaking" (a combination of "freaking" and "phone"), which is where hacking originated in the 70s and 80s when people exploited security holes in the telephone system to get free access to national and international calls. This naturally transitioned into computers when the digital age hit.
The fraudsters then use these details to sign in for themselves. Once they breach one system, they begin gaining more and more privileges and accessing additional internal systems. Although this work is closer to the popular view of "hacking," the reality is they are just exploiting "known vulnerabilities" in various systems to see if any have been left unpatched.
This is where the importance of "patching" comes in. The fraudsters are not identifying these vulnerabilities themselves (this is the work of real hackers); all they are doing is checking to see if the target organisation has patched against them. Many of the vulnerabilities exploited today were identified and published over a decade ago—it's just that someone forgot to patch them.
By exploiting these vulnerabilities, fraudsters can escalate their privileges beyond those of the employee whose credentials they've stolen. This process is called "privilege escalation." In many cases, it's relatively straightforward to gain access to shared drives and even back-end databases with sensitive data. Once they have access to this information, the fraudsters have several options, including selling the data, holding the organisation to ransom, or using it for further attacks—either on the same organisation or others.
The only practical defence against this type of attack is education. Once you're aware of what to look for, the habit of checking the source of suspicious emails quickly forms. The best example I've seen of this education was at a previous client, where the internal team would regularly and randomly send out typical phishing emails to employees, followed by a lighthearted educational video for those who clicked on the links. Some of these emails were crafted more cleverly than the real phishing ones I see every day.
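As an added illustration of the "check where the link really goes" habit (my own example, not code from Mark or this newsletter), the script below pulls every link out of an email body and flags those whose real destination is outside the organisation's own domains. The internal domain list and the sample message are constructed placeholders.

```python
# Added example: flag links in an email whose destination host is outside the
# organisation's own domains, the tell-tale sign of the fake payroll site lure.
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the organisation's legitimate domains (placeholder value).
INTERNAL_DOMAINS = {"example.com"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def host_matches(host, domains):
    """True when host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def suspicious_links(raw_email, internal_domains=INTERNAL_DOMAINS):
    """Return links whose real destination is outside the internal domains."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode("utf-8")
    parser = _LinkCollector()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if not host_matches(host, internal_domains):
            findings.append({"href": href, "text": text.strip(), "host": host})
    return findings

# Constructed sample, in the style of the payroll lure described above.
SAMPLE = """From: HR <hr@example.com>
Subject: Payroll timesheet check
Content-Type: text/html; charset="utf-8"

<p>Please <a href="https://payroll.example-com.net/login">log in</a> to recheck
your times. Policy: <a href="https://intranet.example.com/policy">here</a>.</p>
"""
```

Only the lookalike "example-com.net" host is reported; the genuine intranet link passes because it sits under the internal domain.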
In your organisation, how often do you receive suspicious emails?
Andrew Walker
Technology consulting for charities
https://www.linkedin.com/in/andrew-walker-the-impatient-futurist/