If you’re worried about your network security, then you may think the last thing you should do is to invite someone to hack your network. However, one of the types of cyber protection you may not know about involves hiring teams of so-called “ethical hackers” to discover your system’s vulnerabilities.
Beware of Cute Cats
What is it about cat pictures or videos people find so irresistible? The Wall Street Journal reported that an ethical hacking company called PhishMe, co-founded by Aaron Higbee, put together a phishing email that featured a picture of a Turkish Angora cat with a purple mohawk. The email promised that clicking a link would lead the user to more cat pictures. Instead, the link led the employee to a warning from the tech department.
PhishMe designed another fake phishing email designed to prey on employee competitiveness. He sent an email to employees that appeared to come from the company CEO. The email had an attachment that claimed to contain figures for potential bonuses for many company employees. PhishMe then sent a second email attempting to recall the first. Many employees clicked the attachment, which again sent them to a warning page.
Higbee says that cute cats are to employees like kryptonite is to Superman. Of the 3.8 million employees that PhishMe has worked with, 48 percent have clicked on the cute cat phishing email. PhishMe’s work reveals vulnerabilities to “social engineering,” which are attacks designed to capture sensitive information from employees.
Common Vulnerability Points for Networks
In addition to attacks that prey on human frailty, hackers can capitalize on a number of vulnerable network points, including:
- Wi-Fi networks. When employees do work over wireless, they can expose the company to a hacker. A “man-in-the-middle” attack, for instance, can use a computer with two wireless cards near a Wi-Fi hotspot to lure employees into logging onto a fake network. One wireless card connects to a legitimate network while another generates a fake network. Employees log onto the company intranet through the fake network, giving their credentials to the hacker.
- USB drives. Imagine an employee using a USB stick to take work from the office to his or her home. The employee’s personal computer downloads a virus, which then transmits itself to the USB drive. When the employee returns to work and inserts the USB drive into a corporate computer, the virus could penetrate the corporate network. The Stuxnet worm, which took down the network at an Iranian nuclear facility, was probably delivered by an operative using a USB drive.
- Weak passwords. Many employees use obvious passwords like “123456,” “iloveyou,” “password” or their names. Sometimes, they write their passwords on sticky notes and stick them to their monitors or the undersides of their keyboards. Also, many employees use the same passwords for multiple accounts. For instance, if an employee gives away a company email password in a phishing email, and he or she uses that same password for online banking, the employee could face a serious problem.
Ethical Hacker Tactics
Ethical hackers use multiple techniques to reveal network vulnerabilities. An ethical hacker may sit out in a company parking lot and attempt to launch a man-in-the-middle attack on the company’s wireless network. Also, some ethical hackers drop rigged thumb drives in company bathrooms, which employees often pick up and insert into their USB ports. Some ethical hackers go so far as to conduct in-person breaches. For example, a hacker may dress up like a package delivery person or a fire marshal to gain access to restricted company areas.
Look for an ethical hacker who holds the Certified Ethical Hacker (CEH) credential. A CEH has training in subjects like virus creation, buffer overflows, social engineering, policy creation and intrusion detection. CEH students aren’t allowed into training centers without undergoing a thorough background check. After completing training, a CEH has to pass an examination to earn his or her final credential. CEH’s also sign legal agreements stating that they will not use their training for illegal or malicious purposes.
If you’re concerned about data loss or network vulnerability, you can find an ethical hacker who can determine your network’s weak spots. These hackers do an important service for consumers, businesses, not-for-profits and government agencies.