At the recent Black Hat Conference, the security firm Bitglass surveyed over 100 black hat and white hat hackers to learn what motivated them and what they looked for when attacking a network. Irrespective of their current hat color affiliation, 81% claimed that they had worked in corporate IT at some time in their careers. Here are some of the findings.
The Morality of Hacking
To many, perhaps most, individuals, stealing is wrong, no matter what excuses are made to justify it. Most hackers steal. They either steal money or information. That’s just part of the game. The exception to this would be hackers who hack for political reasons. However, according to the survey, money is the main motivation for most hackers.
How do they feel about that? 48% feel that hacking is either neutral or always good. Only 3.9% believe that hacking is always bad. It is not clear from the statistics if certain types of hacking are considered better than others on the morality scale.
What vulnerabilities are the easiest to exploit?
Actually, the question was along the lines of which security tool was least effective. The study found that hackers thought that password protection of documents was the least effective security tool. The top 5 least secure tools (most easily circumvented) were agreed upon by over 80% of these hackers. Here is that list.
It’s somewhat surprising that face recognition made the list as it is a relatively new tool. However, in early September, Samsung facial recognition was reportedly hacked with Facebook photos. In defense, Samsung did include a disclaimer for their facial recognition software, saying that “your phone could be unlocked by someone or something that looks like your image. Face recognition is less secure than Pattern, PIN, or Password.” Something that looks like your image? Would it be fooled by holding up an artichoke? Yeah, this seems pretty insecure to me.
MDM stands for ‘mobile device management’. It is a term that describes the policies corporate or institutional IT departments implement to protect the network from mobile devices connected to it. Apparently, hackers find such policies easy to circumvent, which should be bad news to these enterprises. Access controls may be physical or digital and their purpose is to limit who can use what resources. Hackers often circumvent these by infiltrating a connected endpoint (smartphone) and enabling administrative rights.
What is the best way to infiltrate a network?
To many in the cybersecurity business, the answer to this question will come as no surprise. Almost 60% of hackers admit that phishing is the best way into a network. Phishing exploits the human component, which has always been found to be the weakest point in any network. Appealing to the basic human emotions of greed, romance, sex, or fear can induce an emotional human to open an email that a logical human would never open. (See my post on Phishing with Naked Women and Romantic Lures.) A recent survey of executives, IT managers, and other cybersecurity experts found that 74% of them agree that employees are the most likely source of a criminal attack. The only thing preventing phishing from being far more deadly than it already is is the notable lack of social skills possessed by most hackers. It’s their own social ineptness that often exposes them as hackers.
Malware came in second among hackers as a way to infiltrate a system, but this is somewhat misleading, as most malware is introduced through an initial phishing attack. However, other ways of delivering malware exist, such as bundling it with a trusted app and putting it on the Google Play Store.
Since these first two methods of infiltration account for over 85% of all infiltration techniques, IT departments should focus primarily on them rather than more obscure vectors.
What network blind spots are the easiest to exploit?
All corporate or institutional networks do their best to plug all possible holes, but, invariably, they will always overlook a few until they are successfully hacked. It is why some enterprises pay for the ‘privilege’ of being hacked by a competent hacker in what is known as ‘pentesting’.
So, the list basically sums up what vulnerabilities a hacker looks for before beginning an attack. Respondents could choose more than one category. Here is the chart.
Notice the concentration on endpoints, such as smartphones. Almost every hacker (97.6%) looked for blind spots/vulnerabilities involving endpoints that were either poorly managed or poorly protected. Clearly, IT teams have to find better ways to secure this weak point.
There is a good reason why some enterprises don’t have their software updated instantly. In fact, the larger the enterprise, the more difficult it is for it to keep its systems updated. Software or system updates usually aren’t implemented until they’ve been tested, because some updates may cause unpredictable behavior when installed on a network. But this testing takes time, and it is during this testing period that a network is vulnerable to attack. Hackers know this and will often attack corporations as soon as they analyze the updates, hoping to get malware installed before the security hole is closed. Updates take place to repair security flaws, and the explanation that accompanies an update details those flaws, meaning that hackers are handed a known attack vector. Although not as effective as a zero-day attack, in which an unknown security flaw is used to attack a network, these so-called one-day attacks succeed more often than one might think.
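The exposure window described above, the gap between an advisory being published and the fix actually reaching every host, is something an IT team can measure rather than guess at. The following script is an added example, not code from the original post or from Bitglass; it cross-references a constructed host inventory against constructed advisories (the product names, version numbers and advisory IDs are placeholders) and ranks hosts by how many days they have sat unpatched, flagging any that have exceeded the team's agreed testing window as overdue. It generalizes the post's point to any number of products and advisories.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, NamedTuple, Optional


@dataclass(frozen=True)
class Advisory:
    """A published fix: which product/versions it affects and when it went public."""
    advisory_id: str            # placeholder ID, not a real advisory
    product: str
    published: date             # day the flaw became public knowledge
    affected_versions: FrozenSet[str]
    fixed_version: str


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    is_endpoint: bool           # laptops/phones vs. servers


class Finding(NamedTuple):
    host: str
    advisory_id: str
    exposure_days: int
    status: str                 # "overdue" or "in-test-window"


# Constructed sample data (hypothetical products, versions and hosts).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "widgetd", date(2017, 8, 25),
             frozenset({"2.3", "2.4"}), "2.5"),
    Advisory("ADV-EXAMPLE-002", "mdm-agent", date(2017, 9, 12),
             frozenset({"1.0"}), "1.1"),
]
HOSTS = [
    Host("laptop-01", "widgetd", "2.4", True),
    Host("server-01", "widgetd", "2.5", False),   # already on the fixed version
    Host("phone-07", "mdm-agent", "1.0", True),
    Host("laptop-02", "widgetd", "2.3", True),
]
TODAY = date(2017, 9, 15)                         # constructed "current" date


def exposure_days(advisory: Advisory, host: Host, today: date) -> Optional[int]:
    """Days the host has run a publicly known flaw, or None if it is not affected."""
    if host.product != advisory.product:
        return None
    if host.version not in advisory.affected_versions:
        return None
    return (today - advisory.published).days


def triage(hosts: List[Host], advisories: List[Advisory], today: date,
           max_window_days: int = 14) -> List[Finding]:
    """Rank every (host, advisory) exposure, longest first.

    max_window_days is the testing window the organisation accepts before a
    fix must be deployed regardless; anything beyond it is flagged overdue.
    """
    findings: List[Finding] = []
    for adv in advisories:
        for host in hosts:
            days = exposure_days(adv, host, today)
            if days is None:
                continue
            status = "overdue" if days > max_window_days else "in-test-window"
            findings.append(Finding(host.name, adv.advisory_id, days, status))
    # Longest exposure first; tie-break on host name for stable output.
    findings.sort(key=lambda f: (-f.exposure_days, f.host))
    return findings


def overdue_endpoints(findings: List[Finding], hosts: List[Host]) -> List[str]:
    """Endpoint hosts (the blind spot the survey highlights) that are overdue."""
    endpoint_names = {h.name for h in hosts if h.is_endpoint}
    return sorted({f.host for f in findings
                   if f.status == "overdue" and f.host in endpoint_names})


if __name__ == "__main__":
    for f in triage(HOSTS, ADVISORIES, TODAY):
        print(f"{f.host:10} {f.advisory_id:16} {f.exposure_days:3d}d  {f.status}")
    print("overdue endpoints:", overdue_endpoints(triage(HOSTS, ADVISORIES, TODAY), HOSTS))
```

Run as-is to see the ranked table; in practice the two lists would be loaded from the asset inventory and a vendor advisory feed. The useful design choice is that the window is a policy input: shortening `max_window_days` for endpoints and lengthening it for servers that genuinely need regression testing reflects where the surveyed hackers said they look first.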
Note also that data in the cloud is considered a blind spot. Many firms have the mistaken belief that their troubles are over when they store data in the cloud. It is basically passing the security buck to those who manage the cloud service. Hackers, apparently, aren’t convinced that the cloud is so safe.
The one overriding conclusion that can be drawn from these statistics is that IT departments have their work cut out for them. Any solution that can lower the burden on corporations or institutions in managing endpoints will be welcomed. Some newer solutions have appeared which allow endpoint users to be careless without this behavior affecting the network, but most enterprises keep trying to implement tired, time-worn, and frequently compromised policies, and, in such an environment, we can all expect to hear about hackers breaching more and larger networks. Government networks, it appears, will be the most vulnerable if the statistics given above are true. Their sheer size, outdated operating systems, and slow response to updates leave them in a continuous state of vulnerability. In short, fearing neither moral nor physical consequences and possessing predictable access to porous networks, hackers will continue to practice their increasingly complex skills and keep IT teams perpetually on the back foot.