The Weakest Link: How Malicious Hackers Break into the Most Secure Organizations
March 28, 2013
Apple, Facebook, Twitter, LinkedIn and Microsoft are a few of the big players to recently report incidents of malicious software infiltrating their networks. Each of these companies uses sophisticated intrusion detection and prevention systems (IDPS) to stop malicious activity from damaging the organization, so how are attackers getting past these systems with such ease? The answer is simple: rather than attacking the perimeter head-on, they go around it through the weakest link, an organization’s unsuspecting employees.
The Usefulness of Pen Testing and Social Engineering
Through a combination of penetration-testing reconnaissance and social engineering tactics, employee email addresses are harvested and seemingly legitimate messages, tailored to the recipients’ interests, are sent to them. Once opened, the email contains links or attachments that send the unwitting employee to a spoofed page requesting login credentials, or that deliver malicious code directly. Either way the attacker gains the access needed to cause further damage. The spoofed page is a phishing site, not a man-in-the-middle or cross-site scripting attack: it imitates the real corporate login page closely enough to fool an unsuspecting end user, and because the victim types the credentials in voluntarily, no flaw in the genuine corporate site is required.
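The spoofed-link lure described above leaves recognizable traces in the message itself: the visible link text does not match the real target, the target sits on a domain that merely contains the company name, or the real company name has been altered by a character or two. The following Python script, added here as an illustration and not taken from the article or any vendor product, extracts every link from an HTML email body and reports those signs. The corporate domain `example-corp.com`, the sample email and the link-checking rules are all assumptions for the example, and `registered_domain` is a deliberate simplification that does not consult the public suffix list.

```python
"""Flag phishing indicators in the links of an HTML e-mail body (example code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed corporate domain; a real deployment would load this from configuration.
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample message: three links, two of them typical phishing lures.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full.
<a href="http://example-corp.com.login-portal.net/sso">Sign in</a> to upgrade.</p>
<p>Or visit <a href="https://examp1e-corp.com/">https://example-corp.com/</a></p>
<p><a href="https://intranet.example-corp.com/helpdesk">Help desk</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Simplified: last two labels (ignores multi-label suffixes such as co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def normalize_lookalike(host):
    """Undo the commonest digit-for-letter substitutions used in typosquats."""
    return host.lower().replace("1", "l").replace("0", "o")


def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """Return one finding per link; an empty 'reasons' list means nothing suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme != "https":
            reasons.append("non-https")
        if registered_domain(host) not in trusted:
            reasons.append("untrusted domain")
        # Visible text that itself looks like a URL must agree with the real target.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(shown) != registered_domain(host):
                reasons.append("link text domain differs from target")
        # Trusted name embedded in, or imitated by, a different registered domain.
        for t in trusted:
            base = t.split(".")[0]
            if base in normalize_lookalike(host) and registered_domain(host) != t:
                reasons.append("lookalike of " + t)
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Only the links that tripped at least one rule."""
    return [f for f in analyze_links(html, trusted) if f["reasons"]]


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL):
        print(finding["href"], "->", finding["reasons"] or "ok")
```

Run against the constructed message, the first link is flagged as non-HTTPS, on an untrusted domain and a lookalike of the corporate name; the second is flagged because its visible text advertises the real domain while the target is a digit-for-letter typosquat; the intranet help-desk link passes. The same checks are what a mail gateway or user-awareness tool applies before a message reaches the inbox, and what a trained employee applies by hovering over a link before clicking it.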
This type of attack succeeds so easily because it lets someone already inside the organization carry the malware through the secured perimeter. The social engineering itself reports high success rates because employees are not trained to recognize the tactics attackers use, and the lures appeal to basic, instinctive aspects of human nature: curiosity, urgency and trust in a familiar name. Partly for this reason, U.S. companies in 2012 experienced 102 successful cyber-attacks per week, at an average annual cost of $8.9 million per organization. These numbers are predicted to rise in 2013 unless more significant strides in cyber security are made.
Despite the use of firewalls and anti-virus software to block malicious code, corporations are still being infiltrated through social engineering, because those controls inspect traffic and files, not the decision an employee makes when a convincing message arrives. The remaining defence is educating employees on the signs of social engineering and the tactics attackers use. Training courses such as EC-Council’s Certified Secure Computer User (CSCU) help educate an organization’s end users and give them insight into how a malicious hacker thinks, so that they make less trusting and better informed decisions. Only by training and strengthening the weakest link will companies begin to make real strides in preventing cyber-attacks.