
Cybersecurity
How to Hack Any Organization by Understanding the Weakest Link – The Human Element


Timothy C. Summers, Ph.D.



On Tuesday, April 7, the news media reported that the White House, home to the most powerful family on Earth, was hacked and that foreign spies were the likely culprits.

Experts claimed that the attack started with a targeted phishing email, where a foreign agent was able to trick at least one American government worker into unwittingly opening the door for hackers who would soon after expand it into a major breach. Based on reports, this breach resulted in the exposure of the President’s personal calendar and whereabouts. Security experts close to the White House are accusing Russian hackers of the cyberattack. Some are calling this the latest high-profile attack to come to light.

Understandably, the details surrounding the incident are scattered and unclear. According to sources at the White House, there was no real harm since the hackers were unable to breach classified networks. In fact, the White House Press Secretary, Josh Earnest, was quoted as describing the attack as a simple “inconvenience”. As much as the White House wants to minimize the situation, the fact still remains that someone gained unauthorized access to important systems that contain sensitive but unclassified information. As ZDNet Government writer David Gewirtz suggests, “An unclassified system breach can be as bad as a classified breach.”[1] The official response to the situation sounds similar to the ones we’ve heard before, where the administration describes the importance of cybersecurity and its dedication to improving our national cybersecurity posture.

In order to make these improvements, the administration and its abundance of experts have to address the problem at the core of this breach. That problem is the human element.

A recent study conducted by the IT trade association CompTIA found that human error is the root cause of 52% of all security breaches[2]. The study suggests that “the main reason that companies exhibit a low level of concern over human error is that it is a problem without an obvious solution.” One could argue that this problem could be addressed with a sizable investment in training. The study goes on to note that only 54% of companies offer some form of cybersecurity training, with the most common formats being new employee orientations or annual refresher courses.

Many of the companies that participated in the study attribute their lack of cybersecurity training to: (1) not having a sufficient budget; (2) being unsure where to find the appropriate security training; and (3) being unsure of which training is the most effective.

It’s doubtful that the White House would use any of these reasons not to provide cybersecurity training to its personnel. In fact, one would think that the White House contributes a sizable investment to training its staff not to open malicious emails. But what about partners and affiliates?

How Hackers Think

In order to truly understand your organization’s risk posture, you must understand how hackers think.

If a skillful hacker is interested in hacking your organization, or the White House for example, he or she is not going to take the most direct or expected route. Hackers are lazy and will look for the easiest approach. What do I mean by this? A hacker is more willing to string together multiple easy exploits, or low-hanging fruit, than to try to go through the heavily guarded front door.

Being a skillful hacker is not always about how well you know a particular protocol or knowing how to code in the most popular programming languages. Of course, these things can help and it is not my intent to imply that they are not important in the hacker’s repertoire; however, an effective hacker must be able to examine a system, spot the weak points, and then conceive of creative ways to exploit those weak points.

In the case of the White House, the hackers realized that instead of hacking the White House directly, they could target someone at a partner organization and use them as a backdoor. According to an article from CNN[3], “To get to the White House, the hackers first broke into the State Department.” The article went on to state that “the State Department computer system has been bedeviled by signs that despite efforts to lock them out, the Russian hackers have been able to reenter the system.”

The hackers used a phishing attack to penetrate the system. By now, most people have heard of phishing, but for those that are still in the dark, phishing is a specific attack methodology employed by hackers, usually black hats, to acquire sensitive information such as usernames, passwords, and other useful information by masquerading as a trustworthy entity via some form of electronic communication. Most people have received an email claiming to be from the family of a Nigerian prince whose money is trapped in a bank, or from a friend who was supposedly travelling overseas, has lost their passport, and now needs you to send them some money to help out. Those are phishing emails.

You may think that there’s no way that someone would fall for this, but you would be wrong. Back in 2014, Google conducted a study to examine the effectiveness of phishing and found that some phishing emails can achieve a hit rate of 45%[4]. The study also noted that even the most obvious scams can get clicked by at least 3% of the users that received it. These numbers may not seem very high; however, if all you need is one person to click a link that opens up a door to some of the most coveted information in the world, it is actually quite high.
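To put numbers on the point above, here is an added Python example, not part of the original article, that applies the page’s own figures (a 45% hit rate for effective phishing emails, 3% for obvious scams) to a group of recipients: it computes the probability that at least one person clicks, the expected number of clicks, and the per-person click rate a training program would have to achieve to keep that probability under a chosen tolerance. The recipient counts and the risk tolerance are assumed for illustration.

```python
"""Why a 3% click rate is "actually quite high": at-least-one-click risk.

Added example; the 45% and 3% click rates come from the article's summary of
Google's 2014 phishing study. Recipient counts and the risk tolerance used
below are assumed for illustration.
"""


def p_at_least_one_click(click_rate: float, recipients: int) -> float:
    """Probability that at least one of `recipients` clicks, assuming each
    recipient clicks independently with probability `click_rate`."""
    if not 0.0 <= click_rate <= 1.0 or recipients < 0:
        raise ValueError("click_rate must be in [0, 1] and recipients >= 0")
    return 1.0 - (1.0 - click_rate) ** recipients


def expected_clicks(click_rate: float, recipients: int) -> float:
    """Mean number of people who click (a rough size of the clean-up job)."""
    return click_rate * recipients


def max_tolerable_click_rate(recipients: int, risk_tolerance: float) -> float:
    """Largest per-person click rate that keeps P(at least one click) at or
    below `risk_tolerance`; the target a training program would need to hit.
    Solves 1 - (1 - p) ** n <= t for p."""
    if recipients < 1 or not 0.0 < risk_tolerance < 1.0:
        raise ValueError("need recipients >= 1 and 0 < risk_tolerance < 1")
    return 1.0 - (1.0 - risk_tolerance) ** (1.0 / recipients)


def exposure_table(recipient_counts=(1, 10, 100, 1000)):
    """Rows of (recipients, click_rate, P(at least one click), expected clicks)
    for the two click rates the article cites."""
    rows = []
    for n in recipient_counts:
        for rate in (0.45, 0.03):  # effective phishing vs. obvious scam
            rows.append((n, rate, p_at_least_one_click(rate, n), expected_clicks(rate, n)))
    return rows


if __name__ == "__main__":
    print(f"{'recipients':>10} {'click rate':>10} {'P(>=1 click)':>13} {'E[clicks]':>10}")
    for n, rate, p, e in exposure_table():
        print(f"{n:>10} {rate:>10.0%} {p:>13.1%} {e:>10.1f}")
    # Assumed scenario: a 100-person department and a 50% risk tolerance.
    # Training would have to push the click rate below roughly 0.7%.
    print(f"max tolerable rate for 100 people at 50% risk: "
          f"{max_tolerable_click_rate(100, 0.5):.2%}")
```

Even the “obvious scam” rate of 3% gives better than a 95% chance of at least one click once 100 people receive the email, which is the point the paragraph makes.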

Research conducted at Carnegie Mellon University in 2010[5] found that women are more susceptible than men to phishing. Even more specifically, the study found that women between the ages of 18 and 25 were the most vulnerable.

Using the facts and data presented here, I am going to walk you through some of the ways that a hacker could get into your organization, national political campaign, newsroom, or even the White House.

*The author does not have specific knowledge related to the White House or State Department hack, nor does he suggest that anyone attempt the following activities for unauthorized or unlawful entry into any systems.*

The Hacking Process

Let’s say that we are specifically interested in gaining access to a specific person like an executive at an organization or within a national political campaign. A skilled hacker recognizes that all organizations are a collective of human beings, meaning that they all have the same weakness. That weakness is that they all have a human infrastructure. As we’ve seen with recent and past cyber breaches, the human element is the weakest link in any organization’s security posture.

Back to our executive. For fun, let’s call her Cillary Hinton and let’s assume that we want access to her because she has access to something that we want. She’s just a pawn on our chess board. We are going to take a targeted approach to reaching her through information gathering and profiling.

Let’s also assume that she’s a heavily protected individual or someone that’s hard to reach. This means that there are gatekeepers around her. Gatekeepers are the people who handle things for Cillary and act as filters. Keep in mind that the more powerful an executive is, the more gatekeepers they will have. For the sake of this example, the gatekeepers will be our targets. We know that if we get access to the gatekeepers, we can get access to our ultimate target, the executive. Also, we know that Cillary Hinton probably has an executive assistant or two that have access to almost everything. In addition, according to the most recent U.S. Census data, executive assistants are typically women.

So what do we do? Well, there are a couple different ways that we could approach this situation, but for this example, let’s start by using a social profiling technique that can be effective for mapping out an attack route. Typically, we would gather as much information as possible and then put together a profile, but this depends on how much time we have and how much fun we want to have with the situation. Let’s just say that we want to find out as much as we can about Cillary and her executive assistant.

If she’s someone at a public organization, we could call the organization and ask to be connected to Cillary Hinton. The operator would likely put us through to Cillary’s assistant or someone connected to her. Of course, we could just ask the operator for the name of Cillary’s assistant. There’s no harm in that, right? So, we find out that the assistant’s name is Amy Johnson. We ask for Amy’s email address but the operator doesn’t have it. Instead, we go onto the corporate website and do a search for Amy Johnson, only to find that her email is Amy.Johnson@CillarysCompany.com. Guess what?! There’s also a picture of Amy in the company directory. We grab that picture and do a Google Image search, like the one they use on the Catfish show, to see where else Amy comes up on the Internet. Well, Amy is like a lot of women between the ages of 20 and 50 and she has a Facebook page. Now, we have a pretty effective list of her friends and family.

There are a few other things that we could do with Amy’s picture. If we were hackers with resources, like the Russian hackers that may have hacked the White House and State Department, we would refer to some recent research conducted at Carnegie Mellon University where the researchers were able to combine publicly available Internet data with off-the-shelf facial recognition software[6]. They took photos of strangers from dating websites and found other websites where the same photos appeared, because people commonly recycle photos that they already have. Then the researchers grabbed information about the person from those sites and crafted profiles of them. This was all done automatically by software created for the study. As stated by the researchers, “the results highlight the implications of the inevitable convergence of face recognition technology and increasing online self-disclosures, and the emergence of ‘personally predictable’ information”.

Let’s consider another route. We could also use freely available software, like Maltego, to find all of the email addresses linked to Cillary’s company domain (i.e., www.cillaryscompany.com) using Whois information. We then use the same software to search for Cillary’s and Amy’s email addresses to see if they come up on any other websites or URLs. We find that Amy has reviewed restaurants on a review site, like Yelp. In the review, she talks about setting up a dinner meeting for her boss and other executives at the restaurant. The review reveals other nuggets of information that we can use, such as Cillary’s favorite foods, other restaurants that she enjoys, etc. Of course, we could use the same software for lots of other information gathering, but for fun let’s look at another thing.

Let’s do a correlation of Amy’s friends on Facebook with people who come up in the company directory. This will give us some interesting insights into Amy’s social circles at the company. Also, it will let us know other people that we can target to get us closer to Amy and Cillary. We find that 45 of Amy’s Facebook friends also work at the company. But guess what, Cillary is one of them. Of course, her profile is private.

By this point, we’ve only done a few hours’ worth of information gathering and profiling. Based on the information that we collected, we have a pretty solid profile of Cillary and of who to target to get access to her. So, we could do some spear phishing, where we send malicious emails to Amy and her friends and colleagues. The goal is to get them to click on something that either gives us access to their system or yields information that gives us access to their account. Remember the statistics that women between certain ages are more susceptible, so we could focus our spear phishing on people who are in that demographic.

But most importantly, we know exactly who to target, how to target them, and we haven’t had to do anything other than take advantage of the weakest link: the human element.


About Timothy C. Summers, Ph.D.


Timothy C. Summers, Ph.D. is the CEO of Summers & Company, LLC and specializes in organizational design and cyber strategy. He earned his Ph.D. in Management from Case Western Reserve University.

Twitter: @HowHackersThink


Citations

[1] http://www.zdnet.com/article/the-white-house-hack-imagining-a-system-breachs-nightmare-scenario/

[2] http://www.cbsnews.com/news/the-human-element-and-computer-security/

[3] http://www.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/

[4] http://www.digitaltrends.com/computing/phishing-emails-still-surprisingly-effective-reports-google/

[5] http://lorrie.cranor.org/pubs/pap1162-sheng.pdf

[6] http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/
