Billions are spent worldwide on cybersecurity, and that number will increase over the next few years. But there’s one thing that hackers prey on time and again with excellent results: human error.
We wanted to understand how a hacker infiltrates an organization from the inside, so we sat down with one and asked some questions that we’re betting you didn’t know the answers to.
Q: We think of hackers as people sitting in dark and dusty basements trying to tap into security systems and sell data on the dark web. How accurate is this representation?
“While some hackers do fit that stereotype, many hackers are the exact opposite. These are people that live well, do not hide in the shadows, and work to infiltrate companies by literally walking in the front door of any business or office building.”
“That’s kind of true. It really depends on what type of hacker you’re dealing with -- there’s definitely a stereotype.”
“Yeah, if I walked into your office you’d never know that I was a hacker. I blend in completely but that’s kind of what my goal is too.”
Q: Do some hackers walk into a business and hack from the inside, a la James Bond?
“That’s exactly right. When I want to steal information from a business or organization, I spend days or weeks scoping out the front of the building and the employees that may hang around outside for a lunch break or walk to their cars after work. I notice what they are wearing, what they look like, if they are wearing any branded clothing, if they have name tags -- all of those details. I take photos of employees and make lots of notes.”
“Absolutely! People are the biggest weakness in a company (and not just because most employees have no idea what their actual job is!). If I want to know why a company is failing at security or what’s happening on the ground level, I walk into a building and find out.”
“Haha! Maybe not exactly like James Bond but fiction is based on reality...in this case, it’s largely true. We have all kinds of tools that can read anything from an ID badge to mini cameras that record every detail of a conversation. You’ll never know I’m there.”
Q: That sounds kind of creepy! Do you scope the place out before you go? How do you know that you can walk in?
“I want to know exactly how they look and act so I can blend into the company I plan to visit. I bring the photos to my team and they find me similar clothes, the right name tag, etc. We can put any logo patch on any item of clothing and look exactly like the people that work in an office. Sometimes I even copy a hairstyle that’s popular or the way that people talk to each other. We [hackers] can copy every detail precisely -- and that’s important if you want to blend into a workplace.”
“Yes. Of course. If I want to blend into a place that ships products, I will want to look like every other person in the warehouse. You never want to aim for a job too high up either because most people know what their boss looks like (unless the company is huge and then you’d be surprised at how many people do not know what their boss looks like!).”
“Yep. I look at every single detail from afar, take photos, wait in a car a bit away from the place, note the clothes and the gestures and everything else. It’s important to know the entrances and exits too and how to navigate the building’s layout.”
Q: So then what? You show up one morning and walk in?
“Almost. I note which entrances are equipped with security personnel or cameras and find the exits and entrances that have no protection -- believe me, there is always one door that is open and accessible. That’s the door I use. From there, I wait for someone to open the door or go on a lunch break and join in the conversation. Many times someone has held the door open for me!”
“You’d be surprised at how often that’s actually true. I can walk into most places and either just blend in by joining a lunch break crowd or fumble my way through security with a name tag and a story.”
“Yeah, it’s crazy how simple it is!”
Q: Once you’re inside, do you look for a computer or server room and start hacking?
“No. I hang around for a few days, visit common rooms, pretend I’m a special presenter there for a meeting, and bring donuts.”
“Yes! Anything snackable works.”
“Oh, donuts are always a great way to walk into a place!”
Q: Donuts? Why?
“Yes. People never ask questions when you walk into a room with donuts! They are more than happy to talk to you about nearly everything when you have a box of donuts in your hand. I can find out where the server rooms are, where the CEO’s office is -- almost anything. One time, a laptop was sitting in the common room unattended. That made my job much easier.”
“Does anyone turn down sweets or coffee?”
“Cookies work too and those big boxes of coffee! People will say anything if they trust you and often food builds trust. It’s human psychology.”
Q: Where are the weakest points in a company or office?
“It’s not the security guard, it’s usually an administrative assistant or other employee. Most people do not know everyone that works in an office, so they have no idea that I’m not supposed to be there. If I look like everyone else and talk like everyone else, I can blend in quite easily.”
“I am not sure that it’s one person really. An entire company can be weak if they haven’t been trained to spot a hacker or ask questions.”
“Yeah, I’d go with most people -- sometimes even a CEO or other upper management because a lot of times a company will train lower level employees but not management.”
Q: Okay, so obviously, it’s a lot simpler to walk into a company and complete a hack than most of us probably think. What can companies do to prevent these types of hacks from happening?
“The best thing that companies can do is invest in training but it can’t be a one-time thing. Training has to happen consistently and with all employees. Most companies do not bother with upper management or assistants but those people can leak information too.”
“Yeah, the thing is that hackers are constantly inventing new ways to obtain information, so companies that invest in one type of training will inevitably be left behind. If you aren’t keeping up with training and new hacking tactics, you won’t know what hit you when a hacker does walk into your company.”
“I think training is important but it’s also important to be prepared. Know what to ask people you’ve never seen and teach employees that it’s okay to question someone’s presence.”