From the movies, people have images of a dark room full of computers with one or more people doing incomprehensible things. While this creates something visual and exciting for the movies, it is not the reality. The idea that some genius has a bag of secret tricks to get through the firewall of a big company is a plot device for a story. In the real world it is some fairly simple tricks that rely on people not knowing what to look for, or knowingly ignoring the security policy of their company because they don’t believe there will be a problem. News stories often contribute to this perception by using terms like “Sophisticated hacking tools” when they haven’t actually researched the topic.
Going through the firewall is usually not easy. After all, it is designed to stop attackers. It is like the front door to a building that has all of its locks, alarms, and maybe a security guard. If you wanted to get in, why would you go that way? Find the back door with the sticky lock instead, or come up with a plausible reason that someone will let you in.
So how do they really get in?
Email: Possibly the most common method. “Click on the link”. It might pretend to be from your bank, a friend, customer, or agency, something to give it credibility. Often there is some claim of urgency, but it can also be as simple as “Take a look at” this document. The user gets tricked into executing something with their user privilege. Once that is done, other software is installed to further enable control. This could be something like cryptolocker, a backdoor to allow access, software making your computer part of a botnet, or a RAT (Remote Access Tool). Data could be stolen or damaged at this point, or your computer can be used as part of a larger attack. Don’t click on the link. It may be convenient, but at some time it will be used against you.
Malicious web pages: These could be comical things, free giveaways, streaming media or other types of “Candy” to attract people. They range from seemingly harmless things to decidedly bad neighborhoods such as porn sites. People laugh and deny that they would do such a thing at work, but I have seen the data streams; there is a lot of porn being browsed at work. Screening which sites are OK and which are not can be very complex. Sometimes you can find a warning about the site, but for the most part it is just better to stick to the sites that are needed for business.
Software install sites are also a huge contributor. Even if it is a legitimate software package, there are often extra “tools” being installed along with it. The problems created are not necessarily evident immediately, so someone saying they “use it at home” is not usually sufficient testing. Better to leave software installs to qualified IT people. Software tools, drivers and programs are usually established by a company.
Popups: “A virus has been detected”, “Something is wrong with your computer”, just click or call here to fix it. Do not click, call, or install anything. Do not give some stranger your credit card number, or let them into your computer. Call your IT technicians.
WiFi access points: Frequently unencrypted, or passwords are given to a lot of people. Poor isolation from the network provides a way to bypass the firewall, and even to monitor network traffic such as passwords.
Insider exploits: Everyone wants to believe that the people they work with would not steal or vandalize anything, but it happens, frequently. This could be a disgruntled or terminated employee erasing or stealing data. It could also be things that people do thinking it isn’t really a security problem. Unauthorized equipment or software plugged in can be a problem. Shared passwords mean no control or accountability for actions on the network. Users with too much access can lead to problems, both deliberate and accidental.
Weak passwords: There are people who think that nobody will guess that their password is “password”, or that it is their user name. If they add a number, it is usually 1, 01, or 99. Many office workers use grandchildren’s or pets’ names. It is also common to use zip codes, phone numbers, or addresses. There is software to guess possible combinations of these, and they are not as hard to guess as people think.
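The patterns listed above can be rejected at the moment a password is set. The check below is an added example, not part of the original article; the word list, the user profile and the function names are constructed for illustration.

```python
import re

# Constructed word list for the example; a real deployment would load a larger one.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}

def core_word(password):
    """Lower-case the password and drop digits/punctuation at either end,
    so 'Password01' and 'password' compare equal."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())

def digits_only(text):
    return re.sub(r"\D", "", text)

def weak_password_reasons(candidate, username, personal_tokens=()):
    """Return the reasons a candidate matches the guessable patterns above.
    An empty list means none of these patterns matched."""
    reasons = []
    core = core_word(candidate)
    if core in COMMON_WORDS:
        reasons.append("common word")
    if username and core == username.lower():
        reasons.append("user name")
    for token in personal_tokens:
        number = digits_only(token)
        if len(number) >= 5:
            # ZIP codes and phone numbers: compare digits, ignoring separators.
            if number in digits_only(candidate):
                reasons.append("personal number")
        elif len(token) >= 3 and token.lower() in candidate.lower():
            # Names of pets, grandchildren, streets.
            reasons.append("personal name")
    return reasons

# Constructed profile for a hypothetical user "jsmith".
PROFILE = ["Rex", "Emma", "90210", "555-867-5309"]

def demo():
    samples = ["Password01", "jsmith99", "rex1", "Emma90210",
               "5558675309", "tundra-kettle-orbit-41"]
    return {pw: weak_password_reasons(pw, "jsmith", PROFILE) for pw in samples}

if __name__ == "__main__":
    for pw, why in demo().items():
        print(f"{pw:24} {'REJECT: ' + ', '.join(why) if why else 'no pattern matched'}")
```

An empty result only means none of these specific patterns matched; it is not a measure of password strength.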
Bait services: When you sign up for a service, they have a username, password, and your IP address. Was the information you used the same as for your local or other services?
Notice that all of these have something in common: they are not using huge computers or “sophisticated” software. They use simple tricks. Nobody should think that they are too insignificant to be a target. People have made millions encrypting the data files of average people. The goal may be to use your computer or email. It might be to steal your bank info, credit card, or other information. Small bits of data may lead to other pieces, constructing something larger and more dangerous. From large companies like Equifax, to the corner restaurant, and even your home computer, all systems are being attacked, constantly. Steps like firewalls and virus scanners are essential, but user security training is also an essential item, as is having IT technicians who are trained in security as well. Many security steps are skipped due to lack of knowledge, cost, or convenience.