How My Son Hacked Your Business

When I began my consulting career most of the consultants around me were COBOL coders doing exciting work like coding a custom accounting system for the Grand Trunk railroad. I had just spent four and a half years learning 68000 assembly language, C and hardware communication protocols. Working on the railroad so-to-speak held no interest. Perhaps recognizing this, my firm threw me into the burgeoning new field of computer security. Since I had been a system administrator, I knew about access controls, etc. And I would learn a LOT more. In the late 80s, companies were just beginning to allow dial-up access to their computers, most of which were IBM mainframes. They all needed advice on how to control access to their systems and guard against data loss and data release.

At that time to learn about access control and vulnerabilities you had to attend training or meet with experienced professionals that knew how the systems were designed or at least how to manage the security settings and manage a large system.

All that has changed. My son, who is now a security professional and sometimes works with Redbank, learned everything he needed to know to gain access to your systems online. Just by Googling security vulnerabilities or queries like “recover password Windows 7”. Many of the approaches he can use to gain access to your system don’t even require physical access to the system. Often, he can gain access using phishing to get one of your employees to reveal their credentials. The best part about most of these approaches is that the victim is not aware that they’re a victim.

The motivation of an actual perpetrator determines what they are interested in and what their goal is. We used to think that industrial spying was the primary motivation. That still is, in the case of Chinese hackers attempting to steal technological designs, etc. But far more common is the simple greed motivation. The perpetrator wants to steal something that he or she can monetize quickly without being traced. High priority targets are those that are useful in creating identities for use in setting up fraudulent credit and other credentials that can be used to get cash or goods. This means identity information such as social security numbers, names, addresses, bank card numbers and other account numbers and information.

Lately, the monetization strategy has taken a more direct route. By denying an owner access to their system or information, a perpetrator can demand direct payment, often using untraceable bitcoin to allow the victim to regain access to their system. This strategy only requires a user on the system to execute trojan code depending on the type of system in question. Unfortunately for the victim, this strategy can stop a business in its tracks while the ransom is worked out or the system is restored to an operating state.

So what can you do to keep my son out of your system?

  1. Begin with an open-eyed assessment of your security – physical and information security;

  2. Identify threats not just those discussed above, but everything from natural disasters to disgruntled employees, to accidents – everything;

  3. Evaluate the likelihood and impact of each threat;

  4. Eliminate threats where possible and mitigate the risks when threats cannot be eliminated;

  5. Test your disaster recovery plan and review insurance and other provisions to recover from a disaster should one occur; and

  6. Test. Test your business recovery plan and conduct penetration testing on your physical and information security. These should include testing your employees to vulnerability to phishing and other social engineering type attacks.