It’s a typical morning at a leading health care clinic. Nurses are buzzing about, doctors are making their rounds, patients are dining on their choice of oatmeal, scrambled eggs, or toast and jam. In between replenishing supplies and checking vitals, a nurse receives an email from HR with a holiday schedule update and a link taking her to a chance to be one of 15 lucky winners of a Fitbit.
Woohoo, she thinks. Holiday season is starting off right.
Except the email isn’t really from HR. It’s from Kevin Mitnick and his team, who were hired to conduct penetration testing to identify holes in the organization’s security ecosystem. And the link she clicked to take her to the entry form also fired off a macro document that deployed and installed malware on her computer.
The damage didn’t stop there. Once Kevin’s team was able to hack the victim’s workstation, they continued with a multi- step technical exploitation process that yielded administrative rights across the entire domain within days.
“We gained access to everything,” Mitnick says. “All financial records, all patient records, everything. And we were there for two months before they detected us.”
Four ways a hacker can break into your systems right now, and what you should do about it. Via @kevinmitnick
That’s because the organization had what Mitnick calls, “M&M Security,” as in hard and crunchy on the outside, which makes it difficult to get in, with nothing internally to prevent lateral movement.
“Too many companies focus their security efforts on keeping outsiders out, but don’t include the due diligence of ensuring proper configuration, password and patch management,” Mitnick says. “It’s critical to have a security expert evaluate your environment to ensure best practices and security controls are implemented within your environment. Whether you use in-house security experts or outsource the service, have them evaluate your environment to identify your weak links.”
Let this be a lesson for all industries. Attackers use the same methods, whether they’re attacking a financial institution, a government agency, a corporate entity or a retail mall.
Every industry vulnerable
Mitnick and his team are currently testing a North American retailer that uses a cloud service for processing payroll.
“Let’s call it payroll.com,” he says. “This particular company is headquartered in a different country. Let’s say Mexico.”
The payroll company only bought and registered payroll.com, so Mitnick bought the domain payroll.mx and set up a clone of the real payroll site.
“It looks exactly the same,” Mitnick says. “All we had to do was call the payroll administrator pretending to be IT, asking him to go to payroll.mx to log in because the cloud provider wanted customers to use their country domain for expediency, as the servers would be closer in geographical proximity.”
The administrator had no reason to doubt anything – the site looked exactly like the site he was used to. “We were able to deploy a SSL certificate for the fake site, enabling us to gain trust and credibility,” Mitnick says. So, the administrator followed along. Mitnick then prompted him to enter all his credentials, which he did.
“In that instant, I had full administrative access to the payroll for the entire company,” Mitnick says.
It took less than 10 minutes.
Learn more about cybersecurity
Insights on Data Protection on Xerox.com.
More articles about security on this blog.
Also, be wary of the physical break-in
Mitnick and his team also do physical security testing, pinpointing ways bad actors can bypass access card security controls to get inside a customer’s facilities. For example, one client had fingerprint readers for building access.
“In this case, the readers were not properly configured with a tamper switch, so we had the opportunity to take the reader off the wall and install a malicious hardware implant,” Mitnick says. “Then, when legitimate employees signed in with their biometrics, we were able to connect via Wi-Fi with our mobile phones and replay the data to open the door. Once we gained access to the building, we gained the ability to compromise laptops and workstations.”
The cybersecurity landscape is filled with organizations that have been hacked like that. There is no computer, no IoT device, no reader that cannot be hacked. In fact, the smarter the refrigerator, the thermostat, the lighting, the more vulnerable it is.
Or, as Mitnick likes to say, “The more complexities built into the technology, the more vulnerabilities.”
So, what is one to do?
Be proactive vs. reactive
Understand the threats that you face as a business and a consumer, and know how to mitigate the risk as much as possible.
“The first step is doing a risk assessment of your environment,” Mitnick says. “Look at what could be considered the low-hanging fruit, then employ security controls to mitigate risk,” he says. But the best advice, he adds, is to get a security expert internally or externally to deploy best security practices.
“Hire someone to do penetration testing. Get an accurate snapshot of your security. Discover where your security controls fail, and then, once you do this exercise, have the road map for what you need to do next; what steps you need to take to secure your environment.”
Train your people to stop, look and think
Every organization is a potential victim of social engineering attacks that could appear to come from a supplier, a vendor, a customer or an internal employee.
“Educate and train your people to recognize them by using the same sources and methods the adversaries use,” Mitnick says.
He suggests you consider using a company like KnowBe4 to conduct simulated phishing to inoculate your organization against the real bad guys.
“The goal is to train users to make smarter security decisions, and to stop, look and think before clicking a link or opening an attachment or giving out sensitive information.”
Final words of advice: Assess your situation. Do your homework. Remember that we’re all in this together. And last, find partners you can rely on who take your security as seriously as you do.
6 Steps to Mitigate Security Risks in 2018.
Be proactive rather than reactive. Keep up to date with recent security threats that could affect your business.
Understand the threat facing you as a consumer and in your business. Get a snapshot of your security and mitigate the risk to the highest degree possible.
Do a risk assessment of your environment. Set up a pen testing schedule and consider using a bug bounty to reward people who report security vulnerabilities on your internet- facing website and/or any of your company’s external network resources.
Make sure your operating system is up to date. For example, if you’re running Windows 7, even if you have all the patches for the latest security flaws, you will never have the level of security features that Windows 10 has.
Employee security awareness training. Test to see if they fall for a phishing attack.
Secure all internet-facing websites and network services, including cloud services, and make sure that remote access requires two-factor authentication.
From the editor: Kevin Mitnick (left) is the world’s most famous hacker, bestselling author, and the top cybersecurity speaker. Once one of the FBI’s Most Wanted, he is now a trusted security consultant to the Fortune 500 and governments worldwide. His books include “The Art of Intrusion: The Real Story Behind the Exploits of Hackers” and “Intruders and Deceivers and The Art of Deception: Controlling the Human Element of Security,” which are mandatory readings for security professionals. His autobiography, “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker,” was a New York Times best seller, and his latest work, released in February 2017, is a groundbreaking book on privacy, “The Art of Invisibility.”