Ty Cobb | Owner and Principal at Cobb Solutions | 29 June 2017
If I want to get into your servers and have access to everything you have, I just need to make a phone call. . . .
I’m just finishing reading an excellent book, a biography of the world’s most famous hacker. If cybersecurity is a field you have an interest or investment in, you’ll want to have this book: Ghost in the Wires (free Audible copy here if you don’t have an Audible account). I’d heard that cybersecurity often overlooks the human factor, but, as it turns out from the best of the best, hacking is far more about social engineering, or social hacking, than about actual computer programming and penetration testing.
In Ghost in the Wires, Kevin Mitnick describes in detail his many escapades where he overcame a block getting into the major phone companies, the Department of Motor Vehicles, state government offices, or large private firms just by making a call into the target organization to get the information he needed! He would research to discover the name of someone senior in the organization who worked in a different office location than the one he was targeting. Then he would phone in posing as that VIP, demonstrating enough knowledge to be credible, with a request that seemed reasonable. Most hacks would be something like, “Hi Gerry, this is (insert superior position in the company) Jeff Tilman from (another office location). I’m in the field and don’t have what I need to get (insert specific need) done. Can you help me out?” Because people want to help, are respectful of people in superior positions, and heard enough info that sounded right and was said with confidence, they would give out passwords, intellectual property, access codes, or even tell Kevin how to get what he wanted. Amazing, right?
Which is why Cybersecurity still sucks.
In 2016, of all the data breaches in U.S. business, 60% were initiated by an insider. That means no matter what hardware or software your system employs to protect your average company against cybersecurity threats, you are only about 40% effective. It’s not that your employees have to be upset to instigate a cybersecurity breach (though, as we know, this occasionally happens); they just have to be friendly and untrained on how to protect the company. A majority of U.S. employees would fall into this category. Mitnick describes a number of occasions when he did not get what he wanted on his first attempt; he’d simply call back at a different time and work on a different person. Very few times was he ever foiled.
That’s why there is a growing demand for help from companies such as Mitnick’s company Mitnick Security, Counter Intelligence Security, and The Raven Group. These companies recognize the 40% you already have covered but can help your company understand, prep for, and prevent the 60% chance – and the more likely way – your company will be undermined. A thorough program of hacking and malware prevention must include a complete evaluation not only of your servers, but who in your company has access to what sensitive information.
A top Account Executive from one of the top three IT resellers in the Americas told me that her customer’s U.S. president (of an electronic chip manufacturer) quipped that he didn’t worry about his intellectual property. He said this after cutting his IT department from 200 to 15 IT engineers. The AE then went on to tell me that her own company gave her easy access to far too many of its own systems, which made her nervous.
For those of you who use AWS, according to one of their promoters, even Amazon is not protecting your servers unless you check all the right boxes when setting up your AWS agreement, and then only covering your 40% which is your software and data.
The solution today is to get a full check-up. Use a company that does this for a living – one that assesses your people, your business partnerships, and your current security solutions, and can design a program for you to plug all your holes. Find a company that can find all your security risks.
They should be able to solve these types of problems too. Check out these links.
The Raven Group is a corporate counterintelligence consulting firm that helps companies protect their data, systems, trade secrets, intellectual property (IP), employees, and reputation. Raven’s consultants, former CIA Intelligence Officers and Federal Law Enforcement Special Agents, have spent a lifetime protecting our nation from threats of every kind and are second to none. Let us bring that expertise to your company.
Raven’s defensive intelligence services are unsurpassed. The best defense is a good offense!