It is difficult to read the news headlines these days without finding a story about another high profile hack. Security professionals expect this trend to continue and likely become much worse. As a society, our investment in and dependence on networked computers now permeates nearly every aspect of infrastructure, both in the public and private sectors. This increasing dependence has likewise increased the potential rewards for a successful hack.
To combat this increased risk, organisations and government agencies spend billions every year on Information Security. Training programs, security research, forensic analysis, and sophisticated hardware and software solutions are all implemented in the effort to keep our systems and data safe. And every year, 90% of the successful hackers simply walk right through these defences using social engineering.
How are hackers doing this?
Successful social engineering depends on information. Just as a criminal will case a neighbourhood looking for the most vulnerable house, hackers will research organisations to determine which would be most susceptible to human engineering attacks. Experienced and successful hackers frequently use the data available on the Internet Underground to identify organisations that fit certain patterns. Some of the things they look for are:
- Rapidly growing companies that can't keep up with the demands of growth;
- Ossified management practices or management that is out of touch;
- Revolving doors in upper management, especially IT management;
- High employee dissatisfaction;
- Companies rapidly losing money or being acquired by another organisation;
- Organisations with questionable ethics;
- Organisations that tolerate nepotism or favouritism; and
- Many levels of management and a large bureaucracy.
Finding a target
One successful high-profile hack in recent memory was the November 2014 attack on Sony Pictures Entertainment. Hackers clearly accessed information in the internet underground in order to implement the attack. But anyone with a decent knowledge of the surface web and access to a smartphone could easily have figured out that Sony was a target.
Free mobile apps and websites that provide a company rating service for employees, such as Glassdoor, Vault, CareerBliss, and The Job Crowd, all house databases that can be accessed by anyone. These contain reviews of companies and organisations written by former and past employees of virtually every company in existence. It's an excellent resource for job-hunters, but also a treasure trove for hackers.
Searching Sony Pictures Entertainment on Glassdoor for example, returns nearly 300 reviews. There is enough here, in one database on the surface web, to suggest Sony Pictures Entertainment as a ripe target for a social engineering hack. It doesn't take long for patterns to emerge, and we find several recurring themes that are present — even in reviews that gave the company a good overall rating:
- "Top management is completely unstable";
- "Lots of turnover, layoffs, poor management";
- "Very large organisation with heavy and somewhat limiting business processes";
- "Lots of people are hired based on 'favours' and relationships";
- "Constant restructuring has become the norm";
- "Layoffs have been so frequent over the last five years it leaves an uneasy feeling among employees";
- "Some departments seem exclusive and hire only from their own pool of friends"; and
- "Most unethical and dysfunctional workplace ever!"
Another example is Target, an American retail store that was hacked in December 2013. Of 15,000 reviews on Glassdoor, the same recurring themes of employee dissatisfaction, nepotism and poor levels of company management occur:
- "Senior leadership does not communicate down to middle and lower leadership;";
- "The company is always making changes at the sacrifice of employee satisfaction and workplace morale";
- "Promotions are based on seniority or family ties";
- "You don't get to advance unless you are a favorite";
- "Incompetent leadership. Toxic environment";
- "You literally cannot say one thing without five different levels of superiors hearing about it and reprimanding you";
- "Favouritism. Posting job openings that aren't really open"; and
- "HR will lock the door & hide from problems".
Even the biggest of companies can be targeted
Media companies are attractive targets to hackers for a variety of reasons. Many hackers sympathise with users that have been prosecuted for copyright violations. Others blame the media companies for some of the ills of our society. And anyone can see how much damage can be achieved by looking at the fallout from the Sony hack.
A look at some of the other large media companies reveals several that fit the same profile as Sony. The most vulnerable of these seems to be CBS Corp, an ageing media giant with an iconic brand. Plugging CBS into Glassdoor returns 215 reviews and a similar overall rating to Sony. Here are Some of the comments:
- "Zero communication, no organisation";
- "Hard work was not recognised. Leadership was out of touch";
- "There is a major disconnect between management and employees";
- "Unstable management there was a lot of turnover on the digital side";
- "They treat their employees like serfs";
- "The management treats technicians like dirt beneath their feet";
- "Employee morale was also a factor in my departure";
- "Difficult to break into the executive ranks, unless you are related to someone"; and
- "CBS is a company full of nepotism".
As with Sony, these comments represent themes that were present in both positive and negative reviews of the company experience. A black hat hacker looking to select their next target wouldn't have to go further than a company rating and review app to determine that CBS was worth attention. In fact, anyone can do it.
Organisations can use exposed weaknesses to protect themselves
If there is any good news here, it is that the same tools and methods can be used to realistically assess the weak points in our own organisation that make our networks more vulnerable. They can also be used to try and predict where the next attack may fall, allowing the victim to defend against it.
The spillover of the internet underground onto the surface web cannot be ignored by any information security professional or by any organisation. Think about your organisation's human dynamic. Then load up an app or do a simple web search. Do your beliefs match what you find? Do potential hackers know more about the health of your organisation than you do?
This article was co-written by John McAfee and Rob Loggia.