The percentage of the population that has some form of tech savvy is higher than it has ever been. Many 21st century grandmothers know how to tweet using their iPhones and they no longer make a funny face when told to "Google" something. Progress. And our level of dependence on computer systems in business and industry is complete. Computers are everywhere and they now power the infrastructure and processes that make everything go. And the more we come to depend on these systems, the higher the stakes when someone tries to harm us by hacking them.
Behind the internet of networked computers that everyone sees and uses on a daily basis lies another, deeper realm that can be collectively termed the Internet Underground. This underground consists of the deep web and the dark web.
The deep web is the collection of information that is available on networked computers, but is not indexed by search engines and other typical data-retrieval tools.
The dark web consists of overlay networks that use the same infrastructure as the public web but require special tools and knowledge to access. Both lie beyond the casual reach of the typical Internet user.
The effectiveness of social engineering
The Internet Underground represents a playground for hackers. Here can be found troves of information, never intended to be publicly shared, that can be used to create havoc in the physical world. It also contains a wealth of information that can be used to gain even more sensitive data from private networks and computers – information that fuels the attack vector for most successful hacking attempts.
A look at the world's worst hacks reveals a common pattern, or theme: for the most part, these hacks were not accomplished by using sophisticated hacking tools or brute force attacks on security mechanisms. Consider one of the worst of these – the 2012 attack on Saudi Aramco, one of the world's largest oil companies. Within hours, nearly 35,000 distinct computer systems had their functionality crippled or destroyed, causing a massive disruption to the world's oil supply chain. And it was made possible by an employee who was fooled into clicking a bogus link sent in an email. This is social engineering.
In fact, 90% of hacking is social engineering, and it is the human elements in your organization that are going to determine how difficult, or how easy, it will be to hack you. We – the users – are the weakest link in the chain of computing trust, imperfect by nature. And all of the security software and hardware in the world will not keep a door shut if an authorized user can be convinced to open it.
The good news is that there are patterns that we can look at and, in some cases, use to predict where the next attack may fall. Experienced hackers don't concern themselves much with your firewalls, anti-spyware software, anti-virus software, encryption technology, etc. They want to know whether your management personnel are frequently shuffled; whether your employees are dissatisfied; whether nepotism is tolerated; whether your IT managers have stagnated in their training and self-improvement. They want to know what level of transparency exists within the corporation and how bloated your chain of command is. In short – they want to know how healthy and nimble your organization is.
The deep web overflowing into the surface web
While any individual or organization is susceptible to an attack at any time, hackers, like anyone else, will tend to go after the low-hanging fruit. Why go after a tightly-knit organization of competent, satisfied professionals supported by a stable IT staff unless there is a tremendous and unique payoff promised? There would be greater risk involved and the chances of success would be low. Instead they will target an organization with identified human and structural problems.
To make this identification, hackers have traditionally turned to the Internet Underground. But recently it has started to become even easier, for the Internet Underground is beginning to spill over into the mainstream web. Shocking types of information that used to be available only for a price on the dark web can now be found using simple web searches or mobile apps. And found by anyone. While some of this information may seem innocuous to the untrained eye, the fact is that much of it is manna falling from hacker heaven.
What this means is that protecting systems and networks against successful attack just got harder, and will require us to take a good look at ourselves and our organizations. IT professionals are accustomed to securing hardware and software. But how well do you know the human side of your organization? Is there information about your organization out there, right now, migrating out of the Internet Underground to appear in simple web searches? Does this information make your organization an attractive target?
Answering these questions honestly and taking the time to find out for ourselves what information is already available about us need to become required best practices for IT security. We are accustomed to securing systems and networks against sophisticated teams of hackers. But information wants to be free; like water it will flow freely once released from its container. Are you prepared for a world where grandma or anyone else can quickly obtain, on the wide open web, all of the necessary information for a social engineering hack? Is your organization prepared?