Think You’re Not A Target? Think Again…
It never ceases to amaze me how many people tell me that they’re too small to get hacked, that they’ve got great antivirus, that they have Cloud services and backups up the yin yang, and their IT guys are the best. If I had a nickel for every time I heard something like that, I’d make Bill Gates green with envy.
The fact is, small businesses are one of the primary targets of hackers for the very reason that they don’t have the money and resources to devote to security themselves. Sure, they’ll get a free antivirus from AVG, Avast or MalwareBytes and think that’ll do the trick, but the fact is, hackers see that as nothing more than wet toilet paper when they’re burrowing through to get to sensitive data, money, or whatever else they’re after.
Even firms that actually have money to spend on security are often stymied by their own employees. They inadvertently help the hackers by having weak passwords, passwords that never expire, account numbers written on Post-it notes all over their monitor and desk, and the list goes on. And they often whine and complain to the IT guys about having to change their passwords so often, as well as wanting access to things that sometimes have nothing to do with their jobs, and they do so to the point where the IT folks just cave in and cater to the whims of the employees, which is the worst of all security policies.
A story I always like to tell is a real case I dealt with. This involves a law firm I did a penetration test for. To protect their good name, let’s call them the Law Offices of Whiskey, Tango and Foxtrot, PLLC. They were a prosperous firm that dealt with very high-end cases, had high-end clients, and their bottled water budget alone was well into the five figures. They prided themselves on having a wonderful firewall, great security, privacy for their clientele they said was second to none, and an IT staff that was top notch with more certifications and experience than you can shake a stick at. They agreed to let me come in and perform a penetration test to gauge exactly how good their security really was. I performed my tests and found a number of things that were wanting in their systems. For one, most of the staff had passwords that never expired, and their passwords weren’t set to a certain level of strength. In fact, a critical alert popped up, saying the secretary to one of the senior partners had a password so weak, my program estimated it could be cracked in less than 12 minutes. There were other things, such as multiple computers that had fallen far behind on critical security patches from Microsoft and other third-party software vendors, and the fact that I was able to not only add a computer to the Active Directory tree, but also browse it and edit it, both with a non-administrative account, was a definite cause for concern. Oh, and multiple people, including the aforementioned secretary, had access to network shares that were dubious. Plus, their antivirus was, laughably, a free version downloaded from the Internet and installed because one of the IT staff admitted that a couple of the senior partners wanted to use the money to instead buy new furniture. My phishing tests were just as enlightening, and I even caught the IT chief opening one of my phishing email links that, thankfully, only went to a YouTube video and not something more malicious.
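The findings above (passwords that never expire, no enforced password strength, a non-administrative account able to add computers to the domain, and staff with access to shares they have no business in) are all things an IT team can check for itself before an outsider does. The script below is an added example, not part of the original post or anything the firm in the story ran; it assumes the ActiveDirectory RSAT module is installed, that the account running it can read the domain, and that a share named `Finance` exists on the file server where the last command is run (that share name is hypothetical).

```powershell
# Added audit example (not from the original post). Assumes the ActiveDirectory
# RSAT module is available and the current account can read domain objects.
Import-Module ActiveDirectory

# 1. Enabled accounts whose passwords never expire, with when they were last set.
$neverExpire = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# 2. The domain's default password policy: minimum length, complexity, maximum age.
#    A MinPasswordLength of 0 and ComplexityEnabled of $false mean "no required strength".
$policy = Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge

# 3. How many computers any authenticated user may join to the domain.
#    The Windows default is 10; that default is what lets a non-admin account
#    add a machine to the directory. Setting it to 0 restricts joins to
#    accounts that have been explicitly delegated the right.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# 4. Who has been granted access to a sensitive share (hypothetical share name).
#    Run this part on the file server that hosts the share.
$shareAccess = Get-SmbShareAccess -Name 'Finance'

"--- Accounts with non-expiring passwords ---"
$neverExpire | Format-Table -AutoSize
"--- Default domain password policy ---"
$policy | Format-List
"--- ms-DS-MachineAccountQuota: $quota ---"
"--- Access entries on the Finance share ---"
$shareAccess | Format-Table -AutoSize
```

The point of running this periodically is that every item in the report is a review question for a human: does this account really need a password that never expires, does this user actually need this share, and why is the machine-account quota still at the default. Each "no" is a finding the firm in the story paid for the hard way.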
Once I was done, I held a meeting with the senior management and the IT leadership and explained my findings. The meeting itself was surprisingly quick in that I was glad-handed, given the check for my services, shook everyone’s hand and proceeded to go about the rest of my day. Normally, I’m bombarded with questions about what I found, how I found it, and I sometimes have to butt heads with IT over how they’ve had things configured and set up, but this didn’t happen, much to my surprise. I just chalked it up to an easy day.
About six weeks later, I got a message from one of the IT staff there. They had gotten hacked. Perplexed, I replied and asked what had happened. The IT person, who shall forever remain anonymous, told me that the IT chief promptly threw my final report and recommendations (along with all the step-by-step fixes) in the trash and went on with business as usual. Then some hacker spearphished the secretary, enabling them to install a password cracker on her computer, which allowed them to crack her password in no time and let them log in under her credentials. She was given access to, among other things, the financial network share, despite having no need to be in there, as they had their own financial people handling things. In that network share were unencrypted, plaintext files containing bank account numbers, balances, routing numbers, client account numbers, you name it. The hackers were able to siphon off over $100,000 from an escrow account, and the law firm only noticed the money was gone when the senior partner needed to withdraw money from it for the client to whom it belonged, only to find it had been cleaned out. At first, they thought the secretary was responsible since it was her password that accessed the files, but upon looking at the timestamps in the logs, they quickly realized it couldn’t have been her, since the times the files were accessed and the time the money was withdrawn all matched up to when she was on a cruise and had no Internet access.
According to the IT tech, the client was understandably livid when they were told they had to pony up an additional $100k for their retainer, and even came in person to chew the lawyers out, threatening to sue them, to make this whole thing public, the list goes on. I don’t know what happened beyond that, since I never heard back again from the IT tech.
That being said, the story of Whiskey, Tango and Foxtrot illustrates that not only is anyone a target at any time, but often one’s own hubris and staff members can be the best allies of a hacker.