I am a hacker. The type of hacker that spends her days uncovering the weaknesses in others. Not just corporate networks, but people as well. At first, I was curious to see how secure companies were when it came to protecting their data, everyone’s data. I wanted to know what made people respond the way they did.
Now, I’m tired of seeing the headlines about large breaches that result in the loss of privacy, and companies that don’t treat sensitive data with the proper (if any) safety controls. For them, security is merely a “nice to have” and not a critical component driving everything they do. So I feel a (slight) internal sense of responsibility to make sure that companies are promoting proper security practices when it comes to managing consumers’ data.
The first harsh reality is this: for every company that has a solid security plan to help keep hackers like me out, there are a dozen more that demote security to a minimal set of checkboxes and re-allocate the funds to other projects.
Not that I am complaining: companies that rely on free endpoint solutions or other minimal security controls to keep me out just make it easier for me to get in. Those companies become a larger bullseye for me, simply because I would rather spend less time and go after smaller businesses than try to hack into a large corporation that’s well invested in a bulletproof security posture.
Risk vs. reward, that is what motivates me, and you would be amazed at the types of data that I can retrieve from many organizations.
I hate to brag, but even companies that are considered impenetrable are no longer immune to my skills. Enter: social engineering and ransomware.
If I choose to send an email to the right people, your average employee, heck, even high-level executives, won’t be able to resist clicking on links or attachments with super relevant subject lines like ‘invoice’ or ‘past due’. From there I exploit this weakness and inject malware or crypto viruses to encrypt all of the company data. I will force IT teams to either restore from an old backup or pay a ransom, which in many cases also gives me access to their sensitive information.
Whoever was responsible for the Hollywood Hospital ransomware attack made $23,000 in a single day. So, tell me, how often do you back up your critical data?
These types of exploits have become many hackers’ go-to methods, as they easily slip past lower-grade security controls with minimal effort. After all, it’s just an email. You see, no matter how good your security controls are, even if you set up the best firewall or email protection, we will find our way in. It’s just a matter of time and patience, exploiting the right weaknesses.
The minute you move your data to the cloud, or connect anything to the Internet, your data is exposed.
People like me from all around the world are looking for anything they can use to profit, and smaller organizations are a great gateway to get into larger ones. For example, small branch offices with lax security controls that connect to corporate headquarters, unsecured Point of Sale (POS) systems at the local retailer and, my personal favorite, unsecured hotel Wi-Fi. These become entry points for many of us, with a lot less risk than going after larger corporations. But large corporations aren’t safe either; they just require a different set of tools. I can take down your network with a DDoS attack for the price of a fast food combo, which means your entire network, including data stores and applications, is rendered inaccessible. Personally, I show little regard for the damage that is caused by breaching one of these organizations. I justify it as a cost of doing business. After all, it wouldn’t have happened if they had better security controls.
The second harsh reality is: hackers like me attack corporations, well, because we can.
We no longer need a reason. We cite corporate greed, or wanting to teach these corporations humility, but in the end, you’re all the same targets to us.
So, why write this letter? I want organizations to stop overlooking security. Hackers aren’t going away; in fact, we are evolving and growing right alongside the latest security controls.
You need to protect your endpoint devices, file servers, confidential information, mobile devices, applications, internet access, corporate mail, web gateways, and collaborative solutions.
How much would you pay to get your customer data back?
Listen, until you start to take security seriously and build it into every part of your organization, you will always give hackers a reason to do what we do. Want to know how to stop me? Put enough security controls in place to get me to move on to the next guy who doesn’t take security as seriously.