The Nontechnical Ways Hackers Obtain Sensitive Data

Considering an expensive technological upgrade to minimize the danger of a successful hacker breach? Think again! Total security is a myth and installing all possible hardware and software upgrades will not protect your company from the human element. Your staff are a much more attractive target to cybercriminals and are hacked more easily than any technical restrictions present on your network.

Unfortunately, black hat hackers are sometimes perceived as cool, with honorable motives against big business and 'Big Brother'. While TV shows and movies would have us believe that hackers are all powerful and routinely hack government departments, military bases and more, the reality is a little different. Black hat hackers are motivated by greed and will utilize the easiest methods to acquire data that is used for financial gain, whether through identity theft, online purchases or being sold on the Dark Web.

Hackers are Productive

In fact, as hackers also work on a reward versus effort timeline and are efficient, it makes sense to use someone else's legitimate credentials to acquire information rather than seek vulnerabilities and force their way in. Acquiring these credentials or access is achieved through 'social engineering' although the end results are often about as social as a baseball bat to the skull.

While a wide variety of social engineering techniques are available, they are broken down into several categories:

Common Threats

1. Research online – Hackers will use the Web to obtain personal information on staff members. This will include social media sites, online profiles, blogs and any other sites that will provide data point that can be used to guess a password. For example, the whois information on a blog or website can yield contact details. Why do they even bother with this approach? Unfortunately, as people continue to use birthdates, names of spouse and family members in their passwords, it remains a technique that yields results.

2. Email or social communication – Hackers will send a message from a trusted organization, such as a bank or retailer and encourage staff members to click a link. If successful, malware, key loggers or viruses are then installed on the target system.

3. Phone Calls – Fraudulent calls offering remote IT support or claiming that your account needs verification. The aim here is to disclose contact details not publicly available, such as SSN or even your account password. On some occasions, friends and colleagues are contacted, supposedly to act as a reference for a new job opportunity. Seeking to help, additional clues are unwittingly disclosed to the hacker.

4. Theft – Mobile devices yield a lot of data, especially since the rise of BYOD. A remote wiping feature is recommended for all devices in case it's lost or stolen.

5. Data recovery – Hackers seeking valuable have no problem with crawling through dumpsters to find discarded or shredded documents. Some have the time and resource to assemble even those sent through a cross cut shredder. Incineration is preferred. It is worth noting that obsolete or discarded equipment also contain data. When even fire or water-damaged hard drives can be recovered, ensure secure disposal of all drives either by degaussing, incineration or by driving a large metal spike through the drive platters.

6. Direct Contact – Hackers will place themselves at company events or even at venues where employees go for lunch to make themselves known to the group. Once this happens, casual questions about the company often lead to its building and network security processes being divulged.

7. Tailgating – Simply walking closely behind a group of employees to enter the premises. Once there, the hacker can place additional devices on the network that allow remote access or simply use an available workstation that is inside the company's firewall and other defenses.

8. Infiltration – How much easier is it for a hacker to compromise a company if already working there? Hackers are aware of the infrequency of extensive background checks and take advantage of this failing, remaining with the company until objectives are reached.

Is your Company Secure?

Can you protect your company, verify that your business is secure and confirm that staff are vigilant against potential threats? Enter the age of the ethical or white hat hacker, caped crusaders that can think like their evil counterparts, provide penetration testing services to verify IT security and also use social engineering techniques on employees to bypass this security. In the majority of cases, the last is always successful. It is no real surprise that these professionals are in high demand and there is a global shortage of IT pros with certified skills in ethical hacking and penetrating testing. Ethical hackers are well paid with salaries commensurate with their experience and certification. Their motives are pure, to educate and prevent data breaches. Can you afford not to increase your security posture and improve staff awareness by employing their services?