Being aware of potential risks can help organizations mitigate them, but first they really need to understand what hackers are looking for. That’s the view of IT security auditor Paula Januszkiewicz, founder of CQURE.
Januszkiewicz delivered her message during a keynote session at the virtual SecTor security conference. Januszkiewicz noted that during the pandemic there has been an increase in cybersecurity attacks as attackers aim to exploit weaknesses for their own benefit. In her view, defenders should take a hacker viewpoint to gain better situational awareness.
“So awareness means we know what’s going on with cybersecurity, we know different cases and examples, and we are educated in cybersecurity,” Januszkiewicz said.
Hacker Confidence
To help highlight what awareness means from her perspective, she gave an example of how she gained entry to a company in Switzerland that she was conducting a penetration test for.
Simply by following an authorized employee into the building and then making small talk with another in an elevator, she was able to gain access to an employee area. When employees were out at lunch, she found her way to a desktop that had been left unlocked and inserted a Digispark USB device to steal information.
“That is the beauty of social engineering; people expect that, when you do things with confidence, they are the things that you were supposed to be doing,” she said.
Seven Security Issues That Shouldn’t Happen
In Januszkiewicz’s view there are seven key security issues that hackers love to exploit and that defenders need to be aware of.
The first issue is weak passwords. She noted that in one case her company was conducting an audit of an oil and gas company and executed a password spraying attack, in which a single likely password is tried once against many accounts rather than many passwords against one account. She explained that her firm simply took a list of the company’s 6000 employees and attempted to access user accounts with each employee’s name as the username and a password of {CompanyName}2020. She was able to access 29 accounts with that method.
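The spray described above has a recognizable shape in authentication logs: one source fails against many distinct accounts in a short window, with only one or a few attempts per account, and a handful of accounts then succeed. The following detector, an added example that is not code from the talk or from CQURE, runs that logic over constructed log lines. The log format, field layout, thresholds and source addresses are all assumptions; it also lists the accounts that logged in successfully from a flagged source, which is the set to reset first.

```python
"""Flag password-spraying patterns in (constructed) authentication log lines.

A spray tries one password against many accounts, so the signal is many
distinct usernames failing from one source within a short window, each
with only a few attempts. Format, thresholds and addresses are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in an assumed "timestamp source user result" format.
SAMPLE_LOG = """\
2020-10-21T12:00:01 10.0.0.5 alice FAIL
2020-10-21T12:00:02 10.0.0.5 bob FAIL
2020-10-21T12:00:03 10.0.0.5 carol FAIL
2020-10-21T12:00:04 10.0.0.5 dave FAIL
2020-10-21T12:00:05 10.0.0.5 erin FAIL
2020-10-21T12:00:06 10.0.0.5 frank OK
2020-10-21T12:05:00 10.0.0.9 alice FAIL
2020-10-21T12:05:30 10.0.0.9 alice FAIL
2020-10-21T12:06:00 10.0.0.9 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse(log_text):
    """Turn log text into (timestamp, source, user, result) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {source: sorted distinct usernames} for every source that fails
    against at least `min_users` accounts inside `window` while trying no single
    account more than `max_per_user` times (the low-and-slow spray signature).
    A source hammering one account (classic brute force) is deliberately not flagged."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
                break
    return alerts


def successes_after_spray(events, alerts):
    """Accounts that logged in successfully from a flagged source: the accounts the
    spray actually opened, and therefore the first ones to reset and review."""
    hits = set()
    for _, src, user, result in events:
        if src in alerts and result == "OK":
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = detect_spray(evs)
    print("spray sources:", found)
    print("accounts to reset:", successes_after_spray(evs, found))
```

In the sample, 10.0.0.5 fails against five different accounts within seconds and is flagged, while 10.0.0.9 only retries one account and is not; the one successful login from the flagged source (frank) is the account to reset. Real deployments should key the window on whatever the identity provider records as the client (IP, device or session) and tune the thresholds to the directory size, since a 6000-account spray spread over hours is still a spray.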
The second key issue she identified as “Peeping ROM,” which is where workers are able to sneak a peek at a co-worker’s or a stranger’s workstation in the workplace or in a public place. She suggested that organizations have a policy for locking desktops, so that when an employee is not active, the desktop is locked. The third key issue she called “USB Stick Up,” which is when victims pick up a random USB stick and plug it into their system to see what’s on it. That’s an activity that can lead to exploitation.
Januszkiewicz said that there are a lot of phishing messages today that get past spam filters, which leads to the fourth key issue, which she called “Phish Biting.” The unfortunate reality is that untrained users still click on phishing emails, especially when those emails get past spam filters. “Reckless Abandon” is the fifth issue, which is when users simply do not take basic precautions to secure their devices, such as not putting a passcode on a smartphone.
The sixth issue is using someone else’s Wi-Fi connection, a practice Januszkiewicz advised against, as the network’s operator or an attacker on it can potentially see all of your traffic. The last key issue she discussed was being too social. Some people have a tendency to share too much information on social media. From a hacker’s perspective, that oversharing can provide information that helps exploit the user, for example by answering an account recovery question.
“We had a case where there was a guy on LinkedIn from a certain company, and he liked Tesla cars, and for one of his personal emails he was using, there was a recovery question of what’s your favorite car and we typed in Tesla,” Januszkiewicz recounted. “That worked and that was so much fun because this information was super easy to find.”