The phone rings and the IT department answers. On the other end is the secretary for the president of a big bank, one of your company’s biggest customers. The bank’s president is doing a video presentation with your president and the secretary has no idea what she’s doing. She’s freaking out. She’s got a list of crazy questions her tech people told her to ask about things like “firewalls” she doesn’t understand. The technician on the other end does what you’d want any good employee to do: He calms her down and starts walking through her questions. He even offers to log in to a company server and share his screen so she knows exactly what to tell her tech people. Phew, what a lifesaver.
But it wasn’t a secretary, it was a hacker. And a well-meaning technician has just given away the keys to his company’s cybervault. That’s just one way that a hacker might get information like what firewall and antivirus software your company is running.
Thankfully, this particular hack wasn’t perpetrated by a cybercriminal, it was done by a professional security expert called a “pen tester.”
Listening to Clint Crigger talk, it’s hard to imagine any of us have a real shot when it comes to cybersecurity. Crigger is a pen tester, and while that doesn’t sound like an impressive title (it’s short for penetration tester, which sounds more impressive, and is also known as red teaming, which is even better), it means he spends his days breaking into businesses and financial institutions.
Thankfully for you, Crigger hacks into systems because he’s been asked to, to test the security that all of us take for granted when we log in to our bank website or complete a financial transaction using personal information. Crigger is the cybersecurity and GRC (governance, risk and compliance) manager at SVA Consulting, a company that offers business, financial and technology solutions. Part of its services are penetration tests.
Crigger has a long experience working in security, building and testing systems in the private and public sector. He takes all that expertise to guide his team into your servers. And you don’t stand a chance. “We always find problems,” Crigger says.
The first step of Crigger’s pen tests is all about public surveillance. This means finding all the domain names a company uses and making a list of all the active email addresses at a corporation. Then Crigger’s team starts doing research on the people at their target. Crigger’s team scans LinkedIn, Facebook and Twitter accounts as well as anything else it can find on the public web.
“We build a small personality profile on each person: what are their passions, where they live, how many children they have, names, pets,” Crigger says. “You may infer someone is going through a difficult time in life right now on Facebook, some personal or financial tragedy, and unlike a hacker we don’t exploit that.” It’s a reminder of just how much information we give away in our daily lives.
The next step of hacking a company is trying to find out what the organization’s infrastructure is like, what computer systems and software the company is using. This is the equivalent of casing a bank before a heist. Here, the team looks at public resumes and job openings to see what kind of employees a company has, and the expertise of its security team. Often companies advertise what software vendors they use, or the vendors themselves advertise their clients.
Social engineering is a term that refers to exploiting people instead of a computer system during a hack. For Crigger, that might mean calling a company pretending to be a business customer and asking for an antivirus recommendation. Or it might mean pretending to be a secretary who is trying to get some information, like in the example at the beginning of this article.
Crigger starts with one big advantage over hackers in that he’s already been told by the company what data is vital to its business, so he knows what to look for. But he has to be careful that his penetration tests don’t create a reportable breach—he must leave the company’s reputation intact. “We take only pictures and leave only footprints,” Crigger says.
The next step is gaining access. That can come in the form of a phishing attack, where a fraudulent email message carrying a benign-looking attachment opens the door to malware, software that can actually take over a computer. “Malware is a trick that uses social sciences based on trust, it tricks people into thinking that someone in authority has asked for it, or that it’s urgent. Or exploits their curiosity,” Crigger says.
Sometimes Crigger finds a server that lets him spoof emails from anyone in the company. “We’re using authority,” Crigger says. “No one questions the president of an organization.”
The best messages look like they’re trying to protect the company. One well-meaning system administrator even offered to post a .pdf that could deliver malware on an internal server because it was called, “How to avoid a phishing attack.”
Another method of getting malware into a company is dropping a USB flash drive with an important-sounding file, like “tax returns.” An employee might pick it up and open the file hoping to find its owner.
Crigger’s team once spoofed an email from a company’s IT department, requesting that people login to a remote mail server. Unbeknownst to the recipients, it was really a website that collected their usernames and passwords. “We sent it to eight people; five clicked, and four gave us their passwords,” Crigger says.
Once he has access, Crigger often will change the rules on the mail server to block legitimate email from system admins or any messages that might alert staff that they’ve been hacked.
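Mail rules that quietly delete or divert messages from administrators are a small artifact that a defender can look for. The script below is an added example, not code from the article or from SVA Consulting: it scans a list of inbox rules (the rule format, field names and the sample rules are all constructed for this illustration; a real mail system’s export would need to be mapped onto these fields) and flags any rule that hides mail from IT, security or helpdesk senders or about passwords and alerts, which is exactly the kind of rule the article describes an attacker adding after a mailbox is compromised.

```python
"""Flag inbox rules that hide messages from admins or security staff.

Added example (not from the article). The rule format is an assumption: each
rule is a dict with a name, lists of sender and subject substrings it matches,
and a list of actions. The sample rules are constructed.
"""

# Words in a rule's match criteria that suggest it targets admin or security
# traffic rather than newsletters or project chatter.
SUSPICIOUS_KEYWORDS = (
    "admin", "helpdesk", "it department", "security",
    "password", "phishing", "breach", "alert",
)

# Actions that keep a message out of the user's sight.
HIDING_ACTIONS = {"delete", "move_to_folder"}


def review_rules(rules):
    """Return (rule_name, sorted_actions, matched_keywords) for suspicious rules.

    A rule is reported only if it both hides mail (delete or move) and its
    match criteria mention an admin/security keyword; one of the two alone
    is usually legitimate.
    """
    findings = []
    for rule in rules:
        actions = set(rule.get("actions", []))
        if not actions & HIDING_ACTIONS:
            continue
        criteria = rule.get("from_contains", []) + rule.get("subject_contains", [])
        text = " ".join(criteria).lower()
        hits = [kw for kw in SUSPICIOUS_KEYWORDS if kw in text]
        if hits:
            findings.append((rule["name"], sorted(actions), hits))
    return findings


# Constructed sample: two ordinary rules and one that silences the admins.
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": ["news@"], "subject_contains": [],
     "actions": ["move_to_folder"], "folder": "Reading"},
    {"name": "Cleanup",
     "from_contains": ["sysadmin@example.com", "helpdesk@example.com"],
     "subject_contains": ["security alert", "password"],
     "actions": ["mark_read", "delete"]},
    {"name": "Project X", "from_contains": [], "subject_contains": ["project x"],
     "actions": ["move_to_folder"], "folder": "Projects"},
]

if __name__ == "__main__":
    for name, actions, hits in review_rules(SAMPLE_RULES):
        print(f"{name}: {', '.join(actions)} on mail matching {hits}")
```

Run periodically against rule exports for all mailboxes, a single hit of this shape is worth a phone call to the mailbox owner; in the sample only the “Cleanup” rule is reported.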
If a computer is compromised, Crigger’s team loads more software, including one that takes pictures of a user’s screen every 30 seconds and sends it to Crigger’s command and control center.
Malware can be loaded directly into a computer's short-term memory, or RAM, which means it’s never written on a hard drive where an antivirus can see it. Sometimes this can mean piggybacking on a real program. Attacks can exploit well-meaning and useful software already on a computer that can grant system admins remote access or track typing. Other times the attack software can come in several benign packages that assemble on a target computer, like a Mars mission collecting supply drops.
Once his team gets a beachhead on a computer or a server in a company, Crigger moves horizontally, gathering more information and trying to gain more access.
“A black hat hacker may spend three weeks in the intelligence gathering phase; they may spend three hours to three minutes exploiting it; and it may take three years before it’s discovered,” Crigger says.
Planning the final move is a delicate game, too. In one situation, Crigger launched his attack at 2:30 p.m. on a Friday, had the credentials to move further by 3:30 p.m., but waited, knowing that in a short time the whole office would be driving home for the weekend. The next phase came at 5:30, when the organization would be flat-footed. “At 6:00 we sent an email to the CEO that said, ‘We’re done,’” Crigger says.
Crigger may find vast stores of critical information, but being part of a pen test means he stops the test as soon as he gets access.
After compromising a company, Crigger has to translate everything he’s done from technical jargon into something closer to English, so the company’s management can act on it. Crigger says this is the most important part of the job because technical speak can be so impenetrable.
All this may seem terrifying, but Crigger insists there are things you can do to protect yourself.
The easiest step for a business, Crigger says, is to stay really current on its software and upgrade it often. He also says to limit employees' privileges on computer systems to what they need to get their jobs done. Businesses should also communicate with their partners and make sure that the other businesses they pass information to are secure.
The biggest step toward running a safe company is building a “culture of compliance” where employees know how to spot risks and report them, Crigger says. Part of that is being incredibly careful about email messages. All employees should ask themselves if they really need to open an attachment if an email seems even slightly suspect. They should also hover over links before clicking to check where they go; most email services show the link’s actual URL in the lower left corner of the window. And users should never click on a link they weren’t expecting.
“Pen testing is a fantastically entertaining, delightful challenge. It’s a fantastic puzzle,” Crigger says.