The idea of hacking invokes fear and uncertainty. While it may seem mysterious, inevitable, and unpreventable, it’s not. And protecting yourself against hacking isn’t an elusive process either.
“Security isn’t magic,” said Alex Foley, Electric’s CISO, during our recent “Defense Against the Art of Hacking” webinar. “Security is diligence,” he added.
During the chat, Alex walked us through some common types of hacks, and provided tips on how to defend yourself and company against them.
Four Common Hacks
1. Physical Hacking (Breaking and Entering)
Alex began the lesson with a type of hack anyone, technical or not, could understand — breaking and entering. Examples of “physical hacking” include:
- Getting around key-card entry by tripping the inside sensor in an office.
- Duplicating RFID proximity cards.
- Old-fashioned lock picking.
So what can companies do to fight these low-tech (but very common) hacks? Alex recommended implementing compensating controls that would discourage nefarious behavior. These include:
- Push-to-exit buttons
- Security guards
- Additional physical locks
- Security cameras
2. AWS Root Key
Next, Alex jumped into the topic of “real” hacking, beginning with the Amazon Web Services (AWS) root key vulnerability.
AWS root or access keys give “god level” access to an AWS account. Anyone with root user credentials has access to almost all of a company’s servers storing terabytes of sensitive data. This vulnerability poses a significant risk because many companies have built their entire digital infrastructure on AWS.
Alex detailed an example of this problem involving an organization he consulted with in the past. Root keys that had been generated in 2015, but had never been disabled were accessed by an external group. Luckily, all the hackers did was mine cryptocurrency. There was no evidence that accessed any sensitive data.
What to do:
AWS Security Hub recommends users do the following:
- Delete root keys
- Enable multi-factor authentication (MFA)
- Avoid using a root account for everyday tasks
- Create minimum necessary roles on Identity and Access Management (IAM) users
3. Network Security
“If you’re not looking at vulnerabilities, then you’re not able to understand where the issues lie,” Alex said while talking about network security vulnerabilities. He recalled conducting a network security assessment on client and observing the following problems:
- Lack of patching
- Lack of device firewalls
- Use of default passwords
- Not using passwords at all
This behavior is particularly dangerous if any of your company’s devices access the public internet, which Alex likened to the zombie apocalypse. “There are just people attacking you all the time,” he said.
What to do:
That zombie apocalypse stuff was a bit frightening, but Alex followed up by offering the following security tips:
- Perform regular vulnerability scanning, using the Kali Linux toolkit.
- Harden everything: patch, encrypt, use antivirus, and set firewalls to deny all inbound.
- Track vulnerabilities by subscribing to security mailing lists.
4. Web Attacks
The web is a major external attack surface for many companies. Web vulnerabilities, along with configuration issues, are often the cause of data breaches that have been happening more frequently. According to Alex, issues the most common web-related hacking issues are API abuse, cross-site scripting, and SQL injections.
What to do
- Follow the Open Web Application Security Project (OWASP) research on web vulnerabilities.
- Learn how to use penetration testing tools like OWASP ZAP (Zed Attack Proxy) and Burp Suite Pro.
- Learn the process of manual testing.
We often think of security in the realm of the business, but we also need to think about how individual actions can put a company at risk.
- Patch your software and devices.
- Use a password manager.
- Enable multi-factor authentication.
Before ending the webinar, Alex emphasized the last point an additional time. “Two-factor everything,” he said. “Two-factor yourself. Two-factor your business. Two-factor every account you can.