Hear me out, as this is my take on things. I think most of the major hacks we hear about in the news are much more likely the result of social engineering than botnet or other brute force approaches. Not that I rule out other hacking methods, but I think the effort vs. payoff is much better. If anything, I think the non-social methods of hacking are employed more as a distraction to make the bigger weaknesses more readily exploitable. (I think that was one of the biggest things Kevin Mitnick discussed for that time he was in the spotlight some years ago.)
So this is what I'm thinking. You have a company staff set up to handle lots of information. Of that staff, you might have up to a dozen well-paid IT specialists. (Admin roles.) They watch ports, monitor various systems, keep on top of servers for uptime, etc. But these guys aren't your weakest link; they're usually paid well, have all the benefits, etc. For them, things are good and there's usually an attachment to what they're doing.
So who do you exploit as a hacker? The same company has in their employ something like 100+ customer service reps. However, these people tend to be outsourced to remote data centers, or are on part time as contracted through various staffing services. More or less they're temps, and on average they're not being paid much more than minimum wage. As workers, they also tend to be treated as disposable, so not much job security either. However, these lowest paid on the data-management totem pole have the same keys to all the pertinent info that the top brass does. (And to even do their job they need access to all the customer records by default.) If you want to social engineer the keys to the kingdom, this is where you make the hit. First, not everyone takes the job seriously (meh, another temp gig), so they're bound to be a bit loose. Others do, but then it's a matter of finding those who are disgruntled or hurting for money while working in this role. The odds are good too, as there's like 50 to 1 vs. IT staff and perhaps 20 to 1 vs. higher-ups managing and monitoring things. Don't hit it off as a hacker? Just make another bogus call into the system and re-roll the dice.
Thus the greatest hardware firewall in any business means little when the best keys to get in a system are relatively cheap. (Perhaps a few months' wages?) I bet you could ask anyone that works at a phone bank type place that handles customer records or billing in one form or another, and they'd agree that security is apparently paper-thin on that end. (Also, I did a stint working in that area, and the way things appeared to be done in some areas made me cringe a bit. I'm the type that stayed honest and respected confidentiality for what I did, but I could see where less scrupulous types could easily pick up a bounty with access or knowledge they have by wandering into some darker parts of the internet. Thus my suspicion is most of the expensive hacks we see in the news occur from the inside.)
So if somebody wants to really secure their system, they really need to poll through the data handlers and penetration test them. And I'm willing to bet that's a lot more difficult than running a firewall and locking it down. For real security it's necessary that people in all data roles are on top of their game, but to get that you also have to be willing to pay them well and not treat them like dirt.
edit on 23-10-2015 by pauljs75 because: (no reason given)
I'm posting this as a rant, as it seems like it really should be freakin' obvious. But most news seems to postulate that everything is vulnerable by doing things the hard way.
edit on 23-10-2015 by pauljs75 because: (no reason given)