The recent data breach of 10,000+ Departments of Justice and Homeland Security staff and over 20,000 supposed Federal Bureau of Investigation (FBI) employees is another example that becoming an insider through social engineering is much easier for hackers than writing zero-day exploits.
Balabit, a leading provider of contextual security technologies, today announced its recent CSI Report. 494 IT security practitioners participated in the research, which highlights the Top 10 Most Popular Hacking Methods and aims to help organisations understand which methods or vulnerabilities attackers use the most – or take advantage of – when they want to get sensitive data in the shortest time. The key finding of the survey is that outsiders want to become insiders with the least possible effort, and insiders help them do so – mostly accidentally.
“The highest risk to corporations is when outside attackers gain insider access, as they can stay undetected within the network for months. Balabit aims to support organisations to know their enemy by knowing who is behind their user accounts, and determining whether it is a legitimate user or a masked hacker. This should be the fundamental priority in every kind of organisation’s IT security strategy,” said Zoltán Györkő, CEO at Balabit.
Over 70% of IT security experts consider insider threats more risky
54% of the survey respondents said that, according to their experience, organisations are still afraid of “hackers” breaking into their IT network through their firewall – but at the same time over 40% of them said that they already clearly see that first-line defence tools, such as firewalls, are just not effective enough to keep the hackers away. Balabit surveyed whether IT security experts consider outsider or insider threats more risky, counting as insider threats those attacks that start from outside but primarily target insiders’ privileged user accounts – and so would never succeed without the attacker becoming an insider. When a data breach occurs, whether the insider “help” was accidental or intentional is secondary. The survey results point to an efficient defence strategy: over 70% of those surveyed said that insiders are more risky.
Top 10 List of Most Popular Hacking Methods
Balabit surveyed which methods or vulnerabilities IT security experts think that attackers are using the most – or taking advantage of – when they want to get sensitive data in the shortest time:
- Social engineering (e.g. phishing)
Most attackers aim to get a ‘low level’ insider user account and escalate its privileges. Identifying an existing corporate user and trying to break its password is a slow process and leaves many footprints behind (e.g. the large number of additional log entries generated by automated attacks), which greatly increases the risk that someone notices something suspicious is happening. Therefore, hackers mostly use social engineering attacks, in which users “voluntarily” hand over their account and password.
“The recent data breach of more than 10,000 Departments of Justice and Homeland Security staff and over 20,000 supposed Federal Bureau of Investigation (FBI) employees is another example that becoming an insider using social engineering tactics is a much easier job for hackers than writing zero-day exploits,” Zoltán Györkő, CEO at Balabit said. “Traditional access control tools and anti-malware solutions are necessary, but these only protect companies’ sensitive assets while hackers are outside of the network. Once they manage to break into the system, even gaining a low level access, they can easily escalate their rights and gain privileged or root access in the corporate network. Once it happens, the enemy is inside and poses a much higher risk as they seem to be one of us.”
“These hijacked accounts (when a legal username and password is misused) can only be detected based on the difference of the user’s behaviour, for example login time and location, speed of typing, and used commands. User Behaviour Analytics tools that provide baseline profiling about real employees, that are unique like fingerprints, can easily detect the abnormal behaviour of your user accounts and alert the security team or block user activities until further notice,” Györkő added.
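As an added example that is not part of the report or Balabit's product, the following Python sketch shows the kind of behaviour-baseline check the quote describes: it learns each user's usual login hours, source countries and command vocabulary from constructed historical sessions, then scores a new session and decides whether to alert or block. Field names, the sample sessions and the thresholds are assumptions chosen for illustration, not tuned values.

```python
from collections import Counter, defaultdict

# Constructed sample history: (user, login_hour, country, commands)
HISTORY = [
    ("alice", 9, "HU", ["ls", "cd", "git pull", "vim"]),
    ("alice", 10, "HU", ["git status", "vim", "ls"]),
    ("alice", 14, "HU", ["cd", "ls", "git push"]),
    ("alice", 16, "HU", ["vim", "git pull", "ls"]),
    ("bob", 8, "DE", ["ls", "psql"]),
]


def build_baselines(sessions):
    """Per-user profile: login hours seen, countries seen, command counts."""
    profiles = defaultdict(
        lambda: {"hours": set(), "countries": set(), "cmds": Counter()}
    )
    for user, hour, country, cmds in sessions:
        p = profiles[user]
        p["hours"].add(hour)
        p["countries"].add(country)
        p["cmds"].update(cmds)
    return profiles


def score_session(profile, hour, country, cmds):
    """Compare one new session against a learned profile.
    Returns (list of anomaly tags, numeric score). Thresholds are assumptions."""
    findings = []
    # Login more than two hours away from every hour seen before
    if all(abs(hour - h) > 2 for h in profile["hours"]):
        findings.append("unusual_login_hour")
    if country not in profile["countries"]:
        findings.append("unseen_country")
    unseen = [c for c in cmds if c not in profile["cmds"]]
    # Flag when more than half the commands were never used by this user
    if cmds and len(unseen) > len(cmds) / 2:
        findings.append("unseen_commands")
    return findings, len(findings)


def triage(sessions, user, hour, country, cmds, block_at=2):
    """Verdict for a session: 'ok', 'alert', 'block' or 'no_baseline'."""
    profiles = build_baselines(sessions)
    if user not in profiles:
        return "no_baseline", [], 0
    findings, score = score_session(profiles[user], hour, country, cmds)
    verdict = "block" if score >= block_at else ("alert" if score else "ok")
    return verdict, findings, score
```

A real deployment would learn from far more sessions and add the other signals the quote names, such as typing speed; the structure (baseline, per-signal deviation, combined verdict) stays the same.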
- Compromised accounts (e.g. weak passwords)
Compromised accounts, especially weakly protected ones, are dangerous because users commonly choose weak passwords, and sometimes the same password is used for both corporate and private accounts. If a hacker can obtain such a user’s account name and password from a less secure system (for example, a private social media account), it can easily be used to log into the company network.
- Web-based attacks (e.g. SQL/command injection)
Security issues in web-based applications, such as SQL injection, still rank as very popular hacking methods, mainly because applications are the #1 interface to company assets for many insider and outsider users and therefore provide a huge attack surface. Unfortunately, the quality of application code is still questionable from a security point of view, and there are many automated scanners with which attackers can easily detect vulnerable applications.
The other hacking methods listed can deliver the same results for attackers but may be more complicated or time-consuming; for instance, writing an exploit takes time and requires good coding skills.
The additional most popular hacking methods are ranked as follows:
- Client side attacks (e.g. against doc readers, web browsers)
- Exploit against popular server updates (e.g. OpenSSL, Heartbleed)
- Unmanaged personal devices (e.g. lack of BYOD policy)
- Physical intrusion
- Shadow IT (e.g. users’ personal cloud-based services for business purposes)
- Managing third party service providers (e.g. outsourced infrastructure)
- Taking advantage of data being moved to the cloud (e.g. IaaS, PaaS)
Conclusion of Balabit’s CSI Report
Regardless of the source of the attack, the list of the Top 10 most popular hacking methods clearly highlights that organisations must know what is happening in their IT network in real time: who is accessing what with a given username and password, and whether that is the real business user or an outside attacker using a hijacked account. This can only be achieved by complementing the existing control-focussed security tools, such as access control tools and password management solutions, with continuous real-time monitoring. Monitoring can highlight anomalies in users’ behaviour that are worth investigating, and it can not only alert on suspicious activities but also respond immediately to harmful events and block further activity. As the survey results show, today it is not enough to keep outside attackers away; you also need to identify the unusual behaviour of your own users, because you can never know who is actually behind the insider account.