Current events are often of significant interest to attackers. Mergers, acquisitions,
scandals, layoffs, rapid hiring, reorganizations, outsourcing, extensive use of temporary
contractors, and other events may provide clues, opportunities, and situations that didn’t
exist before. For instance, one of the first things to happen after a merger or acquisition
is a blending of the organizations’ networks. Security is often placed on the back burner
in order to expedite the exchange of data. How many times have you heard, “I know it
isn’t the most secure way to do it, but we need to get this done ASAP. We’ll fix it later.”?
In reality, “later” often never comes, thus allowing an attacker to exploit this frailty in the
name of availability in order to access a back-end connection to the primary target.
The human factor comes into play during these events, too. Morale is often low
during times like these, and when morale is low, people may be more interested in
updating their resumes than watching the security logs or applying the latest patch. At
best, they are somewhat distracted. There is usually a great deal of confusion and change
during these times, and most people don’t want to be perceived as uncooperative or as
inhibiting progress. This provides for increased opportunities for exploitation by a skilled
social engineer.
The reverse of “bad times” opportunities can also be true. When a company
experiences rapid growth, oftentimes their processes and procedures lag behind. Who’s
making sure there isn’t an unauthorized guest at the new-hire orientation? Is that another
new employee walking around the office, or is it an unwanted guest? Who’s that with
the laptop in the conference room? Is that the normal paper-shredder company? Janitor?
If the company is a publicly traded company, information about current events is
widely available on the Internet. In fact, publicly traded companies are required to file
certain periodic reports to the Securities and Exchange Commission (SEC) on a regular
basis; these reports provide a wealth of information. Two reports of particular interest
are the 10-Q (quarterly) and the 10-K (annual) reports, and you can search the EDGAR
database at http://www.sec.gov to view them. When you find one of
these reports, search for keywords like “merger,” “acquisition,” “acquire,” and “subsequent
event.” With a little patience, you can build a detailed organizational chart of the entire
organization and its subsidiaries.
Business information and stock trading sites can provide similar data such as Yahoo
Finance message boards. For example, check out the message board for any company
and you will find a wealth of potential dirt—er, I mean information—that could be used
to get in the head of the target company. Comparable sites exist for major markets around
the world. An attacker can use this information to target weak points in the organization.
Most hackers will choose the path of least resistance—and why not?
কোন মন্তব্য নেই:
একটি মন্তব্য পোস্ট করুন