cyber-security-vulnerabilities-e1463664601459Anyone with a computer, an Internet connection and Google can hack. Hacking software is inexpensive (or free), easy to use and powerful enough to cause massive damage to your system — even in the hands of an inexperienced user.

 

In the hands of skilled hacking gangs, it’s all the more dangerous. Professional hackers are some of the most skilled and prolific thieves, willing to spend months inside a target’s system, learning how everything is put together before striking, stealing as much data as they can before covering their tracks. For the victim, the costs can be enormous: from stolen intellectual property, to countless compliance penalties, a single hack can sink a company if they don’t have the proper precautions in place.

 

If you want to protect your company, you need to understand the most common cyber security vulnerabilities, and how (and why) hacking attacks are becoming more common throughout the business world.

 

The Speed and Proliferation of Hacking Tools

Hackers develop new tools at a phenomenal rate. In 2015, Kaspersky Lab detected 121,262,075 “unique malicious objects” through its web antivirus program. In particular, hackers are evolving to take advantage of new security vulnerabilities inherent in many mobile apps — or, more accurately, they are taking advantage of how common mobile devices have become.

 

Software is spread through a network of devices and people, meaning companies can’t solve the problem just by building and defending a security perimeter alone; nor do hackers need to get inside your servers when they can steal your data from your employees’ smartphones.

 

We’re also seeing foreign governments using hackers to compile sensitive information that could harm national security. The OPM breach exposed more than 21 million current and former federal employees and applicants, along with untold family and friends. The breach may have exposed federal agents, informants and others all over the world, weakening the U.S. for decades.

 

Other hacks have targeted security manufacturers and cutting-edge research institutions — and that’s to say nothing of the Internet of Things, which opens up a whole host of new devices to potential attackers — and that’s just the tip of the iceberg. Here’s a brief look at what we’re up against:

 

The 8 Ways Hackers Take Advantage of Cyber Security Vulnerabilities

 

1. Crypting Services: The antivirus/anti-malware industry has always been an arms race, but lately, things have been heating up dramatically. As bad guys started to produce malware more quickly, antivirus providers automated detection. New malicious programs could be detected quickly, and updates would be sent to consumers, preventing most systems from being infected.Unfortunately, the bad guys discovered a neat trick: if they could encrypt malware, the new virus would no longer resemble the original code, meaning the antimalware programs couldn’t catch it.Instead of having to put in the work to find and exploit a new cyber security vulnerability, hackers can now send their malware to crypting services, which modify it repeatedly and test it against antivirus programs until they make it undetectable. Then they send it back to the hacker, who can then use it to exploit unsuspecting users.

 

2. Crimeware: In many parts of the world, it takes skill and experience to find hacking tools, but in North America, crimeware is easy to obtain. Small time criminals, unscrupulous competitors and other unsavory characters can find forums and sites selling hacking tools with a simple query — and buy them for less than the price of a cup of coffee:

 

Remote Administration Tools (RATs): Also known as Remote Access Tools and Remote Access Trojans, RATs are among the most dangerous exploits. These programs are often downloaded disguised as legitimate pieces of software. Once activated, however, they give hackers full control over the infected computer. Hackers can steal account information, edit files, use the camera to record the user and even block the user’s keyboard and mouse commands.

 

Being careful to avoid suspicious downloads can decrease the likelihood of infection, but it can’t eliminate it. Attackers can still spread RATs through a compromised vendor. In 2015, for example, attackers compromised ICS and SCADA software vendors. When manufacturing, research and educational organizations downloaded what looked like trusted software, the hackers were able to gain control of their systems.

 

Keyloggers: Why bother to take control of a computer when you can get access to employee accounts? Software keyloggers record keystrokes the user enters, then upload them remotely, allowing hackers to then retrieve account login credentials. This can be used to hack into your system, compromise sensitive data or even send malicious messages posing as the user.

 

Ransomware: This software literally holds your computer for ransom. Hackers get inside your system and encrypt your data, making you unable to access it. Once they’re done, you can either pay up or lose data permanently. The price of the ransom can be expensive, but the downtime is often far more costly. One hospital lost access to patient records, email and other critical bits of information for more than a week, until it paid the hackers $17,000 to unlock it.

 

3. Exploit Kits:It used to be that common sense security could protect users from most cyber security vulnerabilities; as long as you avoided clicking suspicious links, visiting dodgy websites or installing software you couldn’t trust, you’d stay reasonably safe. But because of exploit kits, your safe habits are no longer enough.Exploit kits are used to target users on trusted sites, which have either been tricked into displaying malicious ads or outright compromised. The user is quietly redirected to another site, without showing any indication like a pop-up window. The site then scans the computer for cyber security vulnerabilities such as unpatched software. When it finds a weakness, it installs a targeted piece of malware, to steal data, hijack your computer or perform other malicious actions.

 

Web exploit kits come with control panels, documentation or training and even periodic bug fixes. They are rented or sold to hackers and often don’t require sophisticated computer skills to operate. Patching software and installing antimalware tools provides some protection, but a determined hacker could almost certainly compromise some user in your company, with potentially disastrous results.

 

4. Leaked Data: Stolen or illegally obtained data has always been a valuable commodity, but the difficulty of selling it used to limit the incentive for criminals. Finding a buyer for stolen company secrets or financial information could take time, and expose hackers to a great deal of risk.The Internet, however, has revolutionized the black market, making it easier and less risky to buy and sell stolen data. Much of this trade takes place on the dark web — hidden parts of the Internet that require additional software or credentials to access. However, in North America illegally obtained information is often sold right out in the open, where an unscrupulous competitor with little technical know-how could easily get ahold of it.Stolen credit cards are a popular item, sold in bulk for prices ranging from $19 for a single card’s credentials, to hundreds for a clone, complete with chip and PIN. Social security numbers (along with enough information to then steal someone’s identity) are also popular — and sold in bulk.

 

Identities are kept secret, and payment is usually made using anonymous technologies like bitcoin, making it highly unlikely a particular hacker will be caught. There are even stolen data search engines to make it easier for criminals to find and exploit sensitive data.

 

Although this doesn’t directly cause breaches, it incentivizes them. A hacker is much more likely to try to steal account credentials, knowing they can turn around and sell them quickly and with little risk.

 

5. Social Engineering: Social engineering uses psychology to illicitly compromise security. For example, a social engineer might walk into a restricted area behind someone, asking them to hold the door, convincing the other person they belong there through a display of confidence. Phishing — sending someone an official-looking email with a malicious link (e.g., a message disguised to look like it’s from a bank, or the target’s own company) is one of the most common techniques, but social engineering can get far more complex.Social engineers often combine leaked and publicly-available data with cyber security vulnerabilities to create sophisticated attacks. For example, a hacker might gather intelligence about an executive from their Facebook and LinkedIn accounts, use that information to guess their email password, then pose as the executive. They could use that account to:

 

  • Steal money or trade secrets
  • Damage the target’s business and reputation
  • Commit blackmail
  • Implant malware to gain more access

 

Hacker networks and tools enable social engineering on a large scale. Bad actors can purchase illicit data or hire hackers, but it’s also possible to find the data you need through completely legal means. Intelligence gathering software like Maltego can comb through vast amounts of information, outlining a target’s interests, relationships and habits along with personal information like email addresses, aliases and IP addresses. For a resourceful hacker, gathering enough information to do serious damage would not be difficult.

 

6. Card Skimmers: Point of Sale (POS) machines and ATMs have inherent cyber security vulnerabilities. If the card reader can decode your payment data, so could a bad actor with access to that reader. Hackers use a wide variety skimming machines to steal card data — often from chain stores, banks and other major enterprises — including:

 

  • Plug-ins that intercept data when an ATM uploads it to the Internet
  • Altered card readers, that skim data as it is scanned
  • Devices that fit over the magnetic card slot
  • Pin capture overlays installed on top of the keyboard
  • Hidden cameras to capture PINs

 

Encrypted cards are more secure, but they haven’t completely eliminated the threat. New cards still have magnetic strips to stay compatible with machines, which can be scanned when they’re used.

 

7. Unpatched Systems: They’re not as glamorous as some of the more exotic exploits, but in sheer volume of attacks, they’re probably the most damaging. According to the 2016 HPE Security Research Cyber Risk Report, 48% of the top 2015 exploits used cyber security vulnerabilities that were at least five years old. Year after year, companies fail to fix cyber security vulnerabilities, leaving the door wide open for any hacker who bothers to look.Part of the problem is simply a lack of adequate resources. Staying ahead of SAP vulnerabilities requires the time to do regular patching and the knowledge to configure the system correctly to prevent more sophisticated exploits. In many companies, the ERP admin doubles as the chief security officer, and lacks the time and experience to keep things up to date.The explosion of BYOD’s popularity in the workplace only increases the problem. Any program on your device could present a potential attack vector. Workers often don’t delete old or outdated software, or patch applications like they should. Good tech usage policy and whitelisting can help, but without a full time security and compliance team to enforce best practices and monitor access, there will always be a gap somewhere.

 

8. The Integrated Approach: Most crimes are crimes of opportunity — criminals look for a cyber security vulnerability, break in and get paid. If you have no obvious weaknesses and another company does, they’ll usually be the target.But hacker gangs are incredibly sophisticated, and many can use a dazzling array of tools and tactics. If the payoff is big enough, they will find a way in. Hackers have attacked Boeing to steal military aircraft designs, funneled money away from some of the most secure banks in the world, and compromised highly confidential US government databases.To do this, they often use sophisticated, multi-stage attacks:

 

  • Gathering intelligence — often through social engineering
  • Implanting backdoors
  • Strengthening control and access of the target’s network
  • Exfiltrating data for as long as they can
  • Covering their tracks

 

In the case of the Carbanak bank heist, hackers were able to spy on employees, study their work habits and use a range of attacks over about two years. It took an incredible amount of work (as many as 100 banks were targeted), but the $1 billion payday must have been a pretty good incentive.

 

Know Which Cyber Security Vulnerabilities Can Impact You

A bad guy may be willing to spend months or years scanning your system for cyber security exploits. Stopping them requires the same obsessive level of attention, not just from your security team, but from your entire organization.

 

Technologies like intrusion detection and prevention systems, firewalls and anti-malware suites are important, but they’re no replacement for good engineering. Your system should be designed along network security architecture best practices, and hardened by a thorough security audit. Likewise, databases need to be encrypted, hardened and properly configured. You need dedicated SAP Basis support to handle patches and configuration, and admins who understand how to control access and spot suspicious activity.

 

Your security technology provides the outer layer of defense, but it can’t do it’s job without human beings at the controls. Your company needs around-the-clock incident detection and response, ready to neutralize a hacker probing your network for weaknesses, or shut down a compromised system before hackers can steal the data.

 

That’s a lot of people, and a lot of tech. For the largest companies, it might make sense to do it in house, but most companies can’t afford it. Fortunately, the IT managed services model allows organizations to spread costs and pool resources, hiring an entire security army for less than the cost of a small in-house team.

 

Stay safer, worry less. No cyber security partner can keep you perfectly safe, but the right partner can drastically cut the risks, and minimize the damage of a worst case scenario. Symmetry provides a complete array of cyber security services. We’ll assess your security, identify vulnerabilities and work with you to fix them.

 

We’ll also provide a custom incident response plan to mitigate breaches and train employees in security best practices to reduce risk. Continuous protection is achieved through continuous monitoring. Our Cyber Security Defense Center engineers will log system access around the clock, quickly spotting potential breaches or attempted breaches, and neutralizing them in real time. Your data is your most important asset. That’s why guarding it is our most important job.

 

Contact us to learn more about how Symmetry can protect your company.

About Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.