As news broke this week that the details of more than 10,000 Department of Justice and Homeland Security staff and over 20,000 supposed FBI employees have been compromised in a breach, it is another example that becoming an insider through social engineering is a much easier job for hackers than writing zero-day exploits.
A new survey of security professionals has revealed the top ten methods and vulnerabilities that attackers use or take advantage of most when they want to get hold of sensitive data in the shortest time.
The key finding of the survey is that outsiders want to become insiders with the least possible effort, and insiders help them do so – mostly accidentally.
Security professionals at the Black Hat hacker conventions in the US and Europe were asked which methods are most commonly used by attackers.
Out of the top ten vulnerabilities, social engineering was by far the most popular, with weak passwords coming in a close second. 81% of Americans and 83% of Europeans said social engineering such as phishing was the biggest method used to gain sensitive information, with compromised accounts (weak passwords) coming in at 62% and 63% respectively.
In third place came web-based attacks such as those through SQL/command injection.
Next are client-side attacks against document readers and web browsers, and exploits against vulnerabilities in popular server software, such as Heartbleed in OpenSSL.
'The highest risk to corporations is when outside attackers gain insider access, as they can stay undetected within the network for months,' said Zoltán Györkő, CEO for IT security company Balabit, which conducted the research.
Most attackers aim to get a 'low level' insider user account and escalate its privileges. Identifying an existing corporate user and trying to break their password is a slow process and leaves so many footprints behind (e.g. the large volume of additional logs generated by the automated attempts) that it greatly increases the risk of someone noticing that something suspicious is happening.
Therefore, hackers mostly use social engineering attacks in which users 'voluntarily' hand over their account and password, explained researchers at Balabit.
'Traditional access control tools and anti-malware solutions are necessary, but these only protect companies' sensitive assets while hackers are outside of the network. Once they manage to break into the system, even gaining a low level access, they can easily escalate their rights and gain privileged or root access in the corporate network. Once it happens, the enemy is inside and poses a much higher risk as they seem to be one of us,' said Györkő.
Regardless of the source of the attack, the list of the Top 10 most popular hacking methods clearly highlights that organisations must know what is happening in their IT network in real time: who is accessing what with which usernames and passwords, and whether that is the real business user or an outside attacker using a hijacked account.
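Two of the points above, that automated password guessing leaves a trail of extra log entries and that organisations need to see in real time which account is being used from where, can be illustrated with a small detector over authentication logs. The following is an added example, not code from the article or from Balabit; the log lines are constructed in OpenSSH sshd style, and the threshold and window values are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in sshd auth-log style (not real data).
SAMPLE_LOG = """\
Feb 10 09:00:01 host sshd[1201]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Feb 10 09:00:02 host sshd[1202]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Feb 10 09:00:03 host sshd[1203]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Feb 10 09:00:04 host sshd[1204]: Failed password for alice from 198.51.100.7 port 51003 ssh2
Feb 10 09:00:05 host sshd[1205]: Failed password for alice from 198.51.100.7 port 51004 ssh2
Feb 10 09:00:09 host sshd[1206]: Accepted password for alice from 198.51.100.7 port 51005 ssh2
Feb 10 09:05:00 host sshd[1301]: Failed password for bob from 192.0.2.10 port 40000 ssh2
Feb 10 09:30:00 host sshd[1302]: Accepted password for bob from 192.0.2.10 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(log_text, year=2016):
    """Return (timestamp, result, user, source) tuples; syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect(events, threshold=5, window_s=60):
    """Flag password-guessing bursts per (user, source) and any login after such a burst."""
    findings = []
    failures = defaultdict(list)   # (user, src) -> failure timestamps inside the window
    flagged = set()
    for ts, result, user, src in sorted(events):
        key = (user, src)
        if result == "Failed":
            recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[key] = recent
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append(("brute_force", user, src, ts))
        elif key in flagged:   # success from a source that just hammered this account
            findings.append(("success_after_burst", user, src, ts))
    return findings
```

Running `detect(parse(SAMPLE_LOG))` flags alice's account for a burst of failures followed by a success from the same source, while bob's single failure stays below the threshold.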