ICT 85 THE ECONOMIC UPDATE 06/08
“Simply put, to catch a thief you must think
like a thief,” says Mr Borg. “To this end we have
formed a team of Certified Ethical Hackers
and Penetration Testers, network engineers and
a team of social engineering professionals, to
provide extensive and realistic IT security audits
for companies,” he explains.
Although hacking has a low radar profile in
Malta, the risk of our networks being compromised
is actually rising exponentially. The tools used in
this activity are readily available on the internet
and forums that provide assistance and support
to hackers spring up with regularity.
In addition, more and more people are studying
IT in greater depth, allowing them to develop the
knowledge necessary to begin taking advantage
of these readily available hacking tools.
Today, businesses rely on the data contained
within their servers and the protection of this
information is essential to the operation of the
enterprise. Customers trust us to safeguard their
personal details and a data theft severs this trust,
with catastrophic effects on your customer base.
So how do hackers ply their trade and what
methods do they use to get into our systems?
Forget the Hollywood image of a young boy
sat alone with a giant computer, using it to gain
access to private networks. Instead, professional
hackers have a far greater variety of methods at
their disposal and some of them are very tricky
indeed.
Applying techniques detailed in the hacker’s
playbook, isecmalta.com put a network through
its paces to find out just how secure it really is.
“Social engineering, or the art of extracting
restricted information from employees, is one of
the most powerful weapons in a hacker’s arsenal
and one of the best ways to gain access to a
system,” Mr Borg explains.
This is achieved in a variety of ways, ranging
from simply phoning employees to request
information whilst impersonating IT support
staff, to actually applying for a computer-related
job at the company being hacked and using the
resulting interview to ask for specific information
about its network and its security.
“It is amazing the information you can get
simply by being polite and friendly,” Mr Borg
remarks. “Ironically, the methods are even more
effective when used on trained interviewers.
Actually, I enjoy the challenge…” he adds with
a smile.
Some HR executives and IT administrators
may be squirming in their seats, realising that they
are guilty of being a little loose with corporate
information during job interviews. However,
there are other loopholes that can be exploited
by a serious hacker – and these involve asking no
questions at all.
Visitors are rarely monitored on company
property and few organisations have a strict visitor
policy. Often, guests are simply given directions
to the relevant department and allowed to wander
over there on their own steam. Such practices are
highly dangerous and in doing so you could be
leaving your system wide open for attack.
Mr Borg is clear how this can be exploited: “A
hacker only needs a few seconds to slip a floppy
disc into a drive and this can install a variety of
anonymous malicious applications. Such software
can scan networks from that infected terminal and
send out the recorded information to a hacker.
Floppy drives are rarely used anymore and this
has the added advantage that such discs are likely
to go undetected for some time.”
Some may be reading this article, thinking
that they have no data worth stealing. However, a
recent case in the US had three hackers charged
with intercepting credit card information from
cash registers at a restaurant chain. The hackers
were located in three different countries, showing
that such threats are global. In addition, isecmalta.com
was recently involved in a case where a local
company was targeted by French hackers.
And your corporate data is worth a lot of
money to these people. Your competitors, for
example, may be interested in buying a copy of
your customer database, or plans of your latest
product. Hackers are quite unethical about what
they do with your data after they steal it and it
often goes to the highest bidder, or they may even
offer to sell it back to you at a price – something
known as data kidnapping.
Of course such data holds high value when
you are unaware that you have been hacked and
that your security has been compromised. For this
reason professional hackers are adept at covering
their tracks.
“There is a distinct lack of awareness in Malta
about the dangers of hacking and we need to alter
that, especially as our island is becoming more
and more technologically advanced,” Mr Borg
notes.
He is adamant that IT administrators are
not able to verify the security of their own
network simply because they know it too well
and take some of its features for granted. Hence,
companies should bring in specialised ethical
hackers to independently attack the system and
issue a comprehensive security audit report that
highlights any chink in the armour.
As our reliance on digital tools increases, we
need to protect ourselves with adequate security.
Failure to look after our vital IT resources leaves
us wide open to today’s hi-tech thieves. Otherwise
you may just find your sensitive information
becoming public knowledge.
The word ‘hacking’ is guaranteed to send shivers down corporate spines. Stolen
data, compromised passwords and crashed servers are the stuff of many CEOs’
nightmares. Justin Tonna met with Fabian Borg, Managing Director of isecmalta.com,
who tells him why companies should actually pay to have their systems hacked.