Several worrying news stories have emerged over the last couple of years indicating that not only are relatively well protected companies at risk, but that highly publicised attacks may be the tip of a much larger iceberg.
Over the last couple of years, we have seen a variety of high profile attacks that have struck at the heart of companies' systems. In January 2007, we saw the biggest attack yet on retail group TJX, which resulted in the theft of 45 million credit card records.
Grocery chain Hannaford Brothers experienced its own breach in March the following year, when it found that criminals had compromised its internal systems. 4.2 million credit and debit card numbers were stolen in that particular heist.
And Heartland Payment Systems, which revealed this January that its networks had been hacked, has still not revealed exactly how much data was stolen. It is, however, the target of several lawsuits from irate customers and financial institutions.
Common to each of these attacks was the use of malicious software, placed somewhere inside the organisations' networks. The software then proceeded to gather data for later harvesting.
These high profile attacks are only the tip of the iceberg. Networks of all sizes require constant vigilance against a variety of threats. Here are ten that you should know about.
10 ways to hack a system
Operating system flaws
Hackers can compromise operating systems directly by exploiting security flaws. This hack is getting harder to implement as operating systems get more sophisticated. Microsoft in particular has been striving hard to protect its systems by building in security during the development phase. However, some vulnerabilities remain, and even when they are patched by the vendors, they don't always get patched by the customers. A single infected client PC on your network can quickly spread malware far and wide.
Solution: "Patch your stuff," warns Emerson Tan, co-founder of security group PacketStorm Security, who sums up the situation thus: "Unpatched server + exploit archive + trivial scripting skills = the contents of your network all over the internet. Including the embarrassing or valuable bits."
SQL injection
SQL is the primary language used to manipulate databases. Web applications should use input validation to strip it out of any text entered into a web form. This often doesn't happen, however, meaning that criminals can use carefully constructed text to do everything from changing the product pricing in your database through to stealing your customer details — or deleting everything.
Solution: If you are operating a web application, review your code to ensure that user input is being properly validated.
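To make the review concrete, here is an added example (not code from the article) showing the two ways a product search can be written: one that pastes the form value into the SQL text and one that passes it as a parameter, with an allow-list check as a second layer. The table, product names and the tampered input are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample database: three products in an in-memory SQLite table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("Widget", 9.99), ("Gadget", 19.99), ("Gizmo", 29.99)],
    )
    return conn

def search_vulnerable(conn, term):
    # The form value is pasted straight into the statement, so a quote
    # character in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    # Parameterised query: the driver passes the value separately from the
    # statement text, so it can only ever be compared, never executed.
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()

NAME_RE = re.compile(r"^[A-Za-z0-9 ]{1,40}$")

def valid_product_name(term):
    # Allow-list validation as a second layer: reject anything outside the
    # characters a product name legitimately needs.
    return bool(NAME_RE.match(term))

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input mimicking a tampered form field
    print(search_vulnerable(db, "Widget"))  # one matching row
    print(search_vulnerable(db, crafted))   # every row: the WHERE clause became always-true
    print(search_safe(db, crafted))         # no rows: the value is treated as a literal name
    print(valid_product_name(crafted))      # False: rejected before reaching the database
```

When reviewing application code, the string concatenation in `search_vulnerable` is the pattern to look for; the parameterised form is the fix, and validation is a safety net rather than a substitute.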
Malicious web content
SQL injection is also a perfect way to insert malicious commands on a web site. Most web content these days is held in a database. Hacking the database to alter the content enables villains to insert special scripts and HTML tags on the site. The scripts can cause a browser to automatically download malicious software from a third party site, infecting any machine whose user happens to visit the web site.
Solution: Patch your client systems to make them less susceptible to drive-by attacks. Use an appliance or an online service that scans the URLs that your staff visit against a blacklist of sites with known malicious code.
Password cracking
Guessing passwords is often easier than we may think. Password cracking tools such as L0phtcrack can run through thousands of passwords in minutes in their attempts to get into a system. "Password guessing tools can still make short work of even some moderately well-constructed passwords due to the speed of modern hardware," says Bruce Potter, organiser of the Shmoocon hacking conference, and founder of security consulting firm Ponte Technologies.
Solution: Use passphrases (long, easy-to-remember sentences) instead of passwords. Consider deploying two-factor authentication, which requires users to carry a piece of hardware in addition to their password. Require passphrases to be changed frequently.
Social engineering
Perhaps the easiest way to find a password is simply to call the owner, pretending to be someone in the IT department, or someone in authority. All it takes is one gullible user to give up their details, and the hacker then has a foothold in the system. Other popular social engineering techniques include dumpster diving (looking for technical information and account details thrown out in the garbage). For more, read The Art of Deception by Kevin Mitnick.
Solution: Staff training is crucial. Employees should be schooled in security policies that include, for example, verifying the roles and identities of people requesting sensitive information.
Malicious email
You may have put firewalls in place, but what happens when someone sends an email to your employees with a link to a malicious web site, or an attached file with a built-in exploit? Thanks to flaws discovered in programs such as Excel and Adobe's PDF reader, opening specially-crafted files in these programs can result in a system compromise, and could allow criminals to run their own code on your computers.
Solution: Install anti-spam software, and anti-malware software on your computers, but don't rely on this alone. Train staff not to open files that they don't recognise from people they're not familiar with. Patch all application software to minimise the chance of exploits.
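One check that anti-malware filters perform on incoming mail, shown here as an added example that is not from the article: compare each attachment's declared file type with the first bytes of its content and flag executables and mismatches. The message, its sender addresses and the attachment bytes are constructed; the magic-number table is a small subset, not a complete one.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes that identify common attachment formats (small constructed subset).
MAGIC = {"pdf": b"%PDF-", "xls": b"\xd0\xcf\x11\xe0", "exe": b"MZ", "zip": b"PK\x03\x04"}
# Extensions a mail gateway would normally refuse outright.
BLOCKED_EXT = {"exe", "scr", "com", "pif", "bat"}

def build_sample_message():
    # Constructed message: one genuine-looking PDF, one "PDF" that is really a
    # Windows executable, and one attachment with an executable extension.
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00constructed",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00constructed",
                       maintype="application", subtype="octet-stream", filename="setup.scr")
    return msg.as_bytes()

def check_attachments(raw):
    """Return (filename, reason) for every attachment that should be held."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXT:
            findings.append((name, "blocked executable type"))
            continue
        expected = MAGIC.get(ext)
        if expected and not data.startswith(expected):
            # The extension promises one format but the bytes say another.
            kind = next((k for k, m in MAGIC.items() if data.startswith(m)), "unknown")
            findings.append((name, f"content looks like {kind}, not {ext}"))
    return findings

if __name__ == "__main__":
    for name, reason in check_attachments(build_sample_message()):
        print(f"HOLD {name}: {reason}")
```

A real gateway layers this with signature and behavioural scanning; the point here is that the declared name of a file is not evidence of what it contains.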
Physical access
The easiest way to compromise a system is to infect it directly, by inserting a USB key with malicious code, for example. No firewall will stop an intruder from entering a poorly-protected office and doing everything from directly infecting a computer to inserting a small keylogging device between a keyboard and a computer, which will happily collect password credentials until the intruder returns to retrieve it.
"Once a bad guy is in front of your precious machine, it's game over. I've lost count of how many ways a machine can be taken over once you're in front of it. Sometimes it's as simple as sticking a CD into the computer," says Tan. "In 2005 an Israeli hacker managed to take over the PCs of a number of high ranking executives simply by mailing a CD with a trojan on it, marked Business Proposal…"
Solution: Adopt a converged security approach by marrying physical and logical security together. Protect access to your building and require people to identify themselves. Train staff to question people in the building that they don't know.
Network devices
Some hackers may choose not to go after PCs in the network at all. It is easier in some cases to simply compromise the routers, switches, firewalls or other devices that keep the network operating, and use them to control the network directly.
Solution: Change the default passwords on your network equipment. Keep its firmware updated. Ensure that you only buy the equipment from reputable sources, so that you aren't buying counterfeit kit that has been tampered with.
Wireless networks
The rise in flexible working has resulted in some serious vulnerabilities. I am writing this article in a public place, on an open wireless network. If I logged into my webmail account, my password would be sent using an encrypted signal, but as soon as I had logged in, everything else would be sent in plain text. This means that anyone sniffing the wireless network using free open source software such as Kismet could read my email – and pick up various kinds of sensitive information.
Solution: Use a virtual private network when surfing in a public place. VPN hardware can be purchased and installed at your office, and your computer can connect to it before surfing the web. This will encrypt all of your traffic.
Find the weak point
You've secured your database. You've checked your application code. You've installed your firewalls. Great. But what about the old, unpatched system logging server humming gently away in the corner? It's the perfect exploit vector for a hacker, who could then use it to mount an attack on your other systems, from inside the network.
Solution: Manage your assets carefully. Ensure that you have catalogued and adequately protected all of your hardware and software.
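The forgotten logging server is found by reconciling the asset register against what is actually on the network. The following is an added example, not from the article, that does that reconciliation over a constructed register and a constructed list of addresses seen on the wire (the hostnames, addresses, owners and dates are all made up), reporting uncatalogued hosts, catalogued hosts that have gone missing, and hosts with no owner or no recent patching.

```python
import csv
import io
from datetime import date

# Constructed sample asset register (CSV) and constructed list of addresses
# observed on the network, e.g. from switch ARP tables or DHCP leases.
INVENTORY_CSV = """hostname,ip,owner,last_patched
web01,10.0.1.10,web team,2009-03-01
db01,10.0.1.20,dba,2009-02-15
syslog01,10.0.1.90,unknown,2007-06-30
"""
SEEN_ON_NETWORK = ["10.0.1.10", "10.0.1.20", "10.0.1.90", "10.0.1.200"]

def load_inventory(text):
    # Parse the register and turn the patch date into a real date object.
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_patched"] = date.fromisoformat(row["last_patched"])
    return rows

def find_weak_points(inventory, seen, today, max_age_days=90):
    """Return hosts that are unmanaged, stale, or missing from the network."""
    known = {row["ip"]: row for row in inventory}
    # On the wire but not in the register: nobody is responsible for these.
    unknown = sorted(ip for ip in seen if ip not in known)
    # In the register but not seen: retired, moved, or the register is wrong.
    missing = sorted(ip for ip in known if ip not in seen)
    # Catalogued but neglected: no owner, or not patched within the window.
    stale = sorted(
        row["hostname"] for row in inventory
        if row["owner"] == "unknown" or (today - row["last_patched"]).days > max_age_days
    )
    return {"unknown": unknown, "missing": missing, "stale": stale}

if __name__ == "__main__":
    report = find_weak_points(load_inventory(INVENTORY_CSV), SEEN_ON_NETWORK, date(2009, 4, 1))
    for category, hosts in report.items():
        print(f"{category}: {hosts}")
```

Run regularly against live address data, the "unknown" and "stale" lists are exactly the machines a hacker would look for first.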
Ultimately, none of these things will help protect you against the other major threat – insider fraud. If your administrator is working in collusion with third party groups to help them break into your network, your efforts will be for naught. One way to get around this is by implementing stricter administrative controls on the network, ensuring that administrators and their actions are properly policed and audited.
No single approach will save your network from being hacked, but the more measures you take, the harder you will make it for attackers to infiltrate your systems — and the more likely they are to move on to the next potential victim. In the modern security landscape, the people less likely to be hit are those that present the hardest target for an attacker.