'Super simple' hacking tricks revealed

Cape Town - While cyber security breaches continue to make tech news headlines, experts have revealed that it is surprisingly easy to compromise individuals and companies.

This year, large corporations such as Target, Home Depot and eBay have experienced cyber security lapses as hackers appear to run riot through security protocols.

But while the breaches themselves appear spectacular, a cyber security expert revealed that simple social engineering tools are easily employed to gain unauthorised access.

"We would actually go and visit the client and we distribute USB sticks: Leave it in the bathrooms, leave it in the meeting rooms; put it on the desks," Trustwave cyber security expert Leon Van Aswegen told Fin24.

Trustwave is often tasked with investigating whether a company's security is up to scratch and, through its SpiderLabs division, employs ethical hackers who test all aspects of cyber security.

Simple strategy

"On the USB is a piece of code, if you open it up... people want to do the right thing. You make it look legitimate - put your pictures on there, make it look like it's personal images and the person wants to return it to you because you're going to lose your data," said Van Aswegen of how the social engineering trick works.

"As soon as a click on a folder or anything, the script runs and you know that data is lost."

But it's not only one person that can be easily compromised with a planted flash drive. People in an office keen to track the owner of a lost stick will often share the device with colleagues.


Spam remains an effective way to deliver malware to computer users. (Duncan Alfreds, Fin24)

"The funny thing is that if you start to number your devices, and this is where awareness comes in: It's not just one individual - they even share that disk, they plug into various machines and in that way you compromise not just one individual, but potentially six or seven," Van Aswegen said.

This way, even if the first individual doesn't have administrator rights to the company's server infrastructure, by sharing the harmful stick, a hacker could potentially hit on somebody that does have privileges.

But there are far simpler methods to compromise a company.

Many firms recycle paper and don't think twice about the information printed on the paper. This information can include financial statements, business proposals and even strategy.

Implementation

"If I'm a syndicate stealing information in the business of fraud, I'm going to target that driver. I'm going to offer him R10 000 a month to provide me with that information - it's as simple as that," said David Taylor of how easy it would be to target the person who collects recycled paper from corporations.

Taylor is a former associate professor of ICT law and founder of CyCaD - a cyber war NGO.

And few companies consider the integrity of third-party service providers who conduct maintenance tasks in the office.

"If you have a technician who comes to service the photocopy machine, are you aware that there are still images stored on the hard drive?" Taylor added.

Ultimately, weak implementation of security protocols plays an important role in making companies vulnerable to cyber security intrusion.

The 2014 Trustwave Global Security Report found that weak passwords contributed to 31% of intrusions the company investigated in 2013.

The most commonly used password was "123456", followed by "123456789", "1234" and "password".

"It is a very big problem, and I'll tell you why: People are lazy. So if your company policy says to you that you've got to use a minimum of eight characters… users themselves, because they work for the company, they don't really care," said Andrew Kirkland, Trustwave regional director for Africa.
