In the drier regions of the American Northwest, firefighters have developed a useful technique to battle the wildfires that burn thousands of acres of forest every year. This technique, known as “backfiring,” instructs firefighters to use a controlled fire to burn away a wildfire’s fuel path to quell or divert the flames.
This technique of quite literally fighting fire with fire also applies, in a metaphorical sense, to cybersecurity threats. Just as backfires burn away a wildfire’s momentum, ethical hackers exploit and disrupt vulnerabilities in your institution’s security framework before criminals can.
Before ethical hacking can commence, you must be aware of your security vulnerabilities. Your institution’s security framework is only as strong as its weakest point, and if a cyber criminal uncovers that weakness before you do, you’re in trouble. Regular vulnerability assessments help keep your institution both compliant and secure.
Once a vulnerability has been flagged, it’s time to put it to the test. Ethical hacking, or penetration testing, uses seasoned security veterans to circumvent your network security, drawing on the same tactics used by cyber criminals around the world. Regulators recommend both external and internal penetration tests:
- External Penetration Testing: This includes gathering public information that real hackers can use to penetrate your network, and conducting safe exploit attempts to test your institution’s firewalls, perimeter routers and web servers.
- Internal Penetration Testing: This type of testing assumes that a criminal has already gained access to your network. Here, ethical hackers will try to gain credential information, find domain passwords and, essentially, do everything a real hacker would do.
Once a full penetration test of your security infrastructure is complete, only one security component remains: your institution’s employees.
Hardware and software might require updates or patches, but human beings are the one security element that can’t be patched.
Criminals conceive new methods daily to infiltrate your bank’s human network. These methods are creative, enticing and dangerously effective, because they prey on natural emotions and fears. These schemes, mainly perpetrated through phishing emails, often entice employees to click on a link that delivers malware or to enter their personal credentials. Once obtained, the criminal will use those credentials to access your institution’s network.
Social engineering testing is essential to understanding your bank’s security status. Through this service, ethical hackers will use some of these tactics to test your employees’ susceptibility to real phishing schemes:
- Preying on Paranoia: Human beings are naturally susceptible to deception, especially when criminals tap into their paranoia. A criminal will send an email indicating that unregulated traffic has been detected on the employee’s device and requiring them to enter their credentials, with threats of disciplinary action if they refuse.
- Update in Progress: Contrary to our first example, some social engineering attempts rely on the humdrum of everyday monotony. Criminals will send an email posing as an administrator and asking for a simple update of emergency contact or login information. Viewing this as “no big deal,” employees oblige.
- Suspicious Activity: A timeless classic among cyber criminals. A “suspicious activity” alert is sent, requiring a download or update (often from Microsoft). Many such updates are perfectly legitimate, which is why this particular strategy is so effective. A single click on the bogus link is all the cyber criminal requires to infect your network with malware.
These are only a few of the countless social engineering tactics available to criminals. And the more a criminal knows about your institution, the more specific, and the more effective, their attacks become.
Before taking stock of your institution’s security infrastructure, you must determine whether and where liabilities exist. Start with a vulnerability scan to assess possible breach points. Then use penetration testing and social engineering testing to weed out those specific vulnerabilities. These types of tests are exceptionally effective for banks, because they use real-world scenarios, like those listed above, to stage attacks on your institution’s security measures as well as your employees; in essence, fighting hacking with hacking.
Terry Anderson, CISSP/OSCP, is a senior risk and compliance consultant and penetration tester for CSI Regulatory Compliance.