To know the taste of a specific food item, you have to put it in your mouth. To know how durable an item is, you need to subject it to a battery of tests and then compute its MTBF. As industry moves from traditional devices to using more modern, connected devices and systems that are always on, security is seen as a major obsession.
People need to know how secure their network is against external attacks. However, just as an arch can withstand a good amount of external load, but crumbles easily against an internally applied pressure, so can networks. Some of the biggest security threats faced by networks unwittingly comes from people on the inside and not from those who are outside the network.
Companies employ a Certified Ethical Hacker to hack into their networks in an attempt to expose security weaknesses that they might have overlooked while securing their network. A company may have several external infrastructures – VPN access points, email servers, domain name servers, web servers, perimeter firewalls and other applications – accessible publicly from the internet. Typically, this is where the Certified Ethical Hacker starts his work.
The hacker has several tools to help him in his task. They include password crackers, keystroke loggers, eavesdropping, denial-of-service, sniffers and remote controls. In fact, hackers usually employ powerful digital tools akin to an expert lock-picker’s toolkit and they use these to attack the firewall systems.
Most companies take great care to make their networks impenetrable against external attacks. Therefore, it is no surprise to hackers if they are unable to get in. However, these same companies often overlook insider threats. Hackers can expose these vulnerabilities, especially, people working on the inside. This depends on a very simple fact – most people’s response is highly predictable when they are placed in a particular situation.
For example, consider what someone will do with an unclaimed innocent-looking USB flash drive lying on the toilet paper holder in the company’s washroom. That’s right, 90% of those finding the USB key will want to know what it contains and plug it into their computer to find out!
Now, a hacker may have knowingly planted a computer program on the flash drive that would auto-run and execute a remote connection to his computer as soon as someone operated the drive. That would give the hacker instant access to the company’s network. The program would take the computer owner’s encrypted credentials and pass them to the company’s own server, thus mimicking a normal and real login.
Once the hacker is able to log into the network of the company, he can unleash any amount of mayhem. He can extract usernames and passwords, open and interact with any file on the compromised system and even take screenshots of current activities on the desktop of the user.
The Certified Ethical Hacker will report his findings to the company management about how easy or difficult he found it to hack into the company’s network. This highlights the fact that security is not just about the protection of the firewall of the network. Even when there are no disgruntled employees, internal threats can be real.