SecTor 2020: The blonde, the smile, and the hack

An attractive blonde follows a man onto an office elevator. “Nice to see you again,” she says to him.

He pauses. She must be right, he figures, so he smiles back. Then she compliments him on his scent.

The elevator arrives at his floor, which is security controlled. He inserts his access card into a slot in the elevator panel, and when the doors open, he turns to the woman and says, “Ladies first.”

The blonde is Paula Januszkiewicz, CEO of Cqure Inc., a Polish-based penetration testing and auditing company, who has just accomplished the first part of her assignment: Get unauthorized access to a customer’s office.

It’s lunchtime at the office she just entered. Staff are leaving their desks. Company policy is that employees must log their PCs off the network before leaving them unattended, precisely to prevent what is about to happen. Even if they forget, machines are configured to log off after five minutes. One staffer leaves his computer on. Januszkiewicz sits at his desk. She yawns or coughs, loudly enough that other staff see a stranger sitting at someone’s desk. No one comes over to ask who she is.

So Januszkiewicz is free to insert a specially created USB key and hack into the system.

The lesson

There’s a lesson from this incident, Januszkiewicz told the SecTor 2020 virtual conference on Wednesday: If an attacker does things with confidence, they may get through anything from physical security to anti-phishing filters.

As the keynote speaker for this year’s conference, Januszkiewicz emphasized the importance of understanding how cyber attackers see your infrastructure: as an object to be manipulated through knowledge of human behaviour.

Behaviour like being lazy in picking passwords. On an assignment to penetrate an energy company, Januszkiewicz had no problem guessing some employee passwords. She assumed at least one person would use the firm’s name and just add “2020.” She was right. Twenty-nine of 6,000 employees had that password.
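The defensive counterpart to that guess is a password filter that rejects the company name combined with a year before the password is ever set. The following Python is an added example written for this article, not code from Cqure or from the talk; the company name “Acme Energy” and the sample passwords are constructed placeholders. The filter tolerates separators and common digit-for-letter substitutions, and catches the year on either side of the name.

```python
import re
from typing import Dict, List

# Letters people commonly swap for look-alike digits or symbols (constructed list, not exhaustive).
LOOKALIKES = {"a": "a4@", "e": "e3", "i": "i1!", "o": "o0", "s": "s5$", "t": "t7", "l": "l1", "b": "b8", "g": "g9"}


def _fuzzy_word(word: str) -> str:
    """Turn 'acme' into a regex that also matches '4cm3' and 'a-c-m-e'."""
    parts = []
    for ch in word.lower():
        if ch.isalpha():
            parts.append("[" + re.escape(LOOKALIKES.get(ch, ch)) + "]")
        else:
            parts.append(re.escape(ch))
    # Allow punctuation or spaces between the letters of the name.
    return r"[^a-z0-9]*".join(parts)


def company_password_pattern(company_name: str) -> "re.Pattern[str]":
    """Match <company name, or any word of it> next to a two- or four-digit year, in either order."""
    words = re.findall(r"[a-z0-9]+", company_name.lower())
    alternatives = [_fuzzy_word("".join(words))] + [_fuzzy_word(w) for w in words if len(w) >= 3]
    name_part = "(?:" + "|".join(alternatives) + ")"
    # A year is an optional century '19'/'20' plus two digits, not embedded in a longer digit run.
    year_part = r"(?<!\d)(?:19|20)?\d{2}(?!\d)"
    sep = r"[^a-z0-9]*"
    return re.compile(f"(?:{name_part}{sep}{year_part}|{year_part}{sep}{name_part})", re.IGNORECASE)


def is_company_year_password(company_name: str, password: str) -> bool:
    """True if the password is a 'company name plus year' guess that an attacker would try first."""
    return company_password_pattern(company_name).search(password) is not None


def audit_passwords(company_name: str, passwords: List[str]) -> Dict[str, bool]:
    """Map each candidate password to whether it would be rejected by the company-name rule."""
    pattern = company_password_pattern(company_name)
    return {pw: pattern.search(pw) is not None for pw in passwords}


# Constructed sample candidates; a real deployment checks these at password-change time, never from stored plaintext.
COMPANY = "Acme Energy"
SAMPLE_PASSWORDS = [
    "AcmeEnergy2020",                  # the exact pattern from the talk
    "acme-energy_2020!",               # separators and punctuation
    "4cm3Energy20",                    # leetspeak and a two-digit year
    "2019Energy",                      # year first, single word of the name
    "Acme",                            # name without a year: not this rule's concern
    "Acme123",                         # digits, but not a year
    "correct horse battery staple",    # unrelated passphrase
]

if __name__ == "__main__":
    for pw, rejected in audit_passwords(COMPANY, SAMPLE_PASSWORDS).items():
        print(f"{'REJECT' if rejected else 'ok    '}  {pw}")
```

The rule is deliberately narrow: it blocks the one guess that worked twenty-nine times in the story, and it belongs alongside a breached-password check rather than in place of one.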

Bad behaviours

Other bad user behaviours hackers take advantage of include:

  • Falling for dropped USB scams. One study showed 90 per cent of people who find USB drives with a company logo in a parking lot will plug it into a company computer to find out who it belongs to. In fact, 60 per cent will do it even if there is no logo. Infected USB devices could run unapproved code. One solution is a whitelisting policy that prevents unapproved code from executing;
  • Falling for phishing and clicking on infected attachments. There’s no shortage of examples, but Januszkiewicz spoke of a new one: A seemingly empty Excel spreadsheet with an infected picture hiding behind an empty cell. If an employee clicks on a cell trying to see if the spreadsheet has hidden information, the malware executes. One solution is strict access management to prevent admin accounts from being taken over by malware;
  • Hacking lost smartphones. Seventy per cent of smartphone owners don’t password-protect their devices, one study shows. One solution: A strict company policy of reporting the loss of company or personal devices that access corporate data;
  • Careless use of public Wi-Fi with devices that access corporate data. One solution: Better user awareness training.

Thinking like a hacker, Januszkiewicz said, will allow organizations to design successful cybersecurity strategies.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
