Think Like a Hacker: How Companies Can Stop Cyber Crime
December 14, 2022
As cyber threats continue to grow, organizations need to understand the extent of their exposure to online crime and the quality of their defenses. Testing their security controls can play a crucial role in gaining those insights.
Aon’s 2022 Executive Risk Survey of C-suite leaders and other senior executives in the U.S., the UK and Europe found 40 percent of respondents reported that their organizations were spending a great deal of time addressing the threat of cyber attacks.
The executives’ level of concern isn’t surprising: according to the U.S. Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), the agency received a record number of complaint reports in 2021. Total losses topped $6.9 billion, with business email compromise representing the majority of the attacks.
Cyber security testing identifies just where an organization might be vulnerable to online attacks, enabling it to direct its defenses appropriately. This testing is more than a technical exercise. It also involves understanding human nature.
“Within the realm of cyber security, testing teams do more than just sit behind a keyboard,” says Erin Whitmore, director of thought leadership at Aon Cyber Solutions. “They have to look comprehensively at a client, at their network and how they’re going to break it. These testers are a rare breed within cyber security — they’re like the James Bond of the cyber security world.”
Among those doing cyber security testing, “red teams” — groups playing the role of sophisticated cyber attackers to help identify vulnerabilities — occupy a distinctive and valuable niche.
“In any other context, what they do would be illegal,” says Whitmore. “Sometimes in these assessments, they’re physically going into places to test security. They might get hired as a ‘new employee’ to see how quickly they can break the network from the inside.”
Red teams look at every type of manipulation to identify system vulnerabilities, just as real cyber criminals would.
Testing Cyber Security
Cyber security testing can involve several elements, including red team and social engineering assessments. Social engineering in cyber security involves testing an organization’s cyber resilience by attempting to exploit a number of different attack vectors, including the organization’s own people.
“When we’re doing social engineering testing, we not only assess how many users are clicking a link and entering their credentials, but we also do a password analysis where we look over the passwords and tell the client how secure they are,” explains Miranda Skar, senior security testing consultant at Aon. Setting stricter password requirements and identifying passwords that have already been compromised could help organizations reduce the risk of successful social engineering or credential stuffing attacks.
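The password analysis described above can be reproduced in a defensive audit. The following example is added here and is not Aon's tooling: it applies a minimum-length policy and checks each password against breach data using the k-anonymity range lookup popularized by the Pwned Passwords service (only the first five hex characters of the SHA-1 hash would leave the organization). The breach corpus and the sample accounts are constructed; a real audit would query the live service or a local copy of the dataset.

```python
import hashlib
from typing import Dict, List

MIN_LENGTH = 12  # assumed policy minimum for this example

# Constructed stand-in for a breached-password corpus (password -> times seen).
CONSTRUCTED_BREACH_COUNTS = {"password": 3861493, "Summer2022!": 42, "letmein": 15000}

# Constructed sample of credentials gathered during an assessment.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2022!",
    "bob": "letmein",
    "carol": "correct horse battery staple",
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash format used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> Dict[str, int]:
    """Simulated server side of a range query: every hash suffix whose
    full hash starts with the 5-character prefix, with its breach count."""
    matches = {}
    for pw, count in CONSTRUCTED_BREACH_COUNTS.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            matches[digest[5:]] = count
    return matches


def breach_count(password: str) -> int:
    """Client side: send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def audit_passwords(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Return policy and breach findings per account (empty list = clean)."""
    findings = {}
    for account, pw in accounts.items():
        issues = []
        if len(pw) < MIN_LENGTH:
            issues.append(f"shorter than {MIN_LENGTH} characters")
        seen = breach_count(pw)
        if seen:
            issues.append(f"seen {seen} times in breach data")
        findings[account] = issues
    return findings


def exposure_rate(findings: Dict[str, List[str]]) -> float:
    """Fraction of audited accounts with at least one finding."""
    flagged = sum(1 for issues in findings.values() if issues)
    return flagged / len(findings) if findings else 0.0
```

Accounts flagged by `audit_passwords` are candidates for a forced reset, and `exposure_rate` gives the headline figure a client report would carry.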
Maintaining cyber security may also include testing an organization’s hardware and its connections to Internet of Things (IoT) devices. This form of security testing looks for weaknesses in computer code, vulnerabilities in non-hardened hardware or vulnerabilities in the organization’s IoT technologies.
An Ever-Evolving Process
It’s become easier than ever to launch a cyber attack. Meanwhile, the nature of cyber security testing has evolved along with the evolution of web applications and increasing digitization in business.
Faisal Tameesh, technical director at Aon Cyber Solutions, explains that since the rise of Web 2.0 — websites and applications that incorporate user-generated content — web application testing has become the predominant form of testing.
The types of cyber threats are evolving as well, and the cyber security testers have to keep up.
“It’s always a cat and mouse game,” says Tameesh. “When companies come up with ways to stop certain attacks, the threat actors will come up with new ways to attack. It’s at a rapid pace because things like ransomware have become almost commercialized. So as an offensive hacker you really have to spend time doing your research.”
Addressing the Human Factor
With such a large percentage of cyber attacks relying on social engineering, such as phishing scams, cyber security testers must consider human behavior.
“With a lot of the social engineering assessments, we’re actually testing the employees,” says Skar. “It is guaranteed that if you have 100 employees, someone’s going to click on that link if the email gets through technical controls.”
Ultimately, a combination of training and technical controls is required to help reduce the risk of cyber threats.
“You need to set up your technical controls to actually block those emails from ever getting there,” Skar says. “And you need to train your employees to make sure that they know how to properly handle those emails that do get through.”
The Benefits of Comprehensive Testing
A red team engagement may be the most comprehensive tool in a company’s cyber security arsenal. “A company that chooses that sort of testing will receive the most assertive assessment of where their cyber security stands,” says Whitmore. In their attempts to break every aspect of an organization’s security, red teams can ultimately help to guard access to networks and employee data.
“To the average person, a hacker is someone in a dark room wearing a hoodie,” Whitmore says. “But the red teams are so much more than that.