“Getting into any system anywhere with the right amount of time, effort, and funding is completely possible,” says professional hacker Chris Nickerson. This includes YOUR association’s computers and servers. That may not be the news you want to hear right now, but it may be the news you need to hear.
Acknowledgement of this truth is what brings organizations to Certified Information Systems Security Professionals (CISSP) like Chris and his team at Lares Consulting. In terms of their day-to-day work, Chris explains, “The bulk of what we do is adversary simulation services. A sparring partner is a key [training] element to a professional boxer, and we are the equivalent of a sparring partner for today’s electronic business. We do lots of penetration testing: trying to get in from the outside or showing what can happen when someone does get in from the outside.”
In this sparring, the hacker side can use all the tools available to them in an actual attack: social, electronic, and physical. Chris explains that he and his team combine these tools into a mixed-discipline attack. To start with, they gather information that is already publicly accessible on sites such as LinkedIn and an organization’s public-facing website, a method referred to as Open Source Intelligence (OSINT) gathering. “For most organizations, no matter how big they are, I can get a good 50-80% of all the users in that organization through [OSINT].”
At this point, the team finds an access point, such as the Virtual Private Network (VPN) that remote employees use to access their office’s systems, and tests out the names gathered from OSINT with common weak passwords. The result? “You’ll notice that very quickly you end up getting access to some of those users, some of those accounts, which now provides you access to the internal network.”
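The pattern Chris describes above, many user names from OSINT tried against a VPN with a handful of common passwords, leaves a distinctive trace in authentication logs: one source failing against many different accounts in a short window, rather than one account many times. The following detection check is an added example, not code from the article or from Lares Consulting; the log format and the sample lines are constructed for illustration.

```python
"""Flag password-spraying activity against a VPN login: one source failing
against many *distinct* user names inside a short time window, and any
successes from that same source afterwards.  Added example; the log format
and the sample log below are constructed, not a real product's format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN auth log: "<timestamp> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2018-10-01T09:00:01 203.0.113.7 alice FAIL
2018-10-01T09:00:03 203.0.113.7 bob FAIL
2018-10-01T09:00:05 203.0.113.7 carol FAIL
2018-10-01T09:00:07 203.0.113.7 dave FAIL
2018-10-01T09:00:09 203.0.113.7 erin FAIL
2018-10-01T09:00:11 203.0.113.7 frank SUCCESS
2018-10-01T09:05:00 198.51.100.9 alice FAIL
2018-10-01T09:05:30 198.51.100.9 alice FAIL
2018-10-01T09:06:00 198.51.100.9 alice SUCCESS
"""

def parse(log: str):
    """Yield (time, src_ip, user, result) tuples from the constructed format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def find_sprays(log: str, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: (distinct_users_failed, users_logged_in)} for every
    source that failed against at least `min_users` different accounts
    within `window`.  A brute force hits one account many times; a spray
    hits many accounts once or twice, so the distinct-user count per source
    is the discriminator (a single user mistyping a password never trips it)."""
    events = defaultdict(list)
    for ts, ip, user, result in parse(log):
        events[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            failed = {u for _, u, r in in_window if r == "FAIL"}
            if len(failed) >= min_users:
                # Successes from the same source during the spray are the
                # "access to some of those accounts" the article warns about.
                hits = sorted({u for _, u, r in in_window if r == "SUCCESS"})
                alerts[ip] = (len(failed), hits)
                break
    return alerts
```

Run against real VPN logs, any account listed as a success from a flagged source is the one to reset and investigate first; the mitigations Chris names later, stronger passwords and multi-factor authentication, are what stop the spray from producing that success at all.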
After gaining an electronic toehold, Chris and his team can then move into the physical world if need be. “We’ll elevate our privileges in the [electronic] environment, gain access to those badge control systems so that we can get all of the facility codes and then remotely we’ll create our own badges so that by the time we want to walk in and go onsite we already have a badge that works. So even when the front desk security guards take a look at us, we badge in successfully, it’s a picture of us, happy and smiling, walking right through as we’re getting into their data center.”
Scary scenario, right? But it doesn’t have to be. Chris reminds us that, although we can never stop a determined and resourced hacker from gaining access to a system, we can do something. We can make it harder for the hacker to get in, so that the time, effort, and risk needed to get in are greater than what the hacker is willing to take on.
During his webinar on October 30th, 2018, Chris will dispense advice on making computer security measures, and the people who use them, much harder to get around. Of course, there will be advice on how to develop more secure passwords and institute multi-factor authentication. However, Chris will also provide “an overview of the landscape of what it really looks like from the attacker’s side of the internet.” Learn what questions you should be asking, and what actions you should be taking, as an association executive to mitigate your organization’s security risks. Afterward, you will be further along in understanding the true nature of the internet’s risks to your association and how you can act confidently in the face of that reality.
Register for this special webinar with Chris Nickerson, CISSP, on Tuesday, October 30th, 2018 at 11:30 AM CT.