The Biggest Threats to Your Security Network - #3
#3. "Low Hanging Fruit"
Easy Ins for Opportunistic Hacking
In dealing with security, and specifically in looking for points of entry within a network, we always look at breadth first, not depth. After all, most hackers are looking for the path of least resistance. If there is an easy way to break in, it will be exploited a hundred times before any real effort has to be put into compromising your network.
We refer to these vulnerabilities that can be very easily exploited with publicly available hacking tools as 'low hanging fruit' - easy targets for malicious entities; and most organizations are surprised at just how many of these weak points exist in their systems.
To identify low hanging fruit, we adopt the most popular and prevalent contemporary hacking techniques to test a network. The truth is, we normally don't have to go very deep into the repertoire of hacking expertise to find a way in.
All the tools our security assessment team uses in these tests are publicly available (free on the internet), and we act as a malicious user and attempt to gather as much info about the company we can to break in. We look for low hanging fruit in the form of unpatched programs or misconfigured systems that will be vulnerable to known exploits. These things can be compromised directly. The majority of the time, this kind of shallow attack produces an inlet into the network.
The quickest break-in we ever executed was three minutes after arriving on site. After three minutes, we had domain admin - control of all their networks and all their servers. 75% of the networks we are hired to test are compromised by our team in the first day or two.
Now really, this sounds like bragging, but it isn't. And that's the point. We get into most networks using a path of least resistance that could be found and followed by the majority of hackers.
It's not that our team are made up of brilliantly creative hackers that operate a cut above most in the field; it's that using software that is free to download anywhere, and techniques that nearly anyone could adopt, any determined hacker can find a way into 75% of networks out there within a day or two. This is because it doesn't take a brilliant or unprecedented hacking mind to break into a network, since most have low hanging fruit that can be exploited by even the laziest malicious attacks.
So what could it mean to your network to identify and deal with this low hanging fruit? It means being among the 25% of companies that are difficult enough to break into to discourage the average hacker - who is more opportunistic than determined. Eliminating low hanging fruit will put you out of reach of the majority of malicious opportunists.