Data Security

Breaching Security

What is a security breach?

Definition


The Information Commissioner's Office (ICO) defines a data breach or security breach as one that leads ...

"... to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service."

This means ...

Anything that leads to the loss of, or unauthorised access to, data, applications or services.

Some people also use the term Data leakage to refer to the unauthorised release of data into the outside world.

Methods to breach security!

So there's this organisation you want to get into. Perhaps you've been hired to test the organisation's security (you're a 'white hat' hacker, a goodish guy) or you want to fix the results of an election, say (you're a 'black hat' hacker, a baddish guy). The first thing to think of is how you're going to do it.

Fortunately, from the thousands of security breaches that have occurred, most are due to a handful of methods.


1. Exploit the Defaults.

Always try the default settings first.

There are sites that detail all default settings used by each manufacturer. These are set by the manufacturer and they rely on the user to change them to their preferred settings on installation.

However, users often fail to change them, either because they don't know how or because they are afraid to, in case they can't get back in. And it's not just the password defaults you need to try. There are all the 'standard' installation locations and folders to try. Unless the user has changed them from their standard places, they are available to attack with tools and exploitation scripts.

2. Steal the Password

Getting hold of a password makes your job a lot easier and, as we know by now, there are a number of ways to do this.
  • Try a brute force attack.
  • Try to grab the password as it's passed in plain text, if the target uses insecure protocols for web surfing, e-mail, chat or IM, or plain file transfer.
  • Use 'key-logger' software to record the password as it's typed in.
  • Observe it through 'shoulder surfing' or video surveillance.
  • Discover whether the password is written down.

It's always worth trying to steal the password first. Most users know that they should use long, hard-to-guess passwords. The trouble is, these are always difficult to remember, so few follow this advice, and if it's organisational practice to change passwords frequently, users are even more likely to write them down.
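The brute force attack in the list above is also the easiest of these methods for the defender to spot, because every guess leaves a line in the authentication log. The following is an added example (not from the course page or the ICO) of the detection logic a system administrator would run over those lines: it counts failed logins per source address inside a sliding time window and, more importantly, flags a successful login that follows a burst of failures, since that is the case where the password has probably been stolen. The log lines, host name `gw`, addresses and the year used for parsing are all constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not a real capture): six failed logins from
# one source in 20 seconds, then a success from that same source, then an
# unrelated success from a different address and one non-login line.
SAMPLE_LOG = """\
Mar 10 09:00:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 09:00:03 gw sshd[1201]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 10 09:00:05 gw sshd[1202]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 09:00:07 gw sshd[1203]: Failed password for alice from 203.0.113.7 port 50125 ssh2
Mar 10 09:00:09 gw sshd[1204]: Failed password for alice from 203.0.113.7 port 50126 ssh2
Mar 10 09:00:11 gw sshd[1205]: Failed password for alice from 203.0.113.7 port 50127 ssh2
Mar 10 09:00:20 gw sshd[1210]: Accepted password for alice from 203.0.113.7 port 50130 ssh2
Mar 10 09:05:00 gw sshd[1300]: Accepted password for bob from 198.51.100.4 port 40001 ssh2
Mar 10 09:05:01 gw systemd[1]: Started Session 42 of user bob.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_line(line, year=2024):
    """Return (timestamp, accepted, user, ip) for a login line, or None for
    any other line. Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag a source address once it reaches `threshold` failures inside a
    sliding window, and flag any success from a source that still has that
    many recent failures (the event an incident responder most needs to see)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, accepted, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget failures older than the window
        if not accepted:
            q.append(ts)
            if len(q) == threshold:  # fire once per burst, not on every extra failure
                alerts.append((ip, f"brute-force: {threshold} failures within {window_seconds}s"))
        elif len(q) >= threshold:
            alerts.append((ip, f"success for {user} after {len(q)} recent failures"))
    return alerts


if __name__ == "__main__":
    for ip, message in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(ip, message)
```

Run against the sample, this raises two alerts for 203.0.113.7: one when the fifth failure lands inside the minute, and one when alice's login succeeds with six failures still in the window. The second alert is the one worth paging on, because it means the guessing worked. The threshold and window are tuning knobs; a slow, patient attacker (see 'Be Patient & Persistent' below) will spread guesses out to stay under them, which is why account lockout and multi-factor authentication matter more than the detector.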


3. Man in the Middle (MITM) attacks

A popular approach is the man-in-the-middle attack. A MITM attack is where the hacker fools the target user into establishing a connection to a server or service through an object controlled by the hacker.

The object intercepts and misdirects communications from users without the target user being aware of it. A MITM can be:-

  • As simple as a phishing email which directs the target towards a particular URL.
  • A link that sends the user to a duplicate of a real site; when the user logs on, it records their login credentials.
  • More sophisticated MITM attacks are similar to the above, but the hacker's object passes the credentials on to open a link to the real server. This allows the hacker to eavesdrop on, or possibly alter, data as it passes through the hacker's server without the user knowing.
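The first two kinds of MITM above both depend on the target not noticing that the link in the phishing email points somewhere other than the real site. Below is an added example (not from the course page) of the kind of check a mail gateway or security awareness tool can apply to a link before the user clicks it. It treats `examplebank.com` as the organisation's own domain (a constructed value) and flags three common tricks: the brand name buried inside some other domain, a lookalike spelling within a couple of edits of the real name, and user-info before an `@` sign that makes the real host easy to miss. Splitting a host name into its last two labels is a simplification assumed for the example; real code should use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed: the domain this organisation wants to protect from impersonation.
PROTECTED_DOMAINS = ["examplebank.com"]


def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a host name. Simplification assumed for this example;
    real code should consult the Public Suffix List ('example.co.uk' has three)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return 'legitimate', 'unknown', or a 'suspicious: ...' reason for a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # e.g. https://examplebank.com@evil.example/ : the brand is user-info, the host is evil.example
        return "suspicious: user-info before '@' hides the real host"
    for good in protected:
        if host == good or host.endswith("." + good):
            return "legitimate"
    reg = registrable_domain(host)
    for good in protected:
        good_reg = registrable_domain(good)
        brand = good_reg.split(".")[0]
        if brand in host:
            # e.g. examplebank.com.login-verify.example: the real owner is login-verify.example
            return "suspicious: brand name embedded in an unrelated domain"
        distance = levenshtein(reg, good_reg)
        if distance <= max_distance:
            # e.g. exarnplebank.com ('rn' for 'm') or examp1ebank.com ('1' for 'l')
            return f"suspicious: lookalike domain ({distance} edit(s) from {good_reg})"
    return "unknown"


if __name__ == "__main__":
    for link in ["https://login.examplebank.com/",
                 "https://examplebank.com.login-verify.example/secure",
                 "https://exarnplebank.com/",
                 "https://examplebank.com@evil.example/",
                 "https://www.iana.org/"]:
        print(link, "->", classify_link(link))
```

Note that 'unknown' is not 'safe': the check only says the link does not imitate a protected domain. The check that actually defeats the third, relaying kind of MITM is the browser's TLS certificate validation, which is why users should never click through certificate warnings.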

4. Trojans

Using Trojans to breach security has proven a successful attack method.

This is where a harmless or even useful program contains a malicious payload which is unknowingly activated when the host program is installed. Trojans can be built by hackers with basic programming skills and can fulfil multiple tasks:-

  • Be purely destructive, destroying hard drives and corrupting files
  • Quietly record keystrokes, monitor network traffic, track web usage
  • Duplicate or send emails, transmit data files
  • Allow remote access and control.
  • Launch attacks against other targets.

Commonly a Trojan is hidden in seemingly innocuous software like games, screen-savers, greeting card systems, admin utilities, archive formats, and even documents.

A Trojan can be delivered through an e-mail attachment, be presented as a download on a Web site, or be placed on removable media (memory card, CD/DVD, USB drive etc.).


5. Wireless attacks

Wireless networks provide an easy entry point to organisational networks. Compared to wired networks, wireless networks are relatively insecure. It is much easier, for example, to mount:-

  • Denial of Service (DoS) attacks
  • Hijacking or disrupting the wireless signal.
  • Eavesdropping, sniffing or launching MITM attacks

Wireless networks are extremely easy to establish and, with advances in technology, it is now easier than ever for employees to set up their own wireless access point (WAP). If a WAP is connected between an employee's desktop and the wired network, it creates a wireless gateway into the organisation's network, bypassing all their expensive security systems.

A war-drive can easily reveal vulnerable wireless access points. Or a determined hacker could approach a disaffected employee to plug a WAP into the network for him - just saying, that's all.
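The defence against the employee-installed WAP is to survey the airspace regularly and compare what is seen against the list of access points the organisation actually installed. The following is an added example (not from the course page) of that comparison. The inventory, SSID `CorpNet`, MAC addresses and survey results are all constructed sample data; in practice the survey would come from a wireless scanner and the inventory from the network team's records.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str       # network name the radio advertises
    bssid: str      # MAC address of the radio, as reported by a survey
    security: str   # "WPA2", "WPA3", "OPEN", ...


def norm_mac(mac):
    """Normalise MAC address spelling so inventory and survey compare equal."""
    return mac.lower().replace("-", ":")


# Constructed inventory: the access points the organisation installed.
AUTHORISED = {
    norm_mac("00:11:22:AA:BB:01"): AccessPoint("CorpNet", "00:11:22:aa:bb:01", "WPA2"),
    norm_mac("00:11:22:AA:BB:02"): AccessPoint("CorpNet", "00:11:22:aa:bb:02", "WPA2"),
}
CORPORATE_SSIDS = {"CorpNet"}

# Constructed survey: what a scanner saw from inside the building.
SURVEY = [
    AccessPoint("CorpNet", "00:11:22:AA:BB:01", "WPA2"),        # legitimate
    AccessPoint("CorpNet", "00:11:22:AA:BB:02", "OPEN"),        # known radio, now unencrypted
    AccessPoint("CorpNet", "DE:AD:BE:EF:00:01", "WPA2"),        # our SSID on a radio we never installed
    AccessPoint("Free_WiFi", "DE:AD:BE:EF:00:02", "OPEN"),      # someone's personal access point
    AccessPoint("CorpNet-Guest", "00:11:22:AA:BB:03", "WPA2"),  # unknown radio with a corporate-style name
]


def find_rogue_aps(survey, authorised=AUTHORISED, corp_ssids=CORPORATE_SSIDS):
    """Return (bssid, severity, reason) for every observation that does not
    match the inventory. Anything unknown is reported; unknown radios that
    imitate the corporate network are rated highest."""
    findings = []
    for ap in survey:
        bssid = norm_mac(ap.bssid)
        known = authorised.get(bssid)
        if known is None:
            if ap.ssid in corp_ssids:
                findings.append((bssid, "high", f"unknown radio advertising corporate SSID '{ap.ssid}' (possible evil twin)"))
            elif any(c.lower() in ap.ssid.lower() for c in corp_ssids):
                findings.append((bssid, "medium", f"unknown radio with corporate-style SSID '{ap.ssid}'"))
            else:
                findings.append((bssid, "medium", f"unauthorised access point '{ap.ssid}' in range"))
            continue
        # A known radio can still be misconfigured or reconfigured by an intruder.
        if ap.ssid != known.ssid:
            findings.append((bssid, "medium", f"known radio renamed from '{known.ssid}' to '{ap.ssid}'"))
        if ap.security != known.security:
            findings.append((bssid, "high", f"security on known radio changed from {known.security} to {ap.security}"))
    return findings


if __name__ == "__main__":
    for bssid, severity, reason in find_rogue_aps(SURVEY):
        print(f"[{severity}] {bssid}: {reason}")
```

A radio survey on its own cannot tell whether an unknown access point is actually plugged into the wired network or is simply a neighbour's. The follow-up check is on the switches: look the unknown MAC address up in the switch port tables, and if it appears on an internal port, that port is the gateway described above and should be disabled until someone has walked to the desk.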

6. Remain Informed

It's an arms race! This is not so much a method to breach security, but for a hacker, a way of life.

Security is constantly improving and patches to known problems are being produced, so for hackers it's important to keep up to date with vulnerability research to stay ahead of the game. This involves:-

  • Reading web sites, discussion lists and blogs related to security and hacking.
  • Using the web to actively seek out issues related to hardware and software that could be exploited.

7. Research the target

Unlike in the movies, hackers take their time discovering as much as they can about the target and who works for them. Much of this information is freely accessible on the internet and includes:-

  • Names of top executives and key employees from press and news releases.
  • Company name, address, phone and fax numbers
  • Website address, email and internet service provider.
  • Employee details including names, home addresses, phone numbers, emails, employment history, family members and names, driving history and any criminal records.
  • Technical details like the preferred operating system, major programs, preferred programming languages, preferred devices: Job adverts are a good source for this.
  • Location layout, lines of sight, vantage points, entry points and hidden access points: Building plans, Google Earth & street view are good sources.
  • Web server platform, language and website development environments which can be found from website scanners.
  • Business intelligence including problems with products, issues with staff and company politics from company reviews and competitive intelligence services.

Answers to each of these points can lead on to other questions revealing even more about a target; all of which can provide a hacker opportunities ripe for exploitation.

8. Be Patient & Persistent

Hacking is not easy and it's not quick.

Successful hackers frequently follow a distinct series of steps, acquiring the tools, the knowledge and skills necessary to complete each phase.

  1. Reconnaissance: Where the hacker researches and gathers intelligence about the target.
  2. Scanning: Using the information from research to look for weaknesses and vulnerabilities and to plan the attack.
  3. Gaining access: This is the attack phase where the actual hacking is done. The aim of the hacker at this point, is to 'own the systems' because once hacked, the hacker can do anything with the system.
  4. Maintaining access: Once in, hackers want to be able to return for future exploitation so they typically 'harden' the system against other hackers and system security by planting back-doors, Trojans and root-kits.
  5. Covering tracks: Hackers don't want to be caught, so the final phase involves covering their traces by deleting log files or hiding their activities (steganography) within masses of other data.
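Phase 5 is the one a defender can design against in advance: if each log record commits to the hash of the record before it, deleting or editing an entry breaks the chain and the tampering becomes visible when the log is next checked. The following is an added example (not from the course page) of such a tamper-evident log. The records, user name and events are constructed sample data, and `simulate_cover_tracks` stands in for an intruder removing the incriminating entries.

```python
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" before the very first record


def _entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus this record, canonically serialised."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def chain_records(records):
    """Turn plain log records into chained entries, each committing to its predecessor."""
    entries, prev = [], GENESIS
    for record in records:
        h = _entry_hash(prev, record)
        entries.append({"record": record, "prev": prev, "hash": h})
        prev = h
    return entries


def verify_chain(entries, expected_head=None):
    """Return (True, None) if every entry still fits its predecessor, otherwise
    (False, index) of the first entry that does not. `expected_head` is the
    last hash as stored somewhere the intruder cannot reach; without it a
    chain can be silently cut short at the end."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


# Constructed sample records (not from any real system).
SAMPLE_RECORDS = [
    {"seq": 1, "event": "login", "user": "alice", "src": "10.0.0.5"},
    {"seq": 2, "event": "privilege_change", "user": "alice", "detail": "added to admin group"},
    {"seq": 3, "event": "config_change", "user": "alice", "file": "/etc/ssh/sshd_config"},
    {"seq": 4, "event": "logout", "user": "alice"},
]


def simulate_cover_tracks(entries):
    """An intruder deleting entries 2 and 3 from the stored log, as in phase 5."""
    return [entries[0], entries[3]]


if __name__ == "__main__":
    chain = chain_records(SAMPLE_RECORDS)
    head = chain[-1]["hash"]            # would be shipped off-host or to a remote log server
    print("intact:", verify_chain(chain, head))
    print("after deletion:", verify_chain(simulate_cover_tracks(chain), head))
    print("truncated, head unknown:", verify_chain(chain[:2]))
    print("truncated, head known:", verify_chain(chain[:2], head))
```

The chain only proves anything if the intruder cannot simply rebuild it: an attacker with write access to the file can rewrite every entry from the genesis value onward. That is why the latest hash (the head) is copied to a remote log server or other system the attacker does not control, and why a keyed hash (HMAC with a key held off the host) is used instead of plain SHA-256 in production designs. Forwarding logs to a central server as they are written serves the same purpose against the simpler 'delete the log file' approach.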

9. Confidence Games

Go for the weakest link in any organisation's security: the people.

Employees can be forced, paid, tricked or duped into violating security rules to give a hacker access. With proper research, it is easy enough to find who to target, then it's just a matter of using social engineering techniques to get them to do what you want.

10. Being on the inside

Many security breaches have been initiated by internal employees, rather than some external hacker. In these cases the breach has been brought about by:-

  • A determined hacker getting a job with the organisation and exploiting their rights of access once some degree of trust has been obtained.
  • A disgruntled employee seeking revenge or retribution against the organisation.

In both situations, all the outward facing security is bypassed, and the organisation is left relying on internal defences.

Tasks

Can you now do?

  • Define the term data security breach and understand the term data leakage.
  • Explain some common causes of data security breaches.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.
