So what is hacking?
Let’s start off with an analogy. What if I tell you the address and room number of my hotel room and that it’s filled with gold? The entire room is filled with gold and you want to steal it.
How would you do it?
The first piece of information you would need is the name and address of the hotel where I’m staying. Next, you would need to know my room number.
Third, you’ll need a way into my room, which could be accomplished one of two ways. Either you’d have a vulnerability in the lock where you’d physically break in (by unscrewing the lock, swiping a credit card, etc.), or you would have to take advantage of a weakness in a person (such as lying to gain access into my room).
If you do those three things, you’re in my room and able to steal my gold.
It’s that simple.
Well, that’s all hacking is. If you want to hack into an organization, you first have to go in and find a target. You could either target a server or an individual within the organization.
Since targeting the server is a lot like robbing the gold, we’ll start with that scenario.
If you want to break into a company’s server (and steal their virtual gold!), you’d have to find the IP address, which is like the physical address for a building.
Not to get too technical, but we call them data decimal notations.
Right now, on the internet, most systems are still running what we call Internet Protocol IPv4. It uses four numbers, so the IP would be something like “126.96.36.199.”
If you’re curious, go to your computer’s search bar and type, “Command.” Then, a DOS Prompt will pop up. Next, type, “ping.www.[whatever site you choose].”
*Disclaimer: My examples are for illustrating points. I’m in no way telling you to go online and do anything illegal or unethical.*
Typically, it will respond, “Resolving to an IP address.”
Most sites, today, have Ping’s system blocked, but the point I’m trying to make is that when you type in a domain name (like secure-anchor.com), that is for the user’s convenience.
That’s like saying, “I’m staying at the Sheraton,” but if I’m going to get an Uber, I’d have to give them an actual physical address. Whenever you type in a link, it has to resolve to an IP address so you can connect to that server.
Once you find the IP address, you need to find an entry point into the system. Just like a hotel has rooms with numbers, computers have ports.
You probably don’t realize it, but everytime you go into your browser, you connect with a specific port number.
The more open ports means the more entry ports, just like a hotel with 200 rooms has more opportunities to get targeted than a hotel with just five rooms. Once you find the server and the open ports, you just have to find the weaknesses on the system.
If we went back 10 years ago, most companies were locking down their systems with patches. A patch is applied when an operating system vendor realizes that they have a vulnerability. When a company has a fully patched system, it means that they don’t have any known vulnerabilities.
Unfortunately, most companies’ cyber security has gone down, over the last 10 years. A lot of entities have servers that are visible from the internet, containing our critical data, with unpatched systems. All of the major breaches over the last 2 – 3 years have had known vulnerabilities.
The scary part is that there are actually tools on the internet that will tell you the system’s exploit! Every major breach would have been avoided if the company just knew the system, closed the open ports, and PATCHED their server.
The most common way companies get hacked is by targeting a person. A lot of times, employees will get a legitimate looking email (that looks like it came from a friend or business associate), containing a link.
As soon as the link gets clicked, the company gets compromised. When you get these emails, there’s always an urgency.
For example, it’ll say something like, “The item you just purchased is almost out of stock – reply within 2 hours or it’s gone.”
It’s usually spoofed.
Pick up the phone or go to the website, but don’t click on the link.
Another method we see is email with scare tactics – for example, “You’re currently under investigation for committing a crime. We don’t believe that you did it, but if we don’t hear back from you within 2 hours, we will be forced to report this to the police, leading to your arrest.” Maybe that type of email doesn’t seem legit to you, but it scares a lot of people into opening it and clicking on the provided link.
Some hackers will even send out emails that say, “We’ve turned on your webcam and found out that you’ve been on some very bad sites. We’d hate to embarass you, and we’re on your side. Just click on the link below and we will help you.” Don’t click on the link! Just delete!
All hacking really is… finding open ports and vulnerabilities in the system. I just showed you two of the ways it’s done.
It’s not that hard. And, unfortunately, the adversary knows it.
To have a security assessment done for your company, or for any other questions, feel free to reach out to me at secure-anchor.com/contact.