In this blog post I am going to talk a bit about information security in the corporate world. Now, this is a big topic with lots of considerations – but my plan is to talk about the most generally important cases. Namely legal intelligence and illegal hacking.
First of all, there is a lot of information out there available to the public. Doing “Corporate intelligence” is common in many countries but not so much in Norway. Corporate intelligence is not hacking, and is neither illegal. But the result might even be the same if you use the right methods. For example, you can learn a great deal by looking at different methods of legally collecting open source data. With this information you can gain access to customer records, product development, new technology, marketing information, regulation and legislation policy and many more. Just imagine any and all ways an organisation can be monitored.
But there are also some illegal ways to obtain corporate intelligence, mostly known as “hacking”. And here are some examples:
- Social engineering – you use the nature of peoples weakness to gain access to premises or information. Most people like to appear polite and helpful, and feel appreciated. Applying the correct method can cause them to give you access and classified information. Some people also like to seem informed and say much more than they should.
- Dumpster diving – Exactly what it sounds like. You go into the companies dumpsters to search for papers, hardware, drives, discs, product rejects and so on. Anything with data on it.
- Insider (or ex-insider) theft – Having an employee that have or has had access to corporate information can be very valuable. Intentional or accidental failures to information security is one of the most common reasons for the security parameters being breached.
- Industrial espionage – actually entering production premises or going to sales meeting with the only intent to gain more intelligence on what the company is currently doing. This can also be done by more sophisticated methods.
- Hacking – good old hacking. Finding the IP adresses, scanning for open ports and detecting weaknesses in the system. Another one of the larger reasons for information security failure.
- War dialing / War driving – as an example, driving around in your car trying to locate an open network to hack into.
- Communications intercept – the best way is to gain direct access to the companies communications traffic. One very simple way is to install “key stroke loggers”. This sends information about all the strokes the victim does on the keyboard to the attacker. That way you have all the passwords, messages and more.
- Phishing emails – sending emails with malware or links to malicious sites. For example impersonating the bank connection, trying to forward the victim to a fake website to steal credit card details and so on. You also have spearhead phishing where you use the same technique – only specifically targeting certain victims.
These are some of the most common “hacks” out there. Be aware, you come a long way just being suspicious and alert.