By Terry Cutler. Terry Cutler is a co-founder of Digital Locksmiths, an IT security and data defense firm based in Montreal and serves as the company’s Chief Technology Officer and Certified Ethical Hacker. You can follow him on Twitter @terrypcutler.

I am a Certified Ethical Hacker, which basically means I get paid by companies to hack into their networks.

My company, Digital Locksmiths, was hired by a manufacturing firm in 2011 to try and expose any security vulnerabilities that might be lurking in the ether.

A company’s external infrastructure — including web servers, domain name servers, email servers, VPN access points, perimeter firewalls, and any other applications publicly accessible from the Internet — is typically considered the primary target of security attacks. So that’s where we start.

Our methods include cracking passwords and eavesdropping as well as using keystroke loggers, sniffers, denial-of-service, and remote controls. In this case, I tried attacking the firewall systems with every trick in our digital lock picker’s toolkit, but to no avail: The network was locked tight, so to speak.

So I told myself, “Screw it. I’m going in.” You see, companies that have an impenetrable wall against external attacks are often surprisingly open to insider threats. Hackers are able to expose these vulnerabilities by exploiting one simple fact: Most people will respond in a highly predictable way to a particular situation.

First, I did a little recon on Google Earth and Street View to familiarize myself with the physical perimeter of the company’s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of a friendly, guy-next-door, I put on my usual garb: a pair of good jeans and a button-down shirt.

I hopped into my truck and drove over to the facility. Doing my best to look sharpish, I walked into the front lobby and said to the receptionist: “This is really embarrassing, and I don’t usually ask for this type of favor, but I wonder if I could use your washroom? I knew I’d regret ordering that super-sized drink!”

She smiled — a good sign — and buzzed me in. Once I was inside the men’s room and had confirmed it was unoccupied, I yanked two USB keys out of my pocket and dropped one on top of the metal toilet paper holder in each stall.

I quickly gave myself a thumbs-up in the mirror, strolled back to the lobby and flashed the receptionist a big smile as I walked out the door.

I drove back to my office and waited, because as soon as someone plugged one of my USBs into a computer, a program on the flash drive would auto run and execute a remote connection to my computer.

This would give me instant access and the ability to ‘pass the hash.’ Note that I’m not talking about the good ol’ college days here — we’re essentially taking the encrypted credentials for the computer’s owner and passing them to the company’s own server, mimicking a real, normal login.

In a short time, my computer sprang to life: With the ability now to log into the company’s network, I was poised to unleash all kinds of mayhem — from extracting user names and passwords to opening and interacting with files on the compromised system, to taking screenshots of current activity on a user’s desktop.

Needless to say, company management was horrified to learn how easily I had hacked into their system, simply by exploiting how people react in certain situations.

My ‘Big Gulp’ ruse was a success because, by and large, people are inclined to be helpful. And it’s true — curiosity does kill the cat. Nine times out of ten a person who finds a random USB stick will wonder what’s on the thing and plug it in to find out. (In fact, my backup plan should my men’s-room story have failed was to tell the receptionist that someone dropped this USB stick on the floor and hand it to her.)

Defending against modern attackers

This episode underscores the fact that security involves more than just protection of your network’s firewall. Internal threats are real — and they aren’t all necessarily the work of a disgruntled employee.

Employees need to understand that security threats can be triggered in numerous ways and be trained on how to protect against possible security threats that may be masquerading as something perfectly innocuous — like the guy next door. A simple policy like mandating only one type of USB device for internal use might have prevented me from gaining access to the network in this case.

Companies also need to recognize when they have a problem — and the sooner they know, the better their chances of minimizing the harm done. The good news is that most enterprises have an enormous amount of data scattered throughout firewall, application, router, and log sources that is useful for determining what sorts of things are going on within their networks. The bad news is that all too few know how to aggregate and put that data to use.

Security professionals need to put in place the technologies and processes that give them access to security logs, along with some type of log management to extract the information required to keep the infrastructure secure.

Better yet, they can employ a Security Information Event Manager (SIEM) for grabbing and correlating data, as well as a process to integrate security data with identity and access information. That way, in our hacking incident, a number of alerts would have been fired off to security managers long before any proprietary data was accessed.
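The following is an added example, not code from the author or from Digital Locksmiths, that turns the two recommendations above into detection logic a SIEM or log-management pipeline could run: the one-approved-USB-model policy becomes an allowlist check on device-insertion events, and the correlation rule flags a removable-media insertion on a workstation followed shortly by an NTLM network logon originating from that same workstation. The key=value log format, hostnames, user names, device identifiers and the ten-minute window are all constructed assumptions for illustration; real endpoint and domain-controller logs would be normalized into this shape first.

```python
"""Correlate removable-media and logon events to surface a dropped-USB scenario.

Added example for this article, not code from Digital Locksmiths. The log lines
below are constructed in a simple key=value format for illustration; real
endpoint and domain-controller logs would be normalized into this shape first.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy from the article: mandate a single approved removable-device model.
# The identifier is a constructed placeholder, not a real vendor/product id.
APPROVED_DEVICE_IDS = {"VID_EXAMPLE&PID_APPROVED"}

# Assumption: an insertion followed by an NTLM network logon from the same
# host within this window is worth an alert. Tune to the environment.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample events from two sources: endpoint agents and a domain
# controller. Only the second workstation sees an unapproved device.
SAMPLE_LOGS = """\
ts=2011-06-14T09:02:11 source=endpoint host=WS-ACCT-07 kind=usb_insert device_id=VID_EXAMPLE&PID_APPROVED user=jdoe
ts=2011-06-14T09:41:05 source=endpoint host=WS-ENG-12 kind=usb_insert device_id=VID_UNKNOWN&PID_0001 user=msmith
ts=2011-06-14T09:43:30 source=dc host=DC01 kind=logon user=msmith src_host=WS-ENG-12 target=FILESRV01 logon_type=3 auth=NTLM
ts=2011-06-14T13:15:00 source=dc host=DC01 kind=logon user=jdoe src_host=WS-ACCT-07 target=FILESRV01 logon_type=3 auth=Kerberos
"""


@dataclass
class Event:
    ts: datetime
    source: str
    host: str
    kind: str
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one key=value line; the four common keys become attributes."""
    kv = dict(token.split("=", 1) for token in line.split())
    return Event(
        ts=datetime.fromisoformat(kv.pop("ts")),
        source=kv.pop("source"),
        host=kv.pop("host"),
        kind=kv.pop("kind"),
        fields=kv,
    )


def parse_logs(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unapproved_device_alerts(events: list[Event]) -> list[dict]:
    """Rule 1 (policy): any removable device outside the approved model list."""
    return [
        {"host": e.host, "user": e.fields.get("user"), "device_id": e.fields.get("device_id")}
        for e in events
        if e.kind == "usb_insert" and e.fields.get("device_id") not in APPROVED_DEVICE_IDS
    ]


def insert_then_logon_alerts(events: list[Event]) -> list[dict]:
    """Rule 2 (correlation): a USB insertion on a host, then an NTLM network
    logon (type 3) originating from that same host within the window."""
    inserts = [e for e in events if e.kind == "usb_insert"]
    logons = [e for e in events if e.kind == "logon"]
    alerts = []
    for ins in inserts:
        for lg in logons:
            same_host = lg.fields.get("src_host") == ins.host
            in_window = ins.ts <= lg.ts <= ins.ts + CORRELATION_WINDOW
            ntlm_network = lg.fields.get("auth") == "NTLM" and lg.fields.get("logon_type") == "3"
            if same_host and in_window and ntlm_network:
                alerts.append({
                    "host": ins.host,
                    "user": lg.fields.get("user"),
                    "target": lg.fields.get("target"),
                    "inserted_at": ins.ts.isoformat(),
                    "logon_at": lg.ts.isoformat(),
                })
    return alerts


def run_rules(log_text: str) -> dict[str, list[dict]]:
    """Run both rules over raw log text and return alerts keyed by rule name."""
    events = parse_logs(log_text)
    return {
        "unapproved_device": unapproved_device_alerts(events),
        "insert_then_ntlm_logon": insert_then_logon_alerts(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOGS).items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

On the constructed sample, the approved device on WS-ACCT-07 and the later Kerberos logon from that host produce nothing, while the unknown device on WS-ENG-12 trips the policy rule and its NTLM network logon two minutes later trips the correlation rule. The point of the second rule is the join across sources: neither an insertion nor a network logon is suspicious on its own, which is why the article stresses aggregating endpoint, server and identity data rather than inspecting each feed alone.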

While it’s true that security threats have become more menacing, remember that security defenses also have become more powerful. Make sure you take the necessary steps to protect your infrastructure and your data.