Hacking is often called the biggest danger to the economic security of the United States.
President Obama has gone on record as calling the cyber threat “one of the most serious economic and national security challenges we face as a nation.”
What was once a series of isolated incidents has now become almost commonplace in corporate America. By attacking business networks, hackers are accessing company secrets and confidential strategies and creating huge losses for the overall economy, say experts.
Many of the economic espionage cases are in the tens or hundreds of millions of dollars, the FBI says, and that can translate into job losses.
“This is stealing American wealth,” Gen. Michael Hayden, former director of the National Security Agency and the CIA, told CNBC. “It’s stealing American jobs. It’s stealing American competitive advantage.”
Every company is at risk. Even big names are not immune — LinkedIn was the victim of hackers in June, and Google was attacked in 2011, when hackers gained access to hundreds of user accounts.
“Operation Aurora, which was an attack on Google, I think, was a watershed moment where we suddenly realized that even the best companies with tremendously smart people, great security, are vulnerable to the threat,” cyber security expert Dmitri Alperovitch said.
So how do hackers get in the door? Alperovitch, who once worked for McAfee and is now the co-founder and CTO of the cyber security firm CrowdStrike, compiled a list for CNBC.com.
Here are the 10 most common ways hackers access corporate computer systems.
By Michelle Fox. Posted 6 July 2012.
“Spear phishing” — social engineering through email — is one of the most common tactics hackers use when attacking a system, according to Alperovitch.
Cyber spies can get into a network by sending an email or instant message to a targeted victim that will have an attachment or perhaps a link to a website. It will also be customized for the recipient.
For example, “if you are in the sales department, it will ask for information about products,” Alperovitch said.
Once you open the attachment or click on the link, a vulnerability in the system's application such as a word processor or browser will be exploited. Malicious software, known as malware, will then start executing on the machine and open up a communication channel to the hacker to allow them to browse and control the system.
Hackers can also use the infected computer “as a beachhead to get into other machines within that network,” he said.
Alperovitch said that’s how cyber spies were able to hack into Google last year.
If cyber spies are interested in a lot of people within a larger group, they can target a website that’s used by the group or company, Alperovitch said.
The hackers will look for a vulnerability on the website to get in, or access it through spear phishing.
“They will … implant a piece of code on that website so that anyone who comes on that website will be immediately infected,” he explained.
It’s a tactic that is growing in popularity and is a common way to target dissidents, he said. However, it can also affect company or government websites.
Malware can also get onto a computer through a USB key. For instance, someone can slide infected USB keys into packets given out at a conference, Alperovitch said. Once the unsuspecting person plugs the key into his or her machine, malware is installed. It can also be surreptitiously inserted into a computer by a spy on the inside of a company.
Hackers can remotely scan servers to determine vulnerabilities within that system. Once they find a vulnerability, they exploit it by sending a command or data to the server that will cause the application to crash and will then start executing code.
In other words, it is like a potential burglar “looking at your house and seeing your doors unlocked and simply [walking] in,” Alperovitch said.
Typically it’s the smaller companies that get hit this way, Alperovitch said, since most large companies have good security around their system perimeters.
Most companies have the ability for their workers to log in remotely to the corporate computer system, or to access company email through a website. To get into the system, workers need a username and password, which are coveted by hackers.
“If [hackers] can find out the credentials for that user, they can log in [remotely] as that user and access network resources,” Alperovitch said.
To obtain passwords, hackers have various ways to trick users into giving up their credentials. For example, they can send an email asking their target to reset their password. Once the target clicks on the supplied link and enters his or her password, the hacker now has it and will use it to remotely log into the computer system.
Hackers can invade a system by exploiting an open wireless network, or one with weak security. They can literally sit outside a business firm’s physical location and get into the system through the unsecured or poorly secured Wi-Fi.
TJ Maxx knows all too well about these dangers. Alperovitch said that’s how hackers got into the retailer’s system several years ago and stole 45.7 million credit and debit cards from the company.
Some cyber spies like to troll for victims on third-party sites, like LinkedIn. When they find someone working for a company they want to infiltrate, they attempt to hack into the third-party website and steal the employee’s credentials. Since some people tend to use the same username and password for both work and other websites, the hacker can now log onto the company website and compromise the system, Alperovitch said.
This is why IT security experts recommend using different user names and passwords for different websites.
When a person enters information on a website, like an email address or credit card, it gets stored in that company’s database. Those web-based forms are a simple tool for users, but they are also another way hackers can exploit a company’s system. Instead of inputting a name into the website, cyber spies can put in a specially crafted text that may cause the database to execute the code instead of simply storing it, Alperovitch said. The result is a “malicious takeover of the system,” he said.
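The difference between a database executing form text and simply storing it can be shown in a few lines. The following Python sketch is an added illustration, not part of the original article or of Alperovitch's list; the `signups` and `staff` tables, the function names and the key value are all constructed for the example.

```python
import sqlite3

# Constructed form input: closes the quoted value and splices in a subquery.
CRAFTED = "' || (SELECT api_key FROM staff WHERE login = 'admin') || '"

def make_db():
    """In-memory database with a signup table and an unrelated sensitive table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signups (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE staff (login TEXT, api_key TEXT)")
    db.execute("INSERT INTO staff VALUES ('admin', 'CONSTRUCTED-KEY-123')")
    return db

def last_name(db):
    return db.execute(
        "SELECT name FROM signups ORDER BY id DESC LIMIT 1").fetchone()[0]

def store_name_vulnerable(db, name):
    # Form text is pasted into the statement, so the database parses it as SQL.
    db.execute("INSERT INTO signups (name) VALUES ('" + name + "')")
    return last_name(db)

def store_name_safe(db, name):
    # Placeholder binding: the text travels as data and is never parsed as SQL.
    db.execute("INSERT INTO signups (name) VALUES (?)", (name,))
    return last_name(db)

def try_store(store, name):
    """Run one store function on a fresh database; report errors by type."""
    db = make_db()
    try:
        return store(db, name)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__

def demo():
    names = {"crafted": CRAFTED, "ordinary": "O'Brien"}
    return {
        (label, kind): try_store(store, text)
        for label, store in (("vulnerable", store_name_vulnerable),
                             ("safe", store_name_safe))
        for kind, text in names.items()
    }

if __name__ == "__main__":
    for key, stored in demo().items():
        print(key, "->", repr(stored))
```

With the concatenated statement the stored "name" is the contents of the other table, and an ordinary surname containing an apostrophe breaks the query; with the bound parameter both inputs are stored exactly as typed.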
Some hackers are able to hijack email accounts by resetting the user’s password without the person’s knowledge. Alperovitch said the execution is quite simple — hackers find out the answers to possible security questions by researching the victim on social networking sites and other places, and use the email company’s reset service to change the password. Once the password is changed, they have unlimited access to the victim’s email account.
Even in a high-tech world, cyber spies have resorted to old-fashioned cloak-and-dagger techniques to infiltrate systems. Spies find ways to get hired by companies, and once inside they try to get into the system. They’ve also been known to bribe an individual already employed by the corporation they’re targeting to hack into the network.