At a glance
Determining ‘high risk’
“We use the same tools, techniques, tactics that the ‘bad guys’ use. We perform an assessment of an organisation’s security from the position of a malicious attacker. This is called ‘penetration testing’ or a ‘pen test’.
“The goal of the pen test really is to identify all the risks, the threats, the vulnerabilities, and, of course, activities they can take to reduce those, preventing them from becoming the next headline.”
The art of deception
“We’ll typically start with what we call our ‘reconnaissance phase’. This is to gather as much information as we can – email addresses, social media, enumeration, financials and network information.
“We also go down the route of social engineering, otherwise known as the art of deception. It’s basically where we’ll try to convince people to click a link, to open an attachment or to give out some sensitive information. Many of our testers have a wardrobe filled with different uniforms that we use to try to physically gain access to an organisation’s office – trader uniforms, courier uniforms, cleaners.
“Methods we’ve used in the past are things like delivering goods, delivering doughnuts to the tearoom – getting access that way – or hanging out with the smokers at the back of the building, then just tailgating them in that back door as they all go back to work. Our goal, obviously, is just to get into that office environment so we can plug in a device that we can remotely connect to later.”
No business immune from threats
“Cyber attacks are an issue for every business, regardless of size or industry.
“The same risk, threats and vulnerabilities that apply to big business and government apply to small and medium businesses as well. I’d argue that small and medium businesses are more at risk due to the simple fact that they have more to lose. Big businesses can often weather a data breach and have sufficient budgets to cover incidents and continue.
“For small businesses, this could mean the end. We often find small businesses are targeted and their environments used as a launchpad to attack other bigger organisations in an attempt to avoid detection.”
AI attacks on the horizon
“We’re seeing attackers use AI [artificial intelligence] to perform password or ‘brute force’ attacks, gathering data or fingerprinting the targets, then generating passwords and attempting them on different systems.
“We’re also seeing a lot of malware out there that is now using AI. I foresee a big increase in these AI attacks moving forward, but by the same token, we have security companies such as endpoint protection companies. We used to call them antivirus in the old days. They’re now using AI to detect and stop malware.”