How does this hacking thing work, then?

If you’re not in the public eye, you’re not likely to get hacked for fun. Anonymous et al are in it for the oxygen of publicity. Most hackers are in it for the money.

So to understand your risk, you need to follow the money. How can hackers monetise you?

• Firstly, by using you as a resource. If they can take control of some or all of your network, they can use that network for their own purposes – like sending spam, or hosting illegal porn, or launching denial-of-service attacks. They sell these resources on to spammers and other ne’er-do-wells in underground virtual markets.
• Secondly, by using you as a vector. Maybe your clients are more interesting than you are; if your network connects to theirs, or you have access credentials, then you might be easier to compromise than them. Even if your clients are boring, your network might make a good base of operations – and any investigation will start with you, not them.
• Thirdly, by stealing data that has commodity value- credit card numbers, consumers’ personal information, identity documents, email addresses. The same underground markets that trade in compromised resources (so-called “botnets”) also have going rates for credit cards, email addresses and so on.
• Finally, by actual extortion and theft. Stealing your money; encrypting your data and demanding a ransom; seeking money to prevent the revelation of your secrets on the internet; or stealing your IP and selling it on – speculatively or to order.

How do they get in? The answer is “it depends” – but the fact remains that most of the time, they do it through your own actions. I know I keep banging on about this, but that’s because it’s true, and it’s largely ignored. Because we think of information security as a “tech” issue, not a business issue, we keep spending money in the wrong places.

Scary fact of the day: there’s an (allegedly) Iranian hacking group called “Cleaver” that’s attacking targets in, and linked to, the Middle East. What’s interesting about this group isn’t so much their technology, as their social engineering. They’ve created a set of fake LinkedIn profiles, all with 500+ connections, and mostly set up as senior recruitment consultants.

So you get a flattering email from a headhunter, asking you to send a CV in confidence because they have a client who’s asked about you in particular. You check them out on LinkedIn and they look legit, so you put a dossier together and press send. You’re not dumb enough to use your work email address, right? (unlike all those Ashley Madison users…)

So now they have your CV, and your personal email address, and probably your mobile number. As well as everything they can find out about you on LinkedIn, and on Facebook, and on your company’s “About Us: Our Team” page. If you also connected to them, perhaps thinking that would send a not-so-subtle message about your readiness for a pay rise, they also know whom you know. Which they can cross-reference against Facebook, and against records of public speaking engagements and anything else on the web.

That’s not going to make it hard to craft an email containing a link you might click on, or a document you might open, is it? Whether it purports to come from a colleague, or relates to your main hobby, or seems to be about your family – it just has to pass your “strangeness” filter.

The link will take you somewhere apparently innocuous (see point 2 above – they’ll be using someone else’s resources to host it). The document will be similarly anodyne. What’s important is the hidden payload – the malware that your computer or phone installs while your browsing. Unlike malware in common circulation – the scattergun approach of the undirected hacker – this stuff most likely won’t be known to your anti-virus program; if you’re a juicy enough target (pun intended) it might have been written specifically for you.

The malware will be clever, and multi-faceted. It will collect all the data it can – logging keystrokes, copying email and calendar entries, providing remote control of your device, maybe even exfiltrating documents. The hackers will be running software watching for keywords; what they find will shape how they monetise you. It could be anything from conning you into authorising a payment, using your credentials to gain access to a valuable source of data or exploiting your calendar to know when you’re away.

Paranoia sounds like the simple answer but “trust no-one” only works in the movies. Business is all about trust, and it’d take you a week to get through a day’s work if you tried to validate every email and phone call you received. Caution, especially about unsolicited web links and documents, remains extremely important – as does investment in the best available anti-virus and intrusion detection systems. But the key is having robust systems and controls – balancing your ability to get your job done with limits on the damage you could do if suborned.

Double-check what you can, never act in haste, and make effective use of two-man controls and the rule of least privilege.