Rick Robinson

Oct 18th 2017

How Do Hacked Companies Get Hacked?


Cyberattacks make for big headlines. Hacked companies (and other organizations) get hit with a triple whammy. First of all, they are hit with the costs of the attack itself, such as the losses resulting from stolen or exposed confidential data.

Second, they face a public backlash. Individuals who become hacking victims may get sympathy, but hacked organizations rarely do. More often, they suffer a wave of media embarrassment at the least. Along with the headlines may come a loss of customers’ confidence, especially if customer data such as credit card numbers was stolen. Legal consequences are yet another possibility for hacked companies.

Finally, hacked organizations need to upgrade their cybersecurity systems and procedures, and do it on an urgent basis. Like having to call the plumber on Saturday night, emergency assistance does not come cheap.

Behind the Scenes of a Hack

But what actually happens when companies get hacked? What is a hack, anyway? There is no formal technical definition of “hacking,” and no one single way that computers and computer networks get hacked.

Most often, we think in terms of malware — short for malicious software — such as viruses, worms and so forth. But not all cyberattacks involve malware. If an authorized user is tricked into revealing their password to a thief, the thief can then simply log in using the victim’s password, then download, delete or alter data using the normal tools available to legitimate users within the organization.

And, as Kelly Sheridan reports at Dark Reading, attacks of this sort are all too common. Human factors are one of the two leading causes of major security breaches, or, in everyday language, hacks. The term “social engineering” is now applied to the bag of tricks by which cybercriminals use the human factor to gain access to company networks.

One leading type of social engineering is spear phishing. Phishing is the general term for an email that tries to trick the recipient into opening a malicious attachment or visiting a malicious webpage. Spear phishing has the added twist that the email is targeted specifically at the intended victim, for example by carrying the name and email address of a friend or co-worker.

The popularity of social networks has made social engineering attacks easier by making people’s personal connections easier to trace online. And because there is no purely technological solution to human error, social engineering attacks are likely to become even more prominent in the future.

Bad (Cyber) Hygiene

The other leading cause of security breaches is deficiencies in cyber hygiene — failures in the procedures, such as updating software patches, that are designed to protect computers and computer networks against technological malware attacks.

Even good cyber hygiene will not protect against all technological hacking attacks. So-called “zero-day” attacks employ malware or system vulnerabilities that security professionals have never before seen, and against which there are thus no established defenses. Zero-day threats are what keep security researchers busy. But they are not the only thing that keeps cybersecurity professionals awake at night.

All too often, hacked companies have fallen victim to means of attack that were already known. In these cases, protective measures were available — but the company failed to implement them. One security expert, Roger A. Grimes, writing at InfoWorld, says that “I’ve never come across a fully patched computer. Some critical patch is always missing.”

Looking at cybersecurity challenges in broad perspective, we could say that hacked companies are ultimately victims of complexity. As our computer systems have grown more powerful, they have also become more complex. This opens the way both for ordinary human errors that social engineering can exploit and for institutional errors such as failing to keep software patches fully updated.

And complexity continues to grow. The growth of artificial intelligence and autonomous systems will create both new security challenges and new security opportunities as we enlist cutting-edge technologies as security allies — all of which will ensure that cybersecurity experts face both a challenging and rewarding future.