Security News

Cyber Secrets From An Ethical Hacker

Joshua Crumbaugh has hacked into everything from a bank vault to a Fortune 500 data center. In an interview with CRNtv, he shares the top threats businesses need to be aware of today.

Joshua Crumbaugh has never encountered a network that could keep him out. He’s an ethical hacker who’s gotten his hands on some of the most heavily guarded data in corporate America. And, he said, it’s all because of human error.

“All of the studies are showing that over 90 percent of breaches are tending to start with a phish click, which is an email-based cyberattack. If we are trying to solve a human problem with technical solutions, we are always going to fail,” he said.

One of the easiest ways hackers are finding their ways into a network is through social engineering, said Rumbaugh, who has used the tactic himself to manipulate his way into banks and even move money. These attacks typically involve some sort of psychological manipulation.

“Whoever is targeted will be very strategic. We will know that they’re the No. 1 proper decision-maker for whatever the pretext happens to be, and we will find some sort of leverage that we can address or fix for you, so it creates this ‘us against the world.’ That makes you more likely to trust us,” said Crumbaugh.

Everyday business practices could also be a downfall.

“The example that I love is accounts payable. They are used to every day opening up PDFs that say ‘invoice.’ That could easily be malware instead of a PDF, and they are going to open it because that’s their job. So, if they are not provided with a secure way of opening these things maybe in a Sandbox where they don’t have to worry about a network being compromised, then you will have procedures in place that create more risk.”

And, while Crumbaugh doesn’t expect attacks involving malware to subside, he has noticed another threat on the rise that businesses need to watch.

“One of the things I’m seeing is that in development, particularly web-based development, we are doing a lot more with the DOM: Document Object Model. It is sort of all local on your machine. But the problem is that I see developers do things like “Is Admin = true?” and I can just change it to maybe false or whatever. So, I can go in and manipulate the DOM to do things like privilege escalation and on top of that bypass authentication altogether. I think it will be one of the top vulnerabilities over the next few years.

Crumbaugh shared his secrets in an interview with CRN at The Channel Company’s IT Security University held at XChange 2019 in Denver. Watch CRN’s video for more tips.

Learn More: Cloud Security| Managed Security| Network Security| Internet of Things| Professional Services| Enterprise Applications| Enterprise Opportunities| Threat Management| Current Threats| Data Breaches| Application Development| Application and Platform Security

Advertisement