Just when you think you've got yourself all covered on the security front, an attack comes out of nowhere and bites you on the arse. You think to yourself: How did I not see that coming?
That's where penetration testing, or ethical hacking, comes in. The idea is to get a third party to think (and act) like a hacker to test your organisation's resilience to attack.
And the stakes are high, says Hacklabs senior consultant Jody Melbourne. "Nobody is concerned with targeting websites or going after your database — that's old," Melbourne says. "The real bad guys are trying to steal your IP, your business intelligence or business information. [The criminal] is going after your internal network.
"You make a lot more money if you find out that large corporation A is about to acquire large corporation B in a few months, for example. If you hack some board members of a large corporation and find out all of their secret information, read their emails, then that is far more serious than stealing credit cards."
Melbourne has been employed by both private sector and public sector organisations to test their security, with sometimes alarming results.
He said he's found it "frustratingly easy" to just walk into many organisations. "I just wave my hand and say 'I'm walking in here, it's fine' and walk straight in," Melbourne says. "I'm wearing the right clothes, I'm confident, and I look like I'm supposed to be there."
All it can take then is swapping out a desk phone for a tampered-with handset of the same model. "I plug in a device behind a phone; or I swap out the phone entirely for the exact same model and say 'I'm here to change the phone, there's something wrong with it' and the receptionist says 'OK'."
"That whole network and organisation is compromised with a spy phone that I was able to make for $50," Melbourne says.
Melbourne gave another hypothetical scenario for compromising a network — a hacker dressed like, and acting like, a regular employee just strolls in and connects a Wi-Fi or 3G dongle to an organisation's network.
"[Then] I'm sitting in a hotel room 500 metres away with full access to your internal network reading your executives' emails," Melbourne says. "That's the landscape now."
A network could be compromised with just $100 worth of innocuous-looking hardware that most employees wouldn't even recognise as a threat.
Melbourne said that when engaged by a government department to test its security, he was able to compromise the entire agency after gaining access to a single computer on its network — with no special tools required.
"A business insider at a corporation might only have mediocre hacking skills, but might actually guess the password of the CEO and get access to all of that information," Melbourne says.