A large majority of the attacks you read about in the newspaper -- stolen data and bank heists -- occur because some internal employee was tricked into running malicious code. The malware then installs a back door, which the attacker uses to compromise the host environment with the privileges of the unlucky employee.
Lastly, even if you have perfect security (and nobody really does), often the simplest thing a hacker can do is to ask IT or other employees for the access or password they need.
Every professional penetration tester can easily, and laughingly, recount numerous stories about how easy it is to get unauthorized access from a normal corporate employee. I often walk up to the CEO’s executive secretary and say something like, “Hello, my name is Roger Grimes. I’ve been hired by IT to do password penetration test auditing. I need the CEO’s password.”
How often does this work? So far, 100 percent of the time.
I recently told this story while teaching a class. A student who happened to be the security officer at a large firm declared that it wouldn’t work at his company. So, at lunch, with his permission, I went to the CEO’s secretary and asked my question. Did it work? Of course.
Several multi-year studies have shown that more than 60 percent of your workforce will reveal their real passwords to complete strangers on the street for a candy bar or something worth less than $2 -- a pen, a blank CD-ROM, and so on. I could not believe these statistics when I first heard them. But two years later, multiple studies, by different firms, conducted in many different countries, have all come up with the same results.
When developing software or creating a network security plan, stay focused on the primary eight methods of the attacker and plan and defend accordingly. And make sure your employees know not to reveal information to strangers, no matter how politely they ask.