It was really difficult to believe him, I must admit. I suspect there was a bit of bravado in his statement that ‘they obtained the required information in 43 seconds’.
The guy I was talking to was the director of an ethical hacking business. The ‘ethical’ bit means that they only do it legally, and with the support of the client who has asked them to test their data security systems.
In this case the firm was approached by the IT Director of a Premier League football club. The club had just installed a powerful new security and protection system. Top of the range stuff, the very latest in encryption and antivirus protocols. Apparently this was the best and, as a consequence, the most expensive (!) system they could install.
The ethical hackers’ task (for a decent fee, I must advise) was to test the system and obtain sensitive data to demonstrate that they had actually penetrated the new data security fence. They were given three days to complete the task.
At the end of Day 1, the hackers presented data to their client showing the names of all the club’s players, and their salary and bonus structures. Clearly the IT man was stunned! All that money and the system didn’t even work!
Well, it seems the system did actually work. The hackers felt the club was very well protected. How on earth, then, did they get the information on players’ salaries?
The answer involved a bit of lateral thinking. The Premier League club had the latest and strongest defence system, but their lawyers did not. The hackers obtained the information from the lawyers’ servers, a much easier target, apparently.
I guess the moral of the story here is that when it comes to assessing risk, you need to think laterally and ensure that all parts of the supply chain and supporting organisations actually have as good a data protection system as you do. This particularly applies to suppliers/customers who operate in less controlled data environments overseas.
So, take care. As the saying goes, ‘there is more than one way to skin a cat’, and it can be done in 43 seconds!