White hat hackers see companies at their worst. It is, after all, their job to expose weaknesses. Network World Editor in Chief John Dix recently chatted with penetration testing expert Josh Berry, Senior Technology Manager at Accudata Systems, an IT consulting and integration firm based in Houston, to learn more about the attack techniques he encounters and what he advises clients do to fight back.

Let’s start with a thumbnail description of your company’s white hat team.

Most of us do a little bit of everything, but it involves anything from internal and external vulnerability assessment to network penetration tests, web application tests, penetration tests for mobile applications, wireless testing and social engineering as well. We also have a compliance side of the practice that handles more PCI-DSS, HIPAA, those kinds of things.

Background-wise, we typically all have a CISSP, the de facto standard security certification, and then on the penetration testing side, I’m an OSCP, which is Offensive Security Certified Professional, which is fairly well regarded for our particular niche. They give you access to a lab and you have to penetrate so many systems within 24 hours and then write a report.

Who typically hires you folks?

We are typically engaged by the IT department, whether it’s information security or another group. A large percentage of our assessments are driven by compliance needs to validate security controls for, say, the credit card industry data security standard or HIPAA or something else like that. They understand the purpose and goals and there isn’t a lot of explanation needed.

Do you also get brought in after a breach?

That can happen. Say a customer has had a breach and has taken steps to add more security layers and additional controls.
Once those are installed, a lot of times they’ll engage an organization like Accudata to perform testing to validate what they’ve put in place.

We had a banking customer, for example, engage us to perform a mobile application assessment before they made it available to customers. We went about testing it and found a flaw where an attacker, had they pushed out this application prior to having it tested, would have been able to transfer money from anyone’s bank or credit card to their own bank or credit card, and they could have done that for every customer in the environment if they wanted to. We see that a lot, where testing is performed before a system goes live, so we can help find an issue before an attacker has the opportunity to.

What size organizations typically hire you?

It really depends on the company’s compliance requirements. If they accept credit cards as payment for any product or service, it’s a requirement, regardless of their size. But most of our customers are in the mid to large size.

Do you ever approach an engagement on a stealth basis, or are you always out front with it?

That really depends on the maturity of the organization. There are a lot of things you can get out of penetration tests. For those with less mature security processes, they’re really just looking to find vulnerabilities someone can use to access their systems or data. But for a more mature organization, they might also want to test their ability to detect and respond. In those cases it’s usually more stealth, where we are trying to be slower and quiet and not intentionally set off any alarms.

We’ve been banging on security for a long time. When you do this for a large organization, are things more or less buttoned up and are you increasingly looking for smaller holes?

Most organizations’ external perimeter is pretty buttoned up. But once you make it inside it’s still pretty weak.
It’s a pretty quick operation to go from social engineering to exploiting somebody’s workstation, to pivoting in the environment and escalating all the way to an administrator where you can access anything.

But the perimeter is more secure, applications are being developed more securely, developers are more knowledgeable about different types of classes of attacks and how to use tools to prevent those. Most organizations still struggle to patch clients, which can be attacked using phishing or other social engineering techniques. They struggle to patch third-party applications throughout the environment. So we still see vulnerabilities we can use to get in, and once we’re inside we can escalate access through third-party applications.

Another very common way we get in is finding a system or application or device that has a default or a weak password. Large organizations tend to miss a system here or there and forget to change that one default admin account password.

Given the environments that you test, would you agree with the idea put forward by some that most organizations have already been breached, that they already have malware inside?

Yes. If they haven’t been breached, it’s just because they have stayed off the radar and there are better targets, or they don’t have anything of enough value for an attacker to take the time to bypass their defenses. Through social engineering, every organization is susceptible to being attacked and having a significant compromise.

The growing trend is to get better at detecting and responding, to have the mindset that, “At some point we’re going to be breached or we probably have been, so let’s get better at identifying the indicators of compromise and shut those down before it becomes a problem.” That’s something we’re providing more and more of versus just finding this and that vulnerability.

Is social engineering the most common type of attack these days?

Yes. In the wild, the most common attacks would be social engineering, typically involving some sort of email phishing campaign where the attacker sends an email that looks like it’s from a legitimate organization, or maybe from the company itself, and gets a user to click on a link. That link either asks them to type in their user name and password or opens up a document or something else that exploits the workstation, and then the attacker goes from there. That’s what is typically used in ransomware attacks. The human element tends to be one of the hardest things to secure.

We do social engineering testing as well. For example, we had another banking customer and we had 100 users in scope for a phishing attack. We planned out the scenario, set up the website and crafted the email and sent it out to the 100 users, and then we started tracking who was clicking on it, who was logging in. We quickly got over 100 users. Not everyone clicked, but some of the employees thought what we were proposing was great and forwarded it to others. We actually had something like a 150% success rate. That just shows you.

Come on, 150%?
The percentage rate for clicking on the original email was probably closer to 50%. On most engagements we see 25%-30% actually log in so we can capture credentials, and maybe 20% go through the entire process. Still, in a large organization that’s a really high percentage of users.

That’s amazing. What do you recommend to combat that? There’s this discussion about whether security training works, but what do you folks advocate?

We certainly advocate providing additional training and what indicators to look for, but there is only so much you can do to train your employees. Their jobs aren’t security. Their jobs are in accounting or whatnot, so they can’t be an expert in security. So we also try to give some practical things that can help either prevent or detect these types of attacks.

For example, in our tests we often send an email that appears to come from another employee in the company. One of our consultants has had a lot of success with an email that pretends to provide a link to a spreadsheet with everyone’s salary. That’s always good click bait. So we recommend they train employees about what an email from accounting is going to look like. And train them that, if they get an email from accounting, it is never going to contain a link. You tell them to access the accounting page directly.

Also, a majority of mail servers won’t allow us to send an email that comes from their own domain, so usually what we do is change it slightly. If it’s company.com we change it to company1.com. So we tell customers to train employees to look at the domain of the company.

What are corporations most worried about losing?
Right now I think most organizations are most concerned about ransomware because it can be fairly devastating. If a couple users of important shares get infected and everything within those shares gets encrypted and you have a poor backup program, that can have a huge impact on the business.

You would think that most companies would have adequate backup plans so this wouldn’t be much of an issue.

We’ve seen a little bit of everything with backup plans. A lot of organizations have a decent backup strategy in place, but it’s still a big headache and really slows the business down if you have large amounts of files and shares that get encrypted, and now you have to go restore all these things and test and make sure the restore went well, etc. It definitely slows business operations down tremendously. I don’t know that we’ve had any customers pay a ransom, but I’m aware of organizations that have, some with success and some that pay and still get nothing out of it.