Acting like a cybercriminal at least once? Perseus makes it possible. As part of the Perseus Hacking Day on February 23, 2022, our team used every means at its disposal to try to compromise our system and break it down. Did we manage? Let’s find out! Here are three examples of our attempts.
Why have a Perseus Hacking Day?
Our mission is to make cyber risks manageable. Accordingly, we should know about these risks. So why not start with our own company and find out what potential threats Perseus could be exposed to, what vulnerabilities could be used for cyber attacks, or even how much information about employees could be found using social engineering, for example, by sending a deceptively “real” phishing email. We wanted to put our own cyber security to the test because as we all know, there is always room for improvement. The goal was to incorporate the findings into our solutions to increase cyber security for companies.
All members of the Perseus team who wanted to participate were welcome to do so. And many did, which is great because: Cybercrime has many faces, and our team has different skills that go far beyond programming… and of course it should be fun.
Social engineering: the basis for personalized cyber attacks
Time and again, the internet and social media prove to be a valuable treasure trove of personal data – not only for private, but also for corporate information. Social engineering has proven to be one of the most affected ways to gather detailed information about companies and employees that can be used for criminal activities. Attack patterns such as spear phishing or a possible CEO fraud are popular means among cybercriminals. That was reason enough for us to also try to find valuable information about the management team: from contact details to photos to political views. And in some cases, we actually found what we were looking for. But also our own social media channels provided exciting insights when we took a closer look. Now it was a matter of using this information accordingly – and fixing the possible vulnerabilities on our side right away.
Smishing and vishing – the smartphone as a gateway?
We regularly inform our customers about current fraud schemes used by criminal hackers. Two frequently used methods for the exploitation of sensitive data are smishing and vishing, i.e. phishing attempts via SMS, voice mail or phone calls. We didn’t know how our own team members would react to such attempts. So we ran our own smishing/vishing attacks. We tried to get sensitive business data out by calling several team members and parts of our management as well as by sending text messages. Fortunately, we did not succeed. Although we received replies to our messages from the addressed people, they did not share the data the “attacking team” was looking for. That is bad news for cybercriminals, but good news for our company. Incidentally, a phishing attempt by mail was also unsuccessful.
Using DDoS and pentesting to hack the system?
While the methods from the two examples above very much target the human factor, we also put our technical defenses to the test. A frequent attack pattern of cyber attacks is the so-called DDoS attack, in which a high amount of constant requests are directed towards a system until it is overloaded and collapses. As part of the Perseus Hacking Day, we tried to bring our own system down by executing such an attack. The result: The protective layer added by our cloud provider blocked any attempt to compromise the service and prevented any kind of overload.
Another attempt was to use penetration testing, also known as pentesting, to identify security vulnerabilities by simulating a cyber attack. The goal is to uncover possible vulnerabilities in a system, application, or organization, or to obtain general information about a company’s security status.
What we already knew has been confirmed: To execute a cyberattack, programming skills are good, but not necessarily essential. Creativity, analytical thinking and research skills – and the determination to compromise a system – are just as valuable and important. The Perseus Hacking Day proved this, and we can be proud: Not only do our products and services contribute to making the world more cyber-secure every day – our team is also familiar with the dangers from the internet and did not fall for any of the potential attack attempts of the other team members. We were able to fix all of the anomalies right away and thus increase cybersecurity at Perseus a bit more. So we learned quite a lot. This will certainly not be the last Perseus Hacking Day. Checking for potential risks and raising employee awareness to increase cybersecurity in the company are not one-time events, but an ongoing process. We’re staying tuned.