In my current journey in Ethical Hacking, I have learned many new skills, but the main ones I feel will further my concentration in I.T. are social engineering, disguising malware/keyloggers as look-alike programs, and, more importantly, an understanding of power and control in the field. First, social engineering has brought me to the understanding that not everyone in life, or in the world, is who they seem to be. Maybe 90%+ of the people we come to interact with seem harmless, but it's the little things in life that people don't pay attention to which may come back to haunt them.
When I worked at Fidelity, people were being socially engineered on a daily basis, and most of it was harmless; it was noticeable in businesses that this is becoming the norm. Social engineering such as shoulder surfing, piggybacking, and password sharing is extremely common in day-to-day activities. What I did not realize was that this was a really bad practice, and not just that, but also that there was a lack of security enforcement by the I.T. team. Honestly, nobody cared about anything other than doing their jobs. There was never an issue with any of the mentioned activities, but I realized that once something does happen, it could get really ugly, really fast. Jobs could be lost, people could get fired, managers and supervisors could get written up, etc. Further, I have learned that it is not hard at all to hide simple keyloggers in everyday programs such as Internet Explorer or Firefox. There are some keyloggers out on sourceforge.net that will not show up as malware. I have also noticed that friends and family around me fail to be aware of phishing emails and drive-by malware downloads. They will click on anything and everything they get in their e-mails. I can say my I.T. awareness is much higher than it was before I took the class.
Last but not least, I don't know if this is considered a power or not, but I've come to understand and learn the use of power and self-control in the field. In every job I've been at, you are given some type of login and password, whether admin or not, and there is an insane amount of information you can get with such logins. I knew before I got laid off that I could have easily disclosed confidential information as a disgruntled employee and gotten away with it, since 95% of the workforce was told it would be laid off. During my last weeks of employment, I was given a final task to break down the entire network of PCs, and was given all types of access, physically into secure areas of the building and remotely to re-establish access to other data center sites located in other states. I have learned that being given such privileges and access calls for a strong desire and will to control them. This was something that was entrusted to me and not something to be abused. Obviously, being disgruntled and all, I did what was the right thing to do: finish my job and understand the limits and boundaries of what I should and shouldn't do.