
Reader Forum: Think like a hacker

Editor’s Note: Welcome to our weekly Reader Forum section. In an attempt to broaden our interaction with our readers, we have created this forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editor at: rprescott@rcrwireless.com.

Synopsis: A recent survey “Security Predictions for 2012 from Websense Security Labs” revealed that 19% of companies have fallen victim to an Advanced Persistent Threat and around 37% admit that data has been lost by employees. The headlines are full of stories about security breaches. What can you do to stop your company from becoming another statistic? In this article, Carl Leonard, one of the top security researchers in the field, reveals the secrets to thinking like a hacker in order to protect your company. It will cover: analysing how you would attack yourself, identifying weak spots, and what simple things you can do to manage risk. Recognising the threats to which you are susceptible is one step towards designing a secure solution that works for you.

KNOW! KNOW! KNOW! – THINK LIKE A HACKER
From military briefings to sports locker rooms, every team uses an identical strategy: “Know your enemy. Predict their moves. Do what they think you won’t do.” Faced with their No. 1 opponent – the hacker – today’s IT manager must surely do the same. Decades of experience have taught those generals and coaches how to outwit their adversaries but, in a relatively young industry, how does an IT manager begin to understand, anticipate and block the hacker’s best moves?

KNOW THE PROCESS – HOW WOULD YOU ATTACK YOURSELF?
The survey “Security Pros and Cons” revealed that 19% of companies have fallen victim to an Advanced Persistent Threat and around 37% admit that data has been lost by employees. With figures like these, it’s time for brutal honesty. If you were given the job of stealing your data, how would you do it?

First, evaluate yourself as a target. What do you have that’s worth stealing? Very obviously, a manufacturer of defence equipment is potentially a juicier target than an online shoe shop BUT it’s not just about money. Anything that can be monetized, from credit card numbers to customer lists, is a valuable commodity to a hacker.

Intellectual property is another prime target. Think about sales projections or marketing plans for 2012 and how much competitors would pay for these confidential documents. Research data? New product development ideas? Financial results? Patent applications? The list is endless and all of it is valuable to someone, somewhere.

The other aspect to ‘knowing the process’ is all about knowing your enemy. What are their preferences? What techniques have they used? Just as a sports coach will study the opponents’ play in the past few games, an IT manager must be aware of how hackers prepare, what resources they have at their disposal and, most importantly, the latest trends. It’s well recognised that the ‘attack surface’ – the range of possible entry points to corporate networks – has grown exponentially and it increases with the purchase of each smartphone, tablet and laptop. Most challengingly, it used to take years for sophisticated malware to hit the common black market. Now it’s a matter of weeks. For around $25 you can buy ready-to-use kits that are pre-tested to dodge traditional defences. It’s clear that companies need to be armed with cutting-edge security solutions to stop data from slipping into the wrong hands.

KNOW YOUR WEAK SPOTS – TECHNOLOGY, PEOPLE AND CULTURE
Finding your weak spots is easy: they’re always right next to the Path of Least Resistance, giving the hacker access at the lowest cost or the lowest risk or in the least amount of time.

Today’s systems are often spread over multiple locations, accessed by thousands of people, via an exploding variety of devices. According to Dan Hubbard, chief technology officer at Websense, anything exposed to the web is vulnerable:** “One thing we know from the explosion of breaches, amplification of advanced malware, and propagation of exploit kits is that the common factor is very simply, the web. As broader adoption of mobile, social and cloud technologies explodes, we will see the bad guys move rapidly to take advantage of this shift.” If the web is a weak spot, the next question is how integrated are your systems? Once ‘in’, can someone roam freely through each database and is the movement of data monitored, logged and checked?

Public wi-fi must count as another weak spot when employees use their tablet or smartphone in a coffee shop or hotel room. In a relaxed environment, possibly out of office hours, are people as security-conscious? Could keystrokes and passwords be intercepted or, more simply, just watched from the next table?

Even after many years of computer literacy amongst employees and suppliers, people will always be a fragile link in any system. They will take material home, forget USB sticks on a train, leave screens logged in for passers-by to see, discuss sensitive issues on social media sites and they are vulnerable to coercion, greed… and economy of truth. Just one employee in a hundred admits** to posting confidential information on a social networking site, but 20% of IT managers say that it has indeed occurred in their organisation. One employee in 50 reveals that they have introduced malware onto the network, but 35% of IT managers have already seen it happen.

Changing social culture is a relatively new weak spot for IT managers to assess. The rise of email, social media and portable personal devices has quickly changed how many people communicate, share information and organise their lives, blurring the distinction between work and personal. Another 2012 prediction* says your social media identity may prove more valuable to cybercriminals than your credit cards. Trust is the basis of social networking, so if a bad guy compromises your log-ins, there is a good chance they can manipulate your friends. The primary blended attack method used in the most advanced attacks will be to go through your social media “friends,” mobile devices and through the cloud.

In 2012, the London Olympics and the US presidential elections are typical of the events that cybercriminals will use to infect users where they are less suspicious, e.g. sites designed to look like legitimate news services, Twitter feeds, Facebook posts, LinkedIn updates, YouTube comments and forum conversations. “Many of the business and government attacks in the coming year won’t necessarily be about how complex the code is”, says Dan Hubbard, “but how well they can convincingly lure unsuspecting victims to click.”

KNOW WHAT YOU NEED TO DO – INVESTMENT AND TRAINING
The difficulty in addressing weak spots is in the name. They are spots – not fundamental flaws in design or operation – but some of the most effective remedies are the most obvious and simple.

Better passwords are still the easiest way to improve security. Virtually no investment required but a significant training and education effort is needed if IT managers are to tackle the thorny issues of more complex and frequently-changed passwords, enforcing a single sign-on strategy and even two-factor authentication. Certainly better security but look out for irritated users and innumerable calls to the helpdesk!

Sometimes overlooked is the need for basic physical security to offices and data centres. If a visitor can gain access to, for example, hotdesking areas where open network connections are available, can they quickly download data onto a USB stick? There’s no need to hack, scam or beat security if the required data can be simply stolen in a quiet corner of an office.

Routine upgrades and patching should be an essential part of the security regime. It may be classed as maintenance but if a hole needs patching, that’s a weakness ready to be exploited. And when matters reach crisis point, is a CERT (Computer Emergency Response Team) in place or do you have access to their expertise?

Websense’s predictions for 2012* say that traditional defenses have focused on keeping cybercrime and malware out but now, organizations will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection. According to research**, most IT managers are already making multiple changes: over 40% have focused attention internally on testing and overhauling existing policies, implementing new solutions, and imposing new restrictions on users.

In the end, defeating the hacker means knowing where your valuable data lives, when it moves and who is moving it. Research indicates that IT managers are increasingly agreeing with this proposition as nearly a quarter have begun or accelerated a full DLP project.

Remember the third leg of the core strategy – “Do what they think you won’t do”? Hackers are used to exploiting weakness and inconsistency so a comprehensive and integrated DLP solution may be just what they least expect!

* “Security Predictions for 2012 from Websense Security Labs”
** “Security Pros and Cons” – research by Dynamic Markets for Websense (September 2011)
