To Stop A Hacker, You Need To Think Like A Hacker


Hacking is nothing new; in fact, if you search “how to become a hacker,” you will get pages of self-help guides and step-by-step instructions. However, there is a new and serious issue related to this pastime: the criminal fraternity is using it to make money, and serious amounts of it.

There is an extensive black market trading illegally obtained sensitive information, from e-mail addresses and compromised machines recruited into botnet armies, to credit card details and identifiable personal information used for fraud. If you hold electronic data, there is a good chance that someone, somewhere, has their eye on swiping it from under your nose.

Why does this happen? It is because criminals know how to “think outside the box” and automatically look for the back door or the hidden weaknesses. It is time we learned how to build our defences on the same basis and use our imaginations as well as technology.

The first step in protecting data is identifying what exactly needs to be secured. After all, there is no point protecting customer databases if that is not where the real target is hidden. To do this, complete a threat modelling exercise:

Who is likely to attack?

For different organisations this will vary, so, for purposes of illustration, consider a pharmaceutical company. It could face a number of different attackers: animal rights activists, disgruntled employees, a competitor and more.

What are they after?

The activist and disgruntled employees may just be focused on causing a nuisance; however, the competitor may have its eye on the latest drug research.

How will they try and get it?

The activist could be intent on causing network downtime by launching a malware attack. The disgruntled employee may use unrevoked access rights to tamper with data and alter systems. The competitor may try to infiltrate systems to access the research or spoof an unsuspecting employee into allowing them entry.

Are we vulnerable?

Only you can answer that—are you? When completing this threat modelling exercise, there are many arguments about who should be responsible, whether it is IT or the CISO. Whoever is directly responsible for security should be the one completing the model. Once the model is complete, plan the course of action so that it is less reactive and more tactical. It is true that you are fighting a battle, but it is the war on which you need to focus.

What’s your game plan?

Organisations continue to underestimate the devious nature of today’s hackers: they do not play by the rules and simply attack using a known vulnerability. Instead, they look at the wider picture and are happy to attack from the blind side or from behind, and will not think twice about hitting below the belt. They are criminals; they will do whatever it takes to deliver the knock-out blow.

The big issue for us, as defenders, is that we do not tend to think like them. We have the rule book and we stick to it. Most of us will regularly patch our systems, employ firewalls and encrypt our data, but it is not enough. Antivirus software protects against known malicious software, but what about the unknown? What if someone bypassed your controls? Would you even know they had done it?

To truly protect ourselves, it is time to think like a hacker, in order to stop them in their tracks. We need to consider what goes on in their heads.

Rule One: If at first you don’t succeed, try, try again.

One-step attacks are a distant memory. Today, hackers do not just try the doors and windows to see if they are unlocked. They challenge the very fabric of our defences.

  • A criminal trying the usual entry points will not just walk away when they find them bolted if they want what you have. Instead, they will bombard the system with multiple attacks until, eventually, they force the locks open and storm the network.
  • Just like a virtual game of Jenga, if they are unable to get in today, they may come back tomorrow and try again, because they know your framework is changing day by day, or minute by minute. In that game, a brick that seems stuck firm during one turn becomes loose a couple of turns later as other bricks are moved. The same is true of an organisation’s defences. It stands to reason, therefore, that if the system is secure and then a change is made, you need to make sure it is still secure after the change.
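The Jenga point above, re-verifying that a system is still secure after every change, is usually implemented as a baseline regression check: record the controls that made the system secure, then compare the configuration observed after a change against that record and report anything that got weaker. The following is an added example, not code from the article or from First Base Technologies; the control names, their expected values and the "after change" snapshot are all constructed for illustration.

```python
"""Post-change security regression check (added example, not from the article).

A recorded baseline lists each control with the value that made the system
secure. After a change, the observed configuration is compared against it and
every control that is missing or weaker is reported. All names and values here
are constructed; swap in the real ones from your own configuration management.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    expected: object
    # "eq": observed must equal expected exactly
    # "min": observed must be >= expected (e.g. a minimum password length)
    # "subset": observed set must stay within the expected allowlist
    mode: str = "eq"


# Constructed baseline captured when the system was last known to be secure.
BASELINE = [
    Control("firewall.default_inbound", "deny"),
    Control("ssh.password_auth", False),
    Control("password.min_length", 14, "min"),
    Control("open_ports", frozenset({22, 443}), "subset"),
    Control("tls.min_version", "1.2"),
]


def check_control(ctrl, observed):
    """True if the observed value still satisfies the control."""
    if ctrl.mode == "eq":
        return observed == ctrl.expected
    if ctrl.mode == "min":
        return observed >= ctrl.expected
    if ctrl.mode == "subset":
        return set(observed) <= set(ctrl.expected)
    raise ValueError(f"unknown comparison mode {ctrl.mode!r}")


def regressions(baseline, current):
    """Return (name, expected, observed) for every control that is now missing
    or no longer satisfied, in baseline order."""
    failures = []
    for ctrl in baseline:
        if ctrl.name not in current:
            failures.append((ctrl.name, ctrl.expected, "<missing>"))
            continue
        observed = current[ctrl.name]
        if not check_control(ctrl, observed):
            failures.append((ctrl.name, ctrl.expected, observed))
    return failures


# Constructed snapshot after a "harmless" change: a new service opened 8080,
# someone re-enabled SSH password login to troubleshoot, and the TLS minimum
# version setting was dropped from the config file altogether.
AFTER_CHANGE = {
    "firewall.default_inbound": "deny",
    "ssh.password_auth": True,
    "password.min_length": 14,
    "open_ports": {22, 443, 8080},
}

if __name__ == "__main__":
    for name, expected, observed in regressions(BASELINE, AFTER_CHANGE):
        print(f"REGRESSION {name}: expected {expected!r}, observed {observed!r}")
```

A missing control is treated as a failure rather than ignored, because a setting that silently disappears from a configuration file is exactly the loosened brick the article describes. Run the check as a gate in the change process, not as an afterthought, so the comparison happens before the change goes live.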

Rule Two: If at first you don’t succeed, cheat.

With Windows the operating system of choice in most organisations, many hackers do not need to waste their efforts cracking alternative systems. They can focus their skills on breaking just this one and, instantly, 99 percent of organisations are vulnerable. If you are in any doubt, type “Crack My Windows Password” into your search engine of choice and gasp with shocked bewilderment at the advice available—then get serious about protecting your organisation.

Time to fight back

You can have the car with the safest record, but if you drive it like you are the only person on the road, all the airbags in the world are not going to stop you from crashing. It is the person behind the wheel who is in control, and the same is true for networks.

  • The first step in securing systems is making sure everyone knows why it’s important and plays their part. After all, there is absolutely no point making sure that the network is completely sealed against an external attack if you are going to let a hacker walk in through the front door. Physical vulnerabilities can make virtual security redundant. It is especially important to ensure that each employee is given security awareness training, because of the proliferation of mobile devices and the surge in work activities being performed on personal devices and vice versa.
  • Someone calling from IT to ask for a password should be a red flag, but most employees would assume this is okay and divulge the information, unless, of course, they know that it should never be requested or provided.
  • Just as we are all warned about phishing e-mails and told not to follow links in order to protect our personal information, employees should be made aware of similar attack methods mounted against the organisation. For example, your IT department almost certainly does not send e-mails containing links for employees to patch or upgrade their desktops, yet this is an increasingly common way to get people to download malware.
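The last point above, that IT does not send update links by e-mail, can be turned into a simple mail-gateway check: if a message talks about patching or upgrading and its links lead outside the organisation, or show one destination while pointing at another, it deserves a warning banner or a quarantine. The following is an added example, not code from the article or from First Base Technologies; the organisation's domain and the sample message are constructed.

```python
"""Flag 'patch/upgrade' e-mails that carry external or misleading links
(added example, not from the article).

Assumes, as the article says, that the organisation's IT never sends update
links by e-mail. Given an HTML message body, this extracts every <a href>,
reports links whose host is outside the organisation's domains and links whose
visible text shows a different host than the real destination, and combines
that with whether the message mentions patching or upgrading at all.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAINS = ("corp.example",)  # constructed: the organisation's own domains
UPDATE_WORDS = re.compile(r"\b(patch|patches|update|updates|upgrade)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL, or None if the string is not a URL."""
    host = urlparse(url.strip()).hostname
    return host.lower() if host else None


def is_internal(host):
    return host is not None and any(
        host == d or host.endswith("." + d) for d in ORG_DOMAINS
    )


def analyse(body_html):
    """Return the update-mention flag and a list of (reason, href) findings."""
    collector = LinkCollector()
    collector.feed(body_html)
    visible_text = re.sub(r"<[^>]+>", " ", body_html)
    findings = []
    for href, shown in collector.links:
        href_host, shown_host = host_of(href), host_of(shown)
        if not is_internal(href_host):
            findings.append(("external_link", href))
        if shown_host and href_host and shown_host != href_host:
            findings.append(("mismatched_display", href))
    return {
        "mentions_update": bool(UPDATE_WORDS.search(visible_text)),
        "findings": findings,
    }


def is_suspicious(body_html):
    """Update talk plus at least one link that IT would never send."""
    result = analyse(body_html)
    return result["mentions_update"] and bool(result["findings"])


# Constructed sample: an 'IT Helpdesk' message whose visible link looks internal
# but whose real destination is an outside host.
SAMPLE_PHISH = """<p>Dear colleague,</p>
<p>Your desktop needs an urgent security patch. Please install it today:</p>
<p><a href="http://desktop-update.example.net/patch.exe">https://it.corp.example/patch</a></p>
<p>Regards, IT Helpdesk</p>"""

# Constructed sample: an ordinary internal announcement with an internal link.
SAMPLE_BENIGN = """<p>The canteen menu for next week is now online:</p>
<p><a href="https://intranet.corp.example/news">https://intranet.corp.example/news</a></p>"""

if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, "suspicious" if is_suspicious(body) else "ok", analyse(body))
```

The two signals are deliberately kept separate: an external link on its own is normal in most mail, and talk of patching on its own is normal from vendors, but the combination is the pattern the article warns about. Feed the same check into awareness training so that employees learn to look for exactly what the gateway looks for.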

Keep everyone informed of the type of attack that is likely to be mounted against your organisation. Make them aware of which of your assets people outside your four walls would consider the crown jewels. Finally, convince them that they need to play their part, and make sure they know what the penalty is if they do not. Ultimately, a data breach could devastate the organisation and, especially where industrial espionage is involved, the wound could be fatal.

The new rule book

We need to examine and test our systems, buildings and people as though we are a criminal, not the developer or the architect. Criminals use technical, physical and human attacks to achieve their goals. Unless we understand these attacks, we will continue to be hacked. Once you recognise the devious nature of today’s hacker and embrace “thinking like a hacker”, you will have the critical mindset to apply budget and resources to the areas where criminals are most likely to attack your organisation and to counter their methods effectively.

Happy hacking.

Peter Wood is a member of the ISACA conference committee and Chief of Operations at First Base Technologies, an ethical hacking firm in the UK.