If you watch Scorpion on CBS, you will be familiar with Walter. Walter knows how to think like a hacker. He is one.
In fact, Walter was a malicious hacker as a child. He hacked the government and got up to all sorts of mischief. You may view him as something of a villain, but you would be wrong. Walter may have been on the wrong side of the fence as a child, but now he works for the government and his hacking prowess is used for good. There is nothing evil or wrong about the ability to hack; only how those skills are used determines whether you are in the right or the wrong.
You should learn how to think like a hacker!
Walter is good at his new job because he is a hacker, so he knows exactly how a hacker thinks. While penetration testers and reformed black hat hackers make good white hat hackers, anyone can develop a hacking mindset. A sysadmin can learn how to think like a hacker!
If you want to determine how secure your network really is, you need to learn how to think like a hacker. Look at your network as if you were an outsider: look at it as a whole, look at its attack surface, and see it from the outside, as a would-be attacker would see it.
A hacker intending to attack your organization would start with a little research: check the public face of your network, pick up information here and there, build a picture of the network as a whole, and then use that information in the attack on your company.
Take a look at your network with a fresh pair of eyes
If you wanted a new job and had secured an interview, you would do a little research on the company before you attended. You would need some basic information, because you would likely be asked about the company in the interview.
You would look at the company website, run a few searches through Google, and look at the company's Twitter and Facebook accounts. You would gather web-based information.
If you really wanted the job you would also gather some information from people. You would email anyone you knew who worked at the company and ask them what it is like to work there. You would ask others their opinion of the company.
This is how a hacker would start investigating your company. With that in mind, it is important to:
- Perform a whois search on your domains and public IP ranges, and see which contact names, email addresses, and name servers it reveals
- Check what is being said about your company on social media sites
- Check what employees of the company are saying and sharing online
- Ask what data your company voluntarily gives away. Do you advertise any aspect of your network structure, such as how many state-of-the-art servers you have or what software you use? Job advertisements and press releases are classic sources of this. It is much easier to find an exploit if you know exactly which software, and which version, a company uses!
- Search for your company on Google, Bing, Yahoo, and DuckDuckGo. See what information is revealed, and not just on pages 1-10!
- Use Google hacking (search operators such as site:, filetype:, and inurl:) to see what documents, PDFs, and spreadsheets are publicly available. You may be surprised at what has been indexed!
- Check the social media profiles of your company's employees. Is one member of staff a particular security risk? Do they list every aspect of their life on Facebook? Would they be a likely target of a spear phishing attack? Would a hacker have all the information needed to guess that individual's password, such as a pet's name, a partner's name, or a birth year? Over-sharers are often the targets of phishing campaigns, because so much can be learned about them online!
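The reconnaissance steps above can be rehearsed against your own public footprint. The script below is an added example, not code from the original article: it reduces a WHOIS reply and a job advertisement to the picture an attacker would build from them (contacts to phish, personal mailboxes on other domains, name servers, software versions, and internal hostnames). Both inputs are constructed samples using the reserved example.com domain; the regular expressions are deliberately simple heuristics.

```python
"""Passive reconnaissance: what the public face of a company gives away.

Added example (not from the original article). Both inputs are constructed
samples: example.com is a reserved documentation domain and the people,
products and hosts are invented.
"""
import re

# Constructed WHOIS reply for the company's domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.HOSTING-PROVIDER.NET
Name Server: NS2.HOSTING-PROVIDER.NET
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Email: jane.doe@example.com
Admin Email: itadmin@example.com
Tech Email: jdoe1978@personal-mail.example
"""

# Constructed job advertisement of the kind posted on a careers page.
SAMPLE_JOB_AD = """\
Senior Systems Administrator - Example Corp
You will maintain our fleet of 40 Dell PowerEdge servers running
Windows Server 2012 R2 and Red Hat Enterprise Linux 6, our Cisco ASA 5510
firewalls, Exchange 2010 and a SharePoint 2013 intranet at intranet.corp.example.com.
Experience with Symantec Endpoint Protection 12 is a plus.
Contact: hr@example.com or call +1 555 0100.
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+(?:com|net|org|example)\b", re.I)
# A capitalised product name followed by a version token, e.g. "Exchange 2010",
# "Windows Server 2012 R2", "Cisco ASA 5510".
VERSION_RE = re.compile(r"\b([A-Z][\w-]+(?: [A-Z][\w-]+)*) (\d[\w.]*(?: R\d)?)\b")


def parse_whois(text):
    """Reduce a 'Key: Value' WHOIS reply to the fields an attacker uses."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    domain = fields.get("domain name", [""])[0].lower()
    emails = sorted({e.lower() for values in fields.values()
                     for v in values for e in EMAIL_RE.findall(v)})
    return {
        "domain": domain,
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "contacts": fields.get("registrant name", []),
        "emails": emails,
        # Contacts on another domain are usually personal mailboxes: easy to
        # phish, and often the account that can reset the registrar login.
        "off_domain_emails": [e for e in emails if not e.endswith("@" + domain)],
    }


def find_disclosures(text):
    """Pull product versions, hostnames and contact addresses out of free text."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    # Scrub addresses first so their domains are not reported as hostnames.
    hosts = sorted(set(HOST_RE.findall(EMAIL_RE.sub(" ", text))))
    products = [f"{name} {version}" for name, version in VERSION_RE.findall(text)]
    return {"emails": emails, "hosts": hosts, "products": products}


def attacker_view(whois_text, public_text):
    """Combine both sources into the starting picture an attacker would build."""
    who = parse_whois(whois_text)
    pub = find_disclosures(public_text)
    return {
        "phishing_targets": sorted(set(who["emails"]) | set(pub["emails"])),
        "personal_mailboxes": who["off_domain_emails"],
        "name_servers": who["name_servers"],
        "software_in_use": pub["products"],
        "internal_hosts": pub["hosts"],
    }


if __name__ == "__main__":
    for key, value in attacker_view(SAMPLE_WHOIS, SAMPLE_JOB_AD).items():
        print(f"{key}: {value}")
```

Run against the samples, the output lists six named products with versions, one internal hostname, and a tech contact on a personal mail domain: every item is something a targeted attacker would note on day one, and every item was handed over voluntarily.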
Hackers love phishing – it’s so easy to be handed access to data!
If you could find an easy way to hack a company, would you choose it? Of course you would! You wouldn't want to do any more work than you have to, and neither would a hacker. If you wanted to guess a password, you wouldn't start with "hj&*HUI23YEW(". You would try "QWERTY", "password", "bigguy", or "123456" first, and then the names and dates the target has posted online.
Hackers likewise start with the easiest route, and that means taking advantage of some people's naivety about IT security. Phishing is one of the easiest ways to obtain login credentials. It is also one of the risks that is cheapest to reduce, because training and a few simple checks go a long way. How would your employees deal with a phishing attack?
That is something best not left to chance!
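The two cheap guesses described above, the common-password list and the details an over-sharer posts publicly, can be checked for in code. The following is an added example, not from the original article: it takes a candidate password and a constructed public profile and reports which cheap guess would have found it. The common-password list is a tiny constructed stand-in for the real published lists, and the leetspeak table is an assumption about typical substitutions.

```python
"""Does a password fall to the cheap guesses an attacker tries first?

Added example (not from the original article). The common-password list is a
tiny constructed stand-in for the real published lists, and the profile is an
invented over-sharer's public social media details.
"""
import re

COMMON_PASSWORDS = {"123456", "password", "qwerty", "bigguy", "letmein",
                    "welcome", "abc123", "iloveyou", "admin"}

# Constructed profile: the kind of detail people post publicly.
PUBLIC_PROFILE = {
    "name": "Jane Doe",
    "born": 1978,
    "pet": "Fluffy",
    "partner": "Mark",
    "kids": "Liam, Olivia",
    "team": "Eagles",
}

# Substitutions people use to "strengthen" a word without really changing it.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"})


def normalize(password):
    """Strip the usual mangling (trailing digits/symbols, case, leetspeak) so
    'Fluffy2019!' comes back as 'fluffy' and 'P@ssw0rd' as 'password'."""
    base = re.sub(r"[^A-Za-z]+$", "", password)   # drop a trailing "2019!"
    return base.lower().translate(LEET)


def profile_tokens(profile):
    """Words and four-digit years an attacker can harvest from a public profile."""
    tokens = set()
    for value in profile.values():
        for word in re.findall(r"[A-Za-z]{3,}|\d{4}", str(value)):
            tokens.add(word.lower())
    return tokens


def guessability(password, profile, common=COMMON_PASSWORDS):
    """Return why an attacker would guess this password, or None if none of
    the cheap guesses (common list, profile words, profile years) apply."""
    low = password.lower()
    base = normalize(password)
    if low in common or base in common:
        return "on the common-password list"
    tokens = profile_tokens(profile)
    if base and base in tokens:
        return f"built on public profile word '{base}'"
    for token in sorted(tokens):
        # Three-letter tokens ("doe") would match by accident; years always count.
        if (len(token) >= 4 or token.isdigit()) and token in low:
            return f"contains public profile detail '{token}'"
    return None


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "Fluffy2019!", "GoEagles78",
                      "Jane1978", "hj&*HUI23YEW("):
        print(f"{candidate!r}: {guessability(candidate, PUBLIC_PROFILE)}")
```

Only the random string survives; every password built on a dictionary word or a profile detail, however it is mangled with digits and symbols, is caught by a check that takes milliseconds, which is exactly why an attacker runs it first.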
- Send out a regular newsletter explaining the common social engineering and phishing techniques hackers use
- Show employees how to identify a phishing email: a sender address that does not match the display name or the company's domain, a Reply-To that goes somewhere else, a link whose visible text does not match its real destination, and pressure to act immediately
- Conduct regular phishing email tests. The more practice staff members have at identifying simulated phishing emails, the better they become at spotting a scam, so when a real phishing email arrives they are more likely to identify it before any damage is done.
- If new IT security policies are introduced, explain them to employees in person. This helps ensure they are read and understood, and makes their importance clear.
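The signs employees are taught to look for can also be checked mechanically from a message's raw source, which is useful both for building training material and for triaging reports. The script below is an added example, not code from the original article: it inspects a constructed phishing message and a constructed legitimate one and lists the red flags it finds. The organisation's domain (example.com), the urgency word list, and the two messages are all assumptions for the illustration.

```python
"""Spot the tell-tale signs of a phishing email from its raw source.

Added example (not from the original article). The two messages below are
constructed; example.com stands in for the organisation's real domain and
198.51.100.23 is a documentation-range address.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"   # assumed legitimate corporate domain
ORG_NAME = "example"         # brand word a lookalike domain would reuse
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "expires")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed credential-phishing message.
PHISH = """\
From: "Example IT Helpdesk" <helpdesk@example-it-support.com>
Reply-To: recovery@mail-verify.example.net
To: jane.doe@example.com
Subject: URGENT: your mailbox will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Verify your account now:</p>
<p><a href="http://198.51.100.23/owa/login">https://mail.example.com/owa</a></p>
</body></html>
"""

# Constructed legitimate internal message for comparison.
LEGIT = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: jane.doe@example.com
Subject: Monthly IT newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>This month's tips are on the
<a href="https://intranet.example.com/news">intranet news page</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_internal(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def phishing_indicators(raw_message):
    """Return a list of human-readable red flags found in the message."""
    msg = message_from_string(raw_message, policy=default)
    flags = []
    display_name, sender = parseaddr(str(msg["From"]))
    sender_domain = domain_of(sender)
    if not is_internal(sender_domain):
        flags.append(f"sender is external: {sender}")
        if ORG_NAME in sender_domain or ORG_NAME in display_name.lower():
            flags.append("external sender borrows the company name (lookalike)")
    if msg["Reply-To"]:
        reply_to = parseaddr(str(msg["Reply-To"]))[1]
        if domain_of(reply_to) != sender_domain:
            flags.append(f"replies are diverted to {reply_to}")
    subject = str(msg["Subject"]).lower()
    if any(word in subject for word in URGENCY_WORDS):
        flags.append("subject applies time pressure")
    collector = LinkCollector()
    collector.feed(msg.get_content())
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        if IP_RE.match(target):
            flags.append(f"link points at a bare IP address: {target}")
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        # Only compare when the visible text itself looks like a URL.
        if "." in text and " " not in text and shown != target:
            flags.append(f"link text shows {shown} but goes to {target}")
    return flags


if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH))
    print("legit:", phishing_indicators(LEGIT))
```

The phishing sample trips six separate checks while the newsletter trips none. Each check corresponds to one thing a user can verify by hovering over a link or expanding the sender details, which is the habit the training is meant to build.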
What happens when an attack does occur and a system is compromised?
You will no doubt spend an extraordinary amount of time putting defenses in place to repel an attack, but what happens if an attack is successful? Have you put controls in place that limit the damage, or will an attacker be able to move freely from one device to another once the perimeter is breached?
Switch and router manufacturers publish hardening guides and lockdown scripts. Unneeded interfaces and services can be disabled, management access can be restricted to known addresses, and traffic can be filtered by source address so that, for example, packets arriving on the Internet-facing interface with private (RFC 1918) source addresses are dropped. Have you done this? A hacker would check!
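Those lockdown items can be audited from a saved configuration rather than trusted to memory. The script below is an added example, not from the original article or any vendor's script: it parses two constructed configuration fragments written in Cisco IOS syntax, one before and one after lockdown, and lists the gaps an attacker would look for (unneeded services, enabled-but-unconfigured ports, no anti-spoofing filter on the Internet-facing interface, Telnet or unrestricted management on the vty lines). The required and forbidden command lists are assumptions drawn from common hardening guides, not a complete baseline.

```python
"""Audit a router/switch config for the lockdown items an attacker checks.

Added example (not from the original article or any vendor script). The two
configurations are constructed fragments in Cisco IOS syntax; the required
and forbidden command lists are assumptions based on common hardening guides.
"""

# Constructed config with the mistakes an attacker hopes to find.
WEAK_CONFIG = """\
ip http server
!
ip access-list extended OUTSIDE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp any host 203.0.113.10 eq 443
!
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/2
!
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
!
"""

# The same device after lockdown.
HARDENED_CONFIG = """\
no ip http server
no cdp run
no ip source-route
!
ip access-list extended OUTSIDE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp any host 203.0.113.10 eq 443
!
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
!
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/2
 shutdown
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 exec-timeout 5 0
!
"""

PRIVATE_NETS = ("10.0.0.0", "172.16.0.0", "192.168.0.0")   # RFC 1918
REQUIRED_GLOBAL = ("no ip http server", "no cdp run", "no ip source-route")
FORBIDDEN_GLOBAL = ("ip http server", "ip finger", "service tcp-small-servers")


def parse_config(text):
    """Split IOS config text into top-level lines and indented blocks."""
    top, blocks, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit(text):
    """Return the lockdown gaps an attacker would look for."""
    top, blocks = parse_config(text)
    gaps = [f"missing: {c}" for c in REQUIRED_GLOBAL if c not in top]
    gaps += [f"unneeded service enabled: {c}" for c in FORBIDDEN_GLOBAL if c in top]
    acls = {h.split()[-1]: body for h, body in blocks.items() if h.startswith("ip access-list")}
    for header, body in blocks.items():
        if header.startswith("interface ") and "shutdown" not in body:
            name = header.split(" ", 1)[1]
            if not any(l.startswith(("ip address", "switchport")) for l in body):
                gaps.append(f"{name}: enabled but unconfigured, should be shut down")
            desc = next((l for l in body if l.startswith("description")), "").lower()
            if "internet" in desc or "uplink" in desc:   # assumed naming convention
                acl = next((l.split()[2] for l in body
                            if l.startswith("ip access-group") and l.endswith(" in")), None)
                if acl is None:
                    gaps.append(f"{name}: no inbound ACL on the external interface")
                else:
                    rules = "\n".join(acls.get(acl, []))
                    gaps += [f"{name}: ACL {acl} lets spoofed {net} sources in"
                             for net in PRIVATE_NETS if f"deny ip {net} " not in rules]
        elif header.startswith("line vty"):
            if "transport input ssh" not in body:
                gaps.append(f"{header}: management is not SSH-only")
            if not any(l.startswith("access-class") for l in body):
                gaps.append(f"{header}: no access-class limiting management sources")
            if any(l.startswith("exec-timeout 0 ") or l == "exec-timeout 0" for l in body):
                gaps.append(f"{header}: idle timeout disabled")
    return gaps


if __name__ == "__main__":
    for gap in audit(WEAK_CONFIG):
        print("WEAK:", gap)
    print("HARDENED:", audit(HARDENED_CONFIG) or "no gaps")
```

The weak configuration produces nine findings, including the missing 172.16.0.0/12 entry in the anti-spoofing ACL that is easy to overlook when only the first and last private ranges are remembered; the hardened one produces none. In practice the same audit is run against the output of a real show running-config, and the vendor's own hardening guide decides what goes in the required and forbidden lists.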
Learn how to think like a hacker and you will be able to make your network more secure
There is a very good reason why organizations spend big bucks on white hat hackers and get them to attempt to break through defenses and find the weak points in systems. If you learn how to think like a hacker you will be helping your organization enormously.
Start thinking like a hacker and view every node and end user as a potential entry point into your network, and it will make it easier for you to design network defenses and keep your equipment and data well secured.