The CBS television show Scorpion introduces us to Walter, who was arrested as a child for hacking into government computers. He is the villain in the series, right? No, not by a long shot. The government now uses Walter’s hacker mindset for good.
To catch a hacker, it pays to think like a hacker. Many think that the best pen testers (penetration testers) are security consultants who were black hats in the past. But the hacker mindset can be cultivated by anyone. As well as using technology to toughen your organization's defensive posture, take a step back and look at your network as a whole.
What are your attack surfaces? In other words, what public face does your network show? Hackers gather information from lots of different sources and then create an overall view of your network. A little data here, a little data there, and it all adds up to real information that can be used to attack you.
Let’s say you have an interview with XYZ Corporation for a 6-figure job. What sources of information would you use? I would guess you’d explore all of the following:
Hackers approach your network in exactly the same way. This means that you need to consider the following:
Email phishing is an example of social engineering, which can be used for reconnaissance (finding out as much about the target organization as possible) as well as the attack itself. The most successful attackers use social engineering techniques to make network penetration easier. An exquisite account of the variety of social engineering attacks is provided by The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick, William L. Simon, and Steve Wozniak.
If your organization has a set of policies and procedures for IT services, you are lucky (although you may not always think so). Just the fact that policies exist proves that management buy-in has occurred at some time. It is a good idea to leverage that management blessing of IT security! Here are some ideas:
Remember that whenever a user complains about the rules, at least they are not complaining about you.
This is where defense in depth comes in. Secure each device so that the attacker cannot hop from one device to another with utter abandon. Router and switch manufacturers often have canned scripts for lockdown. These disable unneeded services, restrict private and public addresses, and shut down unneeded interfaces. (More on this in another article.)
In some industries, companies pay hackers to look for and find security weaknesses. However, most companies are understandably reluctant to open their doors to hackers. Instead, why not attempt to think like a hacker and design the most secure network you possibly can?
Changing your worldview can be a real asset when it comes to securing your network. Consider the people in your organization as part of your network and guard against social engineering attacks. Approach each network node as an opportunity for an intruder to penetrate your defenses. When you think like a hacker, your organization will be more secure, and you might even enjoy your job more than ever.