Many think that the best penetration testers are security consultants who were black hats in the past. But the hacker mindset can be cultivated by anyone. First, take a step back and look at your network as a whole; approach it as an outsider would. The TV show Scorpion introduces us to Walter, who was arrested as a child for hacking into government computers. But he’s not a villain — not by a long shot. The government now uses Walter’s hacker mindset for good. On TV and in real life, to stop a hacker it pays to think like a hacker.

What are your attack surfaces?

In other words, what public face does your network show? Hackers gather info from various sources to piece together a view of your network. A little data here, a little data there, and it all adds up to real information that can be used to attack you.
Let’s say you have an interview with XYZ Corporation for a six-figure job. What sources of information would you use? I’d guess you’d explore the following:

Web-based information

  • The corporate website
  • Information gathered from using a search engine
  • Social media

People-based information

Email or call someone you know who works for the company. Ask friends, neighbours, and relatives what they know about the organization. Hackers approach a network in exactly the same way. This means you need to consider the following:

  • What can outsiders find out about your network simply by performing a whois or other simple command? You might be surprised.
  • Limiting your public footprint is the simplest way to reduce your attack surface.
  • What network information does your corporate website reveal?
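The first bullet above can be turned into a routine check. The script below is an added example, not code from the original article: it takes the text a `whois` lookup returns for your own domain and reports which contact fields still name a person, a mailbox or a phone number, so you can decide what to move behind the registrar's privacy service. The WHOIS record embedded here is constructed for illustration; real registrars vary the field names, so the role and field lists are assumptions to adjust.

```python
"""Flag personal contact details exposed in a domain's WHOIS record.

Added example (not from the original article). Paste the output of
`whois yourdomain.example` into audit_whois() to audit a real record.
"""
import re

# Constructed WHOIS output in the common "Key: Value" layout.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar Inc.
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Street: 12 Sample Street
Registrant Email: jane.doe@example-corp.test
Registrant Phone: +1.5555550100
Admin Name: John Roe
Admin Email: john.roe@example-corp.test
Tech Email: REDACTED FOR PRIVACY
"""

# Assumed field layout: "<Role> <Field>" keys, where these fields identify a person.
PERSONAL_FIELDS = ("Name", "Street", "Email", "Phone")
CONTACT_ROLES = ("Registrant", "Admin", "Tech", "Billing")
# Placeholder wording registrars use once privacy protection is switched on.
REDACTED_MARKERS = ("REDACTED", "PRIVACY", "WITHHELD")


def parse_whois(text):
    """Split 'Key: Value' lines into (key, value) pairs, keeping repeated keys."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def is_redacted(value):
    """True when the registrar has already masked the value."""
    upper = value.upper()
    return any(marker in upper for marker in REDACTED_MARKERS)


def audit_whois(text):
    """Return the contact fields that still expose a named person, mailbox or phone."""
    findings = []
    for key, value in parse_whois(text):
        role_match = any(key.startswith(role) for role in CONTACT_ROLES)
        field_match = any(key.endswith(field) for field in PERSONAL_FIELDS)
        if role_match and field_match and value and not is_redacted(value):
            findings.append((key, value))
    return findings


def exposed_emails(text):
    """Every mailbox visible in the record; each is a ready-made target for a phishing mail."""
    return sorted(set(re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", text)))


if __name__ == "__main__":
    for key, value in audit_whois(SAMPLE_WHOIS):
        print(f"exposed: {key} = {value}")
    print("mailboxes visible to anyone:", exposed_emails(SAMPLE_WHOIS))
```

Run it against the record for each domain you own; anything it lists is information an outsider gets for free, and most registrars will mask it on request.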

Let’s say that you have a webpage boasting of your “state-of-the-art XYZ 250 servers with Socrates Super software.” A hacker can search the web for exploits pertaining to that specific software and hardware. And exploits are out there — many for free and even more for a price. Applying all updates to your software and firmware decreases your attack surface, but it doesn’t eliminate it. A Windows vulnerability has been in the news lately that makes credentials retrievable by attackers. And how long ago was this vulnerability first reported? In 1997!

Perform a simple search on your company’s name periodically to see what turns up. Then use Google hacking tools to find what sensitive data might be publicly available for all to see. This will show you a plethora of documents that the web crawler is indexing.

Be on the lookout for information about your organization on social media. It isn’t uncommon for employees to innocently divulge information that could lead to network break-ins. Suppose an employee maintains a Facebook page with the names of their spouse, children, and pets, along with a mountain of likes and dislikes. Left to their own devices, most people use such things to construct their online usernames and passwords, making the account vulnerable to a brute-force attack. Your organization’s security policy can help protect against this by requiring passwords to be changed on a regular basis and prescribing password complexity and/or length.
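A length-and-complexity rule on its own does not catch “Sophie1984!”, which is exactly the kind of password the paragraph above describes. The check below is an added example, not code from the original article: it enforces a minimum length and character mix, and additionally rejects any password that contains a detail from the employee's public profile, after undoing the usual letter-for-digit swaps. The profile dictionary and the 12-character minimum are constructed assumptions; in practice the tokens would come from whatever the user has already chosen to publish.

```python
"""Reject passwords built from publicly posted personal details.

Added example (not from the original article). PUBLIC_PROFILE is constructed
to mirror the Facebook page the article describes.
"""
import re

# Constructed: details an employee might post on a public profile.
PUBLIC_PROFILE = {
    "spouse": "Maria",
    "children": ["Liam", "Sophie"],
    "pets": ["Rex"],
    "likes": ["Arsenal", "Star Wars"],
    "birth_year": "1984",
}

MIN_LENGTH = 12          # assumed policy value
MIN_CHAR_CLASSES = 3     # of: lowercase, uppercase, digit, other

# Common substitutions people use to "disguise" a word (s0ph1e, Ars3nal, ...).
LEET_TABLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def profile_tokens(profile):
    """Flatten the profile into lowercase words of three or more characters."""
    tokens = set()
    for value in profile.values():
        items = value if isinstance(value, list) else [value]
        for item in items:
            for word in re.findall(r"[A-Za-z0-9]+", str(item)):
                if len(word) >= 3:
                    tokens.add(word.lower())
    return tokens


def normalize(password):
    """Lowercase and undo letter-for-digit substitutions before matching."""
    return password.lower().translate(LEET_TABLE)


def check_password(password, profile):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(re.search(pattern, password) is not None
                  for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    # Match both the raw lowercase form (for numeric tokens like a birth year)
    # and the de-leeted form (for disguised names).
    lowered, normalized = password.lower(), normalize(password)
    for token in sorted(profile_tokens(profile)):
        if token in lowered or token in normalized:
            problems.append(f"contains public detail '{token}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Sophie1984!", "R3x-and-Ars3nal#77", "correct-horse-battery-Staple9"):
        verdict = check_password(candidate, PUBLIC_PROFILE) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The substring match is deliberately blunt (it will also flag “William” for a child named Liam); for a password policy that bias is the right one, since the cost of a false reject is one more attempt by the user.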

Hackers use email phishing techniques as well and have been known to avail themselves of Facebook and LinkedIn information to create targeted phishing attacks. Keep your ear to the ground by asking users what types of email they receive. Often users aren’t aware they’ve been phished.
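Asking users what they receive works better when the help desk has a quick way to show them why a message is suspicious. The following is an added example, not code from the original article: it parses a raw message with Python's standard `email` module and lists the tells that targeted phishing mails tend to share: a sender domain that merely imitates the company's, a Reply-To pointing elsewhere, link text that shows one address while the href goes to another, and urgency wording. Both messages and the `ORG_DOMAIN` value are constructed for illustration.

```python
"""List common phishing indicators in a raw e-mail so a reported message can be triaged.

Added example (not from the original article). ORG_DOMAIN and both messages are
constructed; point ORG_DOMAIN at your own mail domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

ORG_DOMAIN = "example-corp.test"   # assumed: the defender's own mail domain

# Constructed: spoofs an executive and hides a look-alike link behind familiar text.
SUSPICIOUS_MESSAGE = """\
From: "Pat Smith (CEO)" <pat.smith@example-corp.test.mail-relay.example>
Reply-To: urgent-payroll@mail-relay.example
To: staff@example-corp.test
Subject: Action required: payroll update
Content-Type: text/html

<html><body>
<p>Please confirm your details at
<a href="http://example-corp-login.example/verify">https://portal.example-corp.test</a>
before 5pm today.</p>
</body></html>
"""

# Constructed: an ordinary internal notice, for contrast.
CLEAN_MESSAGE = """\
From: IT Helpdesk <it-helpdesk@example-corp.test>
To: staff@example-corp.test
Subject: Quarterly security briefing on Thursday
Content-Type: text/html

<html><body>
<p>Slides: <a href="https://intranet.example-corp.test/slides">https://intranet.example-corp.test/slides</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address_or_url):
    """Host part of an e-mail address or URL, lowercased ('' if neither)."""
    m = re.search(r"@([\w.-]+)|//([\w.-]+)", address_or_url)
    return ((m.group(1) or m.group(2)) if m else "").lower()


def phishing_indicators(raw):
    """Return human-readable indicators found in one raw message."""
    msg = message_from_string(raw)
    found = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if from_domain != ORG_DOMAIN and ORG_DOMAIN in from_domain:
        found.append(f"sender domain {from_domain} imitates {ORG_DOMAIN}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        found.append(f"replies routed to {domain_of(reply_addr)}, not to the sender's domain")
    body = msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = domain_of(text)
        if shown and shown != domain_of(href):
            found.append(f"link text shows {shown} but points to {domain_of(href)}")
    if re.search(r"\b(urgent|action required|before .*today)\b",
                 (msg.get("Subject", "") + " " + body).lower()):
        found.append("urgency language")
    return found


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "->", phishing_indicators(raw) or ["no indicators"])
```

None of these checks is proof on its own, which is why the function returns the full list rather than a verdict: a message that trips several of them is the one worth walking the user through.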

Policy, procedure, and involving people

Email phishing is an example of social engineering, which can be used both for reconnaissance, to find out as much about the target organization as possible, and for the attack itself. The most successful attackers use social engineering techniques to make network penetration easier. An exquisite account of the variety of social engineering attacks is provided by “The Art of Deception: Controlling the Human Element of Security” by Kevin D. Mitnick, William L. Simon, and Steve Wozniak.

Leveraging management buy-in for IT security

If your organization has a set of policies and procedures for IT services, you are lucky (although you may not always think so). Just the fact that policies exist proves that management buy-in has occurred at some time. It is a good idea to leverage that management blessing of IT security!

Here are a couple of ideas:

  • Disseminate a newsletter periodically that describes social engineering attacks, what a phishing email looks like, etc.
  • Include an article on some new tech gadget that grabs users’ attention so they’ll actually read the newsletter.
  • Make sure new employees are introduced to the policies and procedures personally.
  • If you’re in a large organization, schedule a meeting about once a quarter for a slide show and Q&A period. Include information users can apply even outside of the office for their own personal computer security and they’ll pay more attention.
  • Remember: whenever a user complains about the rules, at least they’re not complaining about you.

Once an attacker gets hold…

This is where defense in depth comes in. Secure each device so that the attacker cannot hop from one device to another with utter abandon. Router and switch manufacturers often have canned scripts for lockdown. These disable unneeded services, restrict private and public addresses, and shut down unneeded interfaces.
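The canned lockdown scripts mentioned above are easiest to trust when you can verify the result. The script below is an added example, not code from the original article and not any vendor's lockdown script: it reads a running configuration in Cisco IOS-like syntax and reports the three things the paragraph names, services still enabled, interfaces left up with nothing configured on them, and, as one extra item, cleartext management access. The sample configuration is constructed; the service list and the “unused interface” heuristic are assumptions to adapt to your platform.

```python
"""Audit a router/switch configuration for lockdown items left undone.

Added example (not from the original article, not a vendor script). The config
is constructed in Cisco IOS-like syntax; UNNEEDED_SERVICES and the unused-interface
heuristic are assumptions.
"""
import re

SAMPLE_CONFIG = """\
hostname edge-rtr1
service password-encryption
ip http server
no ip http secure-server
ip source-route
!
interface GigabitEthernet0/0
 description Uplink to ISP
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
 shutdown
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# Assumed list of services to disable on an edge device, with the disabling command.
UNNEEDED_SERVICES = {
    "ip http server": "no ip http server",
    "ip source-route": "no ip source-route",
    "service finger": "no service finger",
    "cdp run": "no cdp run",   # assumed on by default, so absence of the fix counts
}
# Telnet on management lines carries credentials in the clear.
INSECURE_LINE_INPUT = re.compile(r"^\s*transport input .*\btelnet\b")


def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a non-interface section ends the block
    return interfaces


def audit_config(config):
    """Return (finding, suggested fix) pairs for the lockdown gaps found."""
    findings = []
    lines = {line.strip() for line in config.splitlines()}
    for service, fix in UNNEEDED_SERVICES.items():
        default_on_and_not_disabled = service == "cdp run" and fix not in lines
        if service in lines or default_on_and_not_disabled:
            findings.append((f"{service} enabled", fix))
    for name, body in parse_interfaces(config).items():
        configured = any(l.startswith(("ip address", "description", "switchport")) for l in body)
        if not configured and "shutdown" not in body:
            findings.append((f"{name} unused but not shut down", f"interface {name}\n shutdown"))
    if any(INSECURE_LINE_INPUT.match(line) for line in config.splitlines()):
        findings.append(("telnet accepted on vty lines", "transport input ssh"))
    return findings


if __name__ == "__main__":
    for finding, fix in audit_config(SAMPLE_CONFIG):
        print(f"{finding:45} fix: {fix.replace(chr(10), ' / ')}")
```

Each finding carries the command that closes it, so the output doubles as the change list for the next maintenance window, and re-running the audit afterwards confirms the lockdown actually took.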

Think Like a Bad Guy but Act Like a Good Guy to Win

  • In some industries, companies pay hackers to look for and find security weaknesses. However, most companies are understandably reluctant to open their doors to hackers. Instead, why not attempt to think like a hacker and design the most secure network you possibly can?
  • Changing your worldview can be a real asset when it comes to securing your network.
  • Consider the people in your organization as part of your network and guard against social engineering attacks.
  • Approach each network node as an opportunity for an intruder to penetrate your defenses.
  • When you think like a hacker, your organization will be more secure — and you might even enjoy your job more than ever.

TitanHQ solutions protect your email and web end users from malware and ransomware, email phishing, spoofing and malicious websites. View a product demo today to see how TitanHQ can protect your organisation from cyberattacks.
