Many think that the best penetration testers are security consultants who were black hats in the past. But the hacker mindset can be cultivated by anyone. First, just take a step back and look at your network as a whole; approach your network as an outsider would. The TV show Scorpion introduces us to Walter, who was arrested as a child for hacking into government computers. But he’s not a villain — not by a long shot. The government now uses Walter’s hacker mindset for good. On TV and in real life, to stop a hacker it pays to think like a hacker.
In other words, what public face does your network show? Hackers gather information from various sources to piece together a view of your network. A little data here, a little data there, and it all adds up to real information that can be used to attack you.
Let’s say you have an interview with XYZ Corporation for a six-figure job. What sources of information would you use? I’d guess you’d explore the following:
Email or call someone you know who works for the company. Ask friends, neighbours, and relatives what they know about the organization. Hackers approach a network in exactly the same way. This means you need to consider
Let’s say that you have a webpage boasting of your “state-of-the-art XYZ 250 servers with Socrates Super software.” A hacker can search the web for exploits pertaining to that specific software and hardware. And exploits are out there — many for free and even more for a price. Applying all updates to your software and firmware reduces your attack surface, but it doesn’t eliminate it. A Windows vulnerability that makes credentials retrievable by attackers has been in the news lately. And how long ago was this vulnerability first reported? In 1997!
Perform a simple search on your company’s name periodically to see what turns up. Then use Google hacking tools to find what sensitive data might be publicly available for all to see. This will show you a plethora of documents that the web crawler is indexing.
Be on the lookout for information about your organization on social media. It isn’t uncommon for employees to innocently divulge information that could lead to network break-ins. Suppose an employee maintains a Facebook page with the names of their spouse, children, and pets, along with a mountain of likes and dislikes. Left to their own devices, most people use such things to construct their online usernames and passwords, making the account vulnerable to a brute-force attack. Your organization’s security policy can help protect against this by requiring passwords to be changed on a regular basis and prescribing password complexity and/or length.
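The policy point above can be made concrete at password-set time. The checker below is an added example, not code from the original post: it enforces length and complexity and also rejects passwords built from names an attacker could harvest from a public profile. The profile words and passwords are constructed samples, and the leet-speak substitution table is an assumption about common habits.

```python
import re

# Constructed sample profile: the kind of names an attacker could read off a public social media page.
PROFILE_WORDS = {"spouse": "Jennifer", "child": "Mason", "pet": "Biscuit", "team": "Packers"}

# Assumed common substitutions people use to "disguise" a name (e.g. B1scu1t).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_forms(password):
    """Return the forms a guessing attack would also try: lowercased, leet-undone, letters only."""
    lowered = password.lower()
    unleeted = lowered.translate(LEET)
    return {lowered, unleeted, re.sub(r"[^a-z]", "", unleeted)}


def check_password(password, personal_words, min_length=12, long_length=20):
    """Return a list of policy violations; an empty list means the password is acceptable.

    Complexity (3 of 4 character classes) is waived for long passphrases, matching a
    'complexity and/or length' policy.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(pat, password)) for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if len(password) < long_length and classes < 3:
        problems.append("fewer than 3 character classes")
    forms = candidate_forms(password)
    for label, word in personal_words.items():
        w = word.lower()
        # Ignore very short words to avoid false positives on ordinary letter sequences.
        if len(w) >= 4 and any(w in form for form in forms):
            problems.append(f"contains publicly known {label} name '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("B1scu1t2019!", "Mason!", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate, PROFILE_WORDS) or "OK")
```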
Hackers use email phishing techniques as well and have been known to avail themselves of Facebook and LinkedIn information to create targeted phishing attacks. Keep your ear to the ground by asking users what types of email they receive. Often users aren’t aware they’ve been phished.
Email phishing is an example of social engineering, which can be used both for recon, to find out as much about the target organization as possible, and for the attack itself. The most successful attackers use social engineering techniques to make network penetration easier. An exquisite account of the variety of social engineering attacks is provided by “The Art of Deception: Controlling the Human Element of Security” by Kevin D. Mitnick, William L. Simon, and Steve Wozniak.
Leveraging management buy-in for IT security

If your organization has a set of policies and procedures for IT services, you are lucky (although you may not always think so). Just the fact that policies exist proves that management buy-in has occurred at some time. It is a good idea to leverage that management blessing of IT security!
Here are a couple of ideas:
This is where defense in depth comes in. Secure each device so that the attacker cannot hop from one device to another with utter abandon. Router and switch manufacturers often have canned scripts for lockdown. These disable unneeded services, restrict private and public addresses, and shut down unneeded interfaces.
Got tips on how to think like a hacker or stories of times where looking at your network from the outside in helped save your bacon?
Email us at firstname.lastname@example.org