How to think like a hacker


Last Update: 1/26/2019: I've recently become a pentester, so some would call me an ethical hacker, even though I don't like the term. Read more about it here.

I'm a hacker sitting in a dark cyberpunk room looking for gullible guys like you.

You hear about a security breach and you blame it on hackers.

Whose fault is it if your password is 123456? Whose fault is it if you are so lazy when it comes to protecting your money and your information?

The truth is you bring this upon yourself. I worked hard to learn all I needed to know, sacrificed hours, days and years of my life to learn how to use my full power.
 
Yes, I'm a criminal mind, but you may be an unknowing accomplice when you're careless and think breaches can never happen to you. Well, I've got news for you.

The fact you've never been attacked doesn't necessarily imply you'll never be in the future.

Well, today's your lucky day because I'm an ethical (or white hat, if you like) hacker. What? You thought all hackers were bad, didn't you?

You probably don't know that most of the software you use, and the Internet itself, was created by ethical hackers.

We're weird guys who try to understand how a bad guy could compromise your system. We patch all the holes we find before they can be used against you.

You will probably need to hire someone like me one of these days. Do you think that's a waste of money? Do you know how much money Sony lost as a consequence of its latest security breach?

Billions of dollars. The harm caused to the company image and the customers' trust goes beyond any possible economic assessment, though, because it's going to last for years.

Do I have your attention now?

If you want to secure your network and your system, you need to think like a bad guy and know how (black hat) hackers work.


Analyze your network

The first stage of an attack is called reconnaissance. The hacker tries to gather information about your company and your network that could help them get into the system.

Try to hack yourself: see what responses you get and which services you can reach from outside your network. You may be surprised by what you find.

Google yourself to make sure no confidential information is available to the general public and, if you find something out there that shouldn't be for all to see, take it down immediately for good.

Some Google search tricks can lead an attacker to restricted databases and documents if the system administrator hasn't protected them correctly and has left the default security settings in place.

For more information about it, you can visit Google Dorks. If you find anything confidential after this search, take the necessary actions immediately.


Another dangerous type of attack is social engineering. In this case attackers rely on psychological manipulation techniques rather than on technical skills. They try to trick authorized users into revealing their access credentials in several ways (by pretending to be a customer who has forgotten or lost the username and password needed to access their account, or a help desk technician who is updating or verifying the company's systems and asks the user for their credentials in order to install software, etc.). These are only a few examples, but these guys are pretty ingenious.

How can you prevent this risk? I know, the standard response is to train your employees on the company's policies and tell them they must not reveal this type of information to anyone, unless A, B or C happens, and blah blah blah.

13 pages of a Word document, surely important, which your employees will forget as soon as they leave the room.

The best way to understand where you stand from a security standpoint is to attack your own call center using these techniques. You'll probably be shocked by the results.

I know, you thought a 13-page Word document and a training session would give you peace of mind, but companies are made up of people, and in information security people are the weakest link.

A document is a waste of time if the people in your company don't fully understand why you're doing this, why it matters and what consequences can hit them directly. It only works if they buy into it, because in the first place it means defending their own jobs.

The main point here isn't to learn a document by heart but to make sure the company can stay in business, since the most harmful breaches have led some organizations to close for good.

A good way to avoid giving away too much information about your network is to block probes like ping or traceroute coming from outside the network. This measure is commonly implemented by several major corporations.

Intelligence on the network can also be gathered by using public registries and whois or lookup services.

An alternative on UNIX/Linux systems is to run the nslookup command from the Terminal (on Windows, from the Command Prompt). UNIX/Linux systems also support the whois command.

Close the holes

Don't leave any unused ports or services open. It would be like protecting your front door with armed guards while leaving the back door(s) open.

Any unused service or port can be used to gain access to the system, so disable them right away.

Implement strong passwords, but don't exaggerate. The best option is to implement single sign-on solutions or, for more critical systems, one-time passwords or a combination of biometrics and password authentication. Forcing users to remember 30 different passwords will cause them to write them down on a sticky note left on their desk, for everyone to see (yeah, I've seen this, too).
Password managers can solve this problem both securely and cost-effectively.
There are several products around you could consider. I won't endorse any specific product, but I have personally used LastPass and KeePass, and I think I haven't manually entered a password, or been locked out of an account, in years.

Many organizations use password rotation, which is a very controversial measure. The problem this method tries to address is the possibility of an attacker reusing an old password captured during the reconnaissance stage, or of terminated employees reusing their credentials. Sadly, this method may create more problems than it solves. If passwords aren't robust, changing them periodically might weaken security instead of hardening it.

Many professionals believe this is a bad practice that shouldn't be adopted at all.

SQL injection is an often overlooked attack which, although quite old, still succeeds because of sloppy security settings.
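As an added example (not code from the original post), the typical mistake behind SQL injection next to its fix: a login lookup built by string concatenation and the same lookup as a parameterised query, run against a constructed in-memory SQLite table with two made-up users.

```python
import sqlite3


def build_db():
    # Constructed sample data; passwords are stored in clear only to keep
    # the demo short (a real system stores salted hashes).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "123456", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # The statement is assembled from user input, so the input becomes SQL:
    # a quote in the username changes the structure of the WHERE clause.
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so input is always treated as data, never as statement syntax.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = build_db()
    probe = "' OR '1'='1"  # classic tautology string used here as a test input
    return {
        "vulnerable": sorted(login_vulnerable(conn, probe, probe)),
        "safe": login_safe(conn, probe, probe),
        "legit": login_safe(conn, "bob", "123456"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same probe returns every user from the concatenated query and no rows at all from the parameterised one, while a genuine login still works.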

To minimize the risk of breaches, your company must stay on top of state-of-the-art technology and security practices for as long as possible. For each dollar spent on IT security, the bad guys spend one dollar trying to develop exploits.
Don't rely too much on automated solutions.

If your company has internal developers, they should write code with security in mind, in order to minimize the risk of zero-day vulnerabilities.


Attackers, for their part, analyze the software and its related documentation, looking for potential vulnerabilities and weaknesses the developers overlooked.

Once they find one, they develop a proof of concept that can be used to exploit the vulnerability and gain access to, or harm, the system.
On the other hand, an automated solution such as an IDS/IPS spits out useful data, but you need the right people to make sense of it: professionals who can analyze logs and highlight attack patterns.

Automated solutions can give a false sense of security that can be dangerous.

Information Security is a mindset, not a product, even though it relies on tools.

Information security professionals must reason like an attacker would and analyze the software for potential vulnerabilities. Having an IDS or IPS installed is important, but it becomes much less helpful if an attacker finds a way to hide or obfuscate their activity.

The biggest problem with security software is the possibility of false positives. A skilled hacker could find a way to disguise their attack as normal network activity, or as something different from what it really is.
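An added example, not from the original post, of the gap between a raw IDS signature and an analyst reading the logs (the point made above about false positives and about people who can highlight attack patterns): a few constructed access-log lines from two documentation-range addresses, a naive rule that fires on any single indicator, and a per-source correlation that keeps the genuine probing pattern while ignoring a legitimate search for the surname O'Brien.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, unquote_plus

# Constructed sample access-log lines (combined log style); not real traffic.
LOG_LINES = """\
203.0.113.7 - - [26/Jan/2019:10:01:02 +0000] "GET /search?q=winter+boots HTTP/1.1" 200 512
203.0.113.7 - - [26/Jan/2019:10:01:09 +0000] "GET /search?q=O%27Brien+select+titles HTTP/1.1" 200 498
198.51.100.4 - - [26/Jan/2019:10:02:11 +0000] "GET /item?id=1%27+OR+%271%27%3D%271 HTTP/1.1" 200 9031
198.51.100.4 - - [26/Jan/2019:10:02:12 +0000] "GET /item?id=1+UNION+SELECT+null HTTP/1.1" 500 120
198.51.100.4 - - [26/Jan/2019:10:02:13 +0000] "GET /item?id=1+AND+1%3D2 HTTP/1.1" 200 210
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signature-style indicators. Each alone is weak evidence: a single quote
# also appears in perfectly normal input such as the surname O'Brien.
INDICATORS = {
    "quote": re.compile(r"'"),
    "tautology": re.compile(r"\bOR\b.*=", re.I),
    "union": re.compile(r"\bUNION\b.*\bSELECT\b", re.I),
    "and_cmp": re.compile(r"\bAND\b\s+\d+\s*=", re.I),
}

def parse(line):
    m = LINE_RE.match(line)
    return (m.group(1), m.group(3), int(m.group(4))) if m else None

def indicators_for(path):
    """Names of the indicators matched by the URL-decoded query string."""
    query = unquote_plus(urlparse(path).query)
    return {name for name, rx in INDICATORS.items() if rx.search(query)}

def naive_alerts(lines):
    """A loose rule: one alert per line with any indicator hit at all."""
    return [rec[0] for rec in map(parse, lines) if rec and indicators_for(rec[1])]

def per_source_score(lines):
    """Correlate per source address: a lone indicator scores nothing, combined
    indicators score their count, a 5xx after a suspicious request adds two."""
    score = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        ip, path, status = rec
        ind = indicators_for(path)
        if len(ind) > 1:
            score[ip] += len(ind)
        if ind and status >= 500:
            score[ip] += 2
    return dict(score)
```

The naive rule raises four alerts, one of them for the harmless O'Brien search; the correlated view scores only the source that sent three related probes and triggered a server error.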

The best security setup relies on email and web firewalls together with endpoint protection.

However, these solutions must be backed by critical thinking and wide professional experience, which are vital in order to distinguish what seems to be going on from what is actually going on.

Don't overlook disgruntled employees: being inside the security perimeter, they're the most dangerous attackers.

Of course, there's much more to say about this topic, but I think, or at least I hope, you got the picture.

So, from now on, when you hear about a security breach, just start wondering: what did they do wrong? What could have been done to prevent this? What do I learn from this?

Hopefully you won't be the next victim.

If you haven't learned anything from all this, you'll probably need someone like me within the next year or so, so drop me a line.

