How to think like a hacker
Last Update: 4/27/2017
I'm a hacker sitting in a dark cyberpunk room looking for suckers like you.
13 pages of a Word document, surely important, which your employees will forget as soon as they leave the room.
I know, you thought a 13-page Word document and a training session would give you peace of mind, but companies are made up of people, and people are the weakest link in information security.
A document is a waste of time if the people in your company don't fully understand why you're doing this, why it's important and what consequences can directly impact them. They will only take it to heart if they see that following it defends their own jobs in the first place.
There are several products around that you could consider using. I won't endorse any specific product, but I have personally used LastPass and KeePass, and I think I haven't manually entered a password, or gotten locked out of an account, in years.
Many organizations use password rotation, which is a very controversial measure. The problem this method tries to address is the possibility of an attacker reusing an old password captured during the reconnaissance stage, or of terminated employees reusing their credentials. Sadly, this method might create more problems than advantages. If passwords aren't robust, changing them periodically might weaken encryption instead of hardening it.
Many professionals believe this is a bad practice that shouldn't be adopted at all.
If your company has internal developers, they should code with security in mind, in order to minimize the risk of zero-day vulnerabilities.
Remember that attackers analyze the software and its related documentation, looking for potential vulnerabilities and weaknesses overlooked by the developers.
Once they find one, they develop a proof of concept, which can then be used to exploit the vulnerability and gain access to, or harm, a system.
On the other hand, an automated solution, such as an IDS/IPS, spits out useful data, but you need to have the right people to make sense of it: professionals who can analyze logs and highlight attack patterns.
Automated solutions can give a false sense of security that can be dangerous.
Information Security is a mindset, not a product, even though it relies on tools.
However, these solutions must be supported by critical thinking and broad professional experience, which are vital in order to distinguish what seems to be going on from what is actually going on.
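The point about tools needing people to interpret their output, as an added example that is not part of the original post: the constructed alert lines below use a made-up IDS format, and every alert from the scanning host is individually low priority, so only a correlation across alerts reveals the pattern an analyst would flag. The single high-priority alert is included to show that the tool's own ranking is not the same thing as an attack pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IDS alerts in a made-up format (not from any real sensor):
# timestamp, priority (1 = highest), signature name, source and destination.
SAMPLE_ALERTS = """\
2017-04-27T10:00:01 prio=3 sig="TCP SYN to closed port" src=203.0.113.7 dst=10.0.0.5:22
2017-04-27T10:00:02 prio=3 sig="TCP SYN to closed port" src=203.0.113.7 dst=10.0.0.5:23
2017-04-27T10:00:03 prio=3 sig="TCP SYN to closed port" src=203.0.113.7 dst=10.0.0.5:80
2017-04-27T10:00:04 prio=3 sig="TCP SYN to closed port" src=203.0.113.7 dst=10.0.0.5:443
2017-04-27T10:00:05 prio=3 sig="TCP SYN to closed port" src=203.0.113.7 dst=10.0.0.5:3389
2017-04-27T10:00:06 prio=3 sig="TCP SYN to closed port" src=203.0.113.7 dst=10.0.0.5:8080
2017-04-27T10:15:00 prio=1 sig="Possible SQL injection" src=198.51.100.9 dst=10.0.0.8:80
2017-04-27T11:00:00 prio=3 sig="TCP SYN to closed port" src=192.0.2.44 dst=10.0.0.5:22
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) prio=(?P<prio>\d) sig="(?P<sig>[^"]+)" '
    r'src=(?P<src>[\d.]+) dst=(?P<dsthost>[\d.]+):(?P<dport>\d+)$'
)

def parse_alerts(text):
    """Turn raw alert lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["prio"] = int(d["prio"])
            d["dport"] = int(d["dport"])
            alerts.append(d)
    return alerts

def find_scan_patterns(alerts, window=timedelta(minutes=5), min_ports=5):
    """Flag each source that touches at least `min_ports` distinct destination ports
    within `window`. No single alert crosses a threshold; the aggregation does."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    flagged = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            ports = {a["dport"] for a in items[i:] if a["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```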
Don't overlook disgruntled employees because, being inside the security perimeter, they're the most dangerous attackers.