Want to Increase Your Security? Start Thinking Like a Hacker

This post originated on Ivanti
Written by Todd Schell 

Do you ever feel overwhelmed when it comes to updating your software? Not sure where to start and what to do first? Or maybe you’re not sure if the malware protection and other tools and processes you’ve used in the past are still providing the proper security? If so, it may be time to look at your enterprise from the outside and think like a hacker!

What’s of Most Value to an Outsider?
Securing your systems is all about using common sense and applying some simple risk-management principles. So let’s start by talking about value and targets.

You should ask yourself, what is the most valuable business information an outsider would want from my systems? What other valuable information do I have on my systems an attacker would want? It may be easy to identify the key business systems because those are critical to your day-to-day operations—and you should be monitoring them closely already. We automatically assume the hackers will be associated with organized crime, a competitor, or a state entity, so we have prioritized protection around these critical operational systems. 

But what about other systems we often overlook? For example, your human resources (HR) systems contain critical personal data on all your employees. A random hacker gaining access to your intranet may not be able to penetrate your critical systems, but they still may be able to gather Social Security numbers, dates of birth, and other information from a less protected HR system. Keep this in mind as you identify and prioritize data assets in your organization.

How Would a Hacker Try to Gain Access?
Once our potential targets with their valuable data have been prioritized, we need to look at how a hacker would attempt to gain access. Looking at the Verizon 2018 Data Breach Investigations Report (DBIR), we see that our employees continue to be the weakest security links. “Phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%).” 

The good news, according to the DBIR, is that more people are aware of the danger of opening attachments or clicking on suspicious website links, and a larger number than ever don’t fall prey to this attack. The bad news of course is that it only takes one employee to click and open the door. 

So, thinking like a hacker, you would want to create a very realistic website or email attachment that may be appealing for your employees to open. To counter this, in addition to continuing your employee security awareness training, you’ll want to make sure these avenues of attack are restricted. Keep the web browsers and internet-facing components such as Flash updated to their latest version, ensuring the reported vulnerabilities are closed. And to cover that email threat, make sure you have a good spam-blocking and malware-detection capability in place.

But we know that hackers will get some malware onto your intranet. It could enter through that curious employee, or maybe via a direct network attack that found a hole in your firewall.

Now what do you do? 

Again, turning to the Verizon 2018 DBIR, the most common file types of ‘first-stage’ malware, i.e., the malware used to initially compromise a system, are: JavaScript (.js), 37.2%; Visual Basic Script (.vbs), 20.8%; MS Office, 14.8%; and PDF, 3.3%. Second-stage malware is typically a full executable of some type, but can be anything, depending on the capabilities of the initial malware. It may be less clear what to do at this point. 
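One practical way to act on those DBIR numbers is to triage inbound attachments by file type before anything else looks at them. The script below is an added example, not code from the original post or from Ivanti: it classifies attachment names into block, scan and allow tiers using the first-stage types the report lists (.js, .vbs, Office, PDF). The expansion of "MS Office" into concrete extensions, the three-tier policy and the sample attachment names are the author's own assumptions; a real gateway would still scan everything, this only shows where to concentrate attention.

```python
"""Attachment triage keyed on the DBIR first-stage malware file types.

Added example, not from the original post. Policy tiers, the list of
Office extensions and the sample attachment names are assumptions made
for the demonstration.
"""
import os
from collections import Counter

# Script types the DBIR names as the top first-stage carriers: block outright.
SCRIPT_TYPES = {".js", ".vbs"}

# "MS Office" and PDF from the DBIR, expanded into concrete extensions
# (assumed expansion): deliver only after content scanning.
DOCUMENT_TYPES = {
    ".doc", ".docx", ".docm",
    ".xls", ".xlsx", ".xlsm",
    ".ppt", ".pptx", ".pptm",
    ".pdf",
}


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return (verdict, reason) for one attachment name.

    The *last* extension decides, after lowercasing, so 'invoice.pdf.js'
    is treated as the script it really is and 'REPORT.VBS' is not let
    through on letter case alone.
    """
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    _, inner = os.path.splitext(stem)  # extension before the last one, if any

    if ext in SCRIPT_TYPES:
        if inner in DOCUMENT_TYPES:
            return "block", f"script {ext} disguised with inner {inner} extension"
        return "block", f"script type {ext}"
    if ext in DOCUMENT_TYPES:
        return "scan", f"document type {ext}: scan content before delivery"
    return "allow", "not a first-stage type listed in the DBIR"


def triage(attachments):
    """Classify many names; returns {name: (verdict, reason)}."""
    return {name: classify_attachment(name) for name in attachments}


def summarize(verdicts) -> dict:
    """Count attachments per verdict tier, e.g. {'block': 2, 'scan': 2, 'allow': 2}."""
    return dict(Counter(verdict for verdict, _ in verdicts.values()))


# Constructed sample of attachment names (not real mail data).
SAMPLE_ATTACHMENTS = [
    "Q3_numbers.xlsx",
    "invoice.pdf.js",
    "REPORT.VBS",
    "brochure.pdf",
    "photo.jpg",
    "notes.txt",
]

if __name__ == "__main__":
    verdicts = triage(SAMPLE_ATTACHMENTS)
    for name, (verdict, reason) in verdicts.items():
        print(f"{verdict:5}  {name:18}  {reason}")
    print(summarize(verdicts))
```

Running it shows the two script attachments blocked (including the one hiding behind an inner .pdf extension), the Office and PDF files routed to scanning, and the rest passed through. The point of keying on the final extension is that a name is the cheapest thing for a sender to fake, so the check must not be fooled by case or by a decorative inner extension.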

Thinking like a hacker, my malware may attempt to grab a password file, open the firewall, search for keywords in files, encrypt files for ransom, delete log files, and so forth. As the administrator charged with combating all these vectors of attack, you’ll need to take a ‘multi-pronged’ approach as well. 

First, as you did with the browsers, make sure your applications and software add-ons, like Java, are up to date. Some of this malware is successful only because it exploits a known vulnerability. Second, enforce least privilege in your organization. Most malware break-ins assume the privilege level of the user who let them in the door. The malware will be limited in what it can do if it’s not running with administrator privileges. And finally, consider running security software that can detect and prevent unknown or unauthorized applications from running. This is often a big step up for most companies, but the addition of application control will stop many malware attacks before they ever get started.
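The third prong, application control, is easiest to understand as a default-deny allowlist keyed on what a file *is* rather than what it is called. The code below is an added example of that idea, not Ivanti's product logic or anything from the original post: a launcher computes the SHA-256 of a binary and only authorizes it if the hash is on an approved list, logging every denial for the administrator. The sample "binaries", their contents and the temporary directory layout are constructed for the demonstration.

```python
"""Hash-based application allowlisting.

Added example, not code from the original post or from Ivanti. The
approved 'binaries' and the rogue file are constructed in a temporary
directory so the script runs stand-alone.
"""
import hashlib
import logging
import os
import tempfile

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("appcontrol")


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AppControl:
    """Default-deny launcher policy.

    Authorization is keyed on content hash, not on file name or path,
    so an unknown file that borrows an approved program's name, or sits
    in a directory where approved programs live, is still denied.
    """

    def __init__(self, allowed_hashes):
        self.allowed = set(allowed_hashes)
        self.denied = []  # audit trail of blocked launch attempts: (path, digest)

    def authorize(self, path: str) -> bool:
        digest = sha256_of_file(path)
        if digest in self.allowed:
            log.info("allow %s (%s)", path, digest[:12])
            return True
        self.denied.append((path, digest))
        log.warning("deny %s (%s): not on allowlist", path, digest[:12])
        return False


def run_demo():
    """Build a constructed scenario and return ({label: allowed}, denial count)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Two approved programs; their hashes form the allowlist.
        approved_hashes = []
        for name, content in [("editor.exe", b"approved editor build 1"),
                              ("calc.exe", b"approved calculator build 7")]:
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(content)
            approved_hashes.append(sha256_of_file(path))
        control = AppControl(approved_hashes)

        # A constructed unknown file that reuses an approved program's name
        # but has different content; the hash check is what catches it.
        downloads = os.path.join(tmp, "Downloads")
        os.mkdir(downloads)
        rogue = os.path.join(downloads, "editor.exe")
        with open(rogue, "wb") as f:
            f.write(b"not the approved editor")

        results = {
            "editor.exe": control.authorize(os.path.join(tmp, "editor.exe")),
            "calc.exe": control.authorize(os.path.join(tmp, "calc.exe")),
            "Downloads/editor.exe": control.authorize(rogue),
        }
        return results, len(control.denied)


if __name__ == "__main__":
    verdicts, denials = run_demo()
    for label, allowed in verdicts.items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {label}")
    print(f"{denials} launch attempt(s) denied")
```

The two approved programs run and the look-alike in the Downloads directory is denied and logged, even though its name matches an approved one. Hash-based allowlisting also ties in with the first prong: when an application is patched, its hash changes, so the allowlist must be updated as part of the same change process, which keeps the inventory of what is permitted to run honest.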

Leverage the Hacker’s Perspective
Thinking like a hacker, you can gain a different perspective on your current security implementation and practices. You’ll probably see much more than the few basic ideas I’ve presented here. It may validate your security program or may propel you in a different direction. Don’t be afraid to challenge the status quo with your new perspective and combat the ‘that’s the way we’ve always done it’ mentality. Oh, and by the way, don’t forget that defense in depth still has its place, which I think we demonstrated in this discussion.