SecurityWeek

Management & Strategy

Keeping the Hacker Out: Knowing is Half The Battle

Attacks are Persistent, and Hackers have the Advantage. In the Fight Against Cyber Attacks, Knowledge is Power.

Being aware of the methods used by hackers is an important step towards defending against attacks on sensitive company data. Knowledge determines how a CEO will defend his ship, and whether or not he can prevent future attacks. Understanding hacker “know-how,” in conjunction with appropriate defense and countermeasures, will help identify potential threats to a company’s network.

Hacks on critical infrastructure are commonplace and companies are left trying to defend their own networks.

Defending Against Hackers

Those responsible for company networks are familiar with web site defacements, denial of service attacks, and executive spear phishing. They may even have come to understand that hackers gather information about a target and conceal themselves while they wait, a phase also known as footprinting. When a hacker strikes, the cost to a company could potentially be millions of dollars. Not only will it affect the bottom line, but hard-earned reputations could be compromised or destroyed.

Knowledge must be coupled with action—that means countermeasures.

Security Information Event Management

Security Information and Event Management (SIEM) software is an indispensable automation tool that determines the severity of threats to a company’s network security, often with real-time, around-the-clock identification. SIEM also offers a window into the network by providing up-to-date, correlated reports that assist in compliance initiatives.

Such tools correlate events, like alerts about TCP port scans on the firewall, suspected anomalies, and detected intrusions. This information is then passed to the IT department where action is taken.

SIEM is capable of detecting suspicious employee activity, which is extremely important. Let’s say a swipe card system identifies an employee entering the company office in Montreal after business hours, then identifies the same employee entering another company facility 20 miles away. If the two entries occur within 20 minutes of each other, something is off, because it is impossible for one person to travel 20 miles in 20 minutes. One can therefore deduce that the card has been cloned, either without the employee’s knowledge or with the suspected employee’s complicity.

One case that I investigated was a computer in a branch office of a fairly large bank that logged on after 8 p.m. We found it strange because most employees are gone by 5 p.m. Because this event alerted us in real time, we were able to find out soon after that the janitor had tried to use the PC to surf and check his email.

In these cases, security has been compromised.

Because events can be detected in real time, the employee’s identity is suspended, and efforts are then made to contact the employee to learn more about what just happened. The employee may have been returning to the office to pick up his car keys or other personal items, a logical and common daily occurrence. Unfortunately, his card may have been cloned, or the company’s employee identification database may have been hacked. Luckily, the hacker used the cloned card around the same time the employee did. The employee was unaware of the hack and was innocently trying to get his car keys. A quick conversation with the employee, followed by a study of his login patterns while at work, would either establish his innocence or lead to further investigation. While the example is small, the non-employee 20 miles away could be stealing sensitive data that could cost the company its reputation as well as millions of dollars.
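The swipe-card correlation described above, written out as a small detection rule. This is an added example, not code from the article or from any SIEM product: the site names, the 20-mile distance table, the 50 mph speed ceiling and the badge events are all constructed for the demonstration. The rule flags consecutive badge-ins by one employee that would require travelling faster than the ceiling, and maps each alert to the article’s response (suspend the badge identity, then contact the employee).

```python
from collections import defaultdict
from datetime import datetime

# Constructed swipe-card events: "<ISO timestamp> <employee id> <site>".
# E1042 badges into two facilities 13 minutes apart (impossible travel);
# E2077 badges into the same two facilities more than three hours apart.
SAMPLE_EVENTS = """\
2023-05-02T19:05:00 E1042 montreal-hq
2023-05-02T19:18:00 E1042 laval-dc
2023-05-02T17:55:00 E2077 montreal-hq
2023-05-02T21:10:00 E2077 laval-dc
"""

# Assumed straight-line distance in miles between facility pairs (constructed).
SITE_DISTANCE_MILES = {
    frozenset({"montreal-hq", "laval-dc"}): 20.0,
}

# Assumed fastest plausible ground travel between sites; faster is flagged.
MAX_SPEED_MPH = 50.0


def parse_events(text):
    """Parse badge-reader lines into (timestamp, employee, site) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, site = line.split()
        events.append((datetime.fromisoformat(ts), emp, site))
    return events


def impossible_travel(events, max_speed_mph=MAX_SPEED_MPH):
    """Return one alert per consecutive pair of badge-ins by the same employee
    at different sites that implies travel faster than max_speed_mph.
    Each alert is (employee, first_site, second_site, minutes_between)."""
    by_employee = defaultdict(list)
    for ts, emp, site in events:
        by_employee[emp].append((ts, site))

    alerts = []
    for emp, swipes in by_employee.items():
        swipes.sort()  # chronological order per employee
        for (t1, s1), (t2, s2) in zip(swipes, swipes[1:]):
            if s1 == s2:
                continue  # re-entering the same building is not travel
            miles = SITE_DISTANCE_MILES.get(frozenset({s1, s2}))
            if miles is None:
                continue  # unknown site pair: no basis to judge, skip it
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two different sites at the same instant is trivially impossible.
            if hours == 0 or miles / hours > max_speed_mph:
                alerts.append((emp, s1, s2, round(hours * 60)))
    return alerts


def respond(alerts):
    """Turn alerts into the article's response steps: suspend the badge
    identity and queue a follow-up conversation with the employee."""
    return [
        {"employee": emp, "action": "suspend_badge", "followup": "contact_employee"}
        for emp, _, _, _ in alerts
    ]


if __name__ == "__main__":
    found = impossible_travel(parse_events(SAMPLE_EVENTS))
    for alert in found:
        print("impossible travel:", alert)
    for step in respond(found):
        print("response:", step)
```

The threshold and distance table are the tuning knobs: a correlation rule like this is only as good as the facility data behind it, and an unknown site pair is deliberately skipped rather than guessed at, so it produces no false alarm.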

Intrusion Detection Systems

These systems act like security cameras watching a network. The purpose is to catch a hacker, or disgruntled employee, with their pants down, and automatically cut access to the system and signal an alert.

Like security cameras watching people coming in and out of a department store, an IDS inspects all inbound and outbound network activity and, from there, watches for and identifies suspicious patterns.

There are different means to employ IDS.

A network-based IDS examines everything coming through the network, while a host-based IDS examines an individual employee computer. Then there is the passive versus reactive distinction: a passive system detects a potential security problem and signals an alert, whereas a reactive system responds to the suspicious activity itself, for example by logging off a user. In some cases, the IDS may reprogram the firewall to block a possible intrusion.
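The passive-versus-reactive distinction, shown on the article’s own example of a TCP port scan reported by the firewall. This is an added example and not the article’s or any vendor’s code: the connection log, the IP addresses, the five-distinct-ports-in-ten-seconds threshold and the simulated `Firewall` class are all constructed for the demonstration. In passive mode the detector only raises an alert; in reactive mode it also asks the (simulated) firewall to block the scanning source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: "<ISO timestamp> <src ip> <dst ip> <dst port>".
# 198.51.100.7 probes six ports on one host within four seconds;
# 10.0.0.12 makes two ordinary connections to port 443.
SAMPLE_LOG = """\
2023-05-02T10:00:01 198.51.100.7 10.0.0.5 22
2023-05-02T10:00:01 198.51.100.7 10.0.0.5 23
2023-05-02T10:00:02 198.51.100.7 10.0.0.5 80
2023-05-02T10:00:02 198.51.100.7 10.0.0.5 443
2023-05-02T10:00:03 198.51.100.7 10.0.0.5 3389
2023-05-02T10:00:03 198.51.100.7 10.0.0.5 8080
2023-05-02T10:00:04 10.0.0.12 10.0.0.5 443
2023-05-02T10:00:09 10.0.0.12 10.0.0.5 443
"""

# Assumed tuning: this many distinct destination ports from one source to one
# host inside the window counts as a scan.
SCAN_PORT_THRESHOLD = 5
SCAN_WINDOW = timedelta(seconds=10)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def detect_port_scans(records, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW):
    """Sliding-window scan detector. Emits at most one alert per (src, dst)
    pair, as soon as the distinct-port count inside the window hits threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        start = 0
        for end, (t_end, _) in enumerate(hits):
            # Slide the window start forward until it fits inside `window`.
            while t_end - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst,
                               "ports": sorted(ports),
                               "first_seen": hits[start][0]})
                break  # one alert per pair is enough
    return alerts


class Firewall:
    """Simulated firewall (an assumption of this example) that the reactive
    IDS reprograms; it only records which sources it was told to block."""
    def __init__(self):
        self.blocked = set()

    def block(self, ip):
        self.blocked.add(ip)


def run_ids(records, mode, firewall):
    """Passive mode: alert only. Reactive mode: alert and block the source."""
    if mode not in ("passive", "reactive"):
        raise ValueError("mode must be 'passive' or 'reactive'")
    alerts = detect_port_scans(records)
    if mode == "reactive":
        for alert in alerts:
            firewall.block(alert["src"])
    return alerts


if __name__ == "__main__":
    fw = Firewall()
    for alert in run_ids(parse_log(SAMPLE_LOG), "reactive", fw):
        print("port scan:", alert["src"], "->", alert["dst"], alert["ports"])
    print("blocked:", sorted(fw.blocked))
```

The reactive branch is where the operational risk lives: an attacker who can spoof the source of a scan can make a reactive IDS block a legitimate address, so the block list a detector like this feeds is worth reviewing, not just trusting.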

Sharing the experience

While a company might favor one method over the other, the bottom line is: what can a company do to make it hard for a hacker to get in? In many cases, an attack is discovered and only then do investigations begin. By that time the hacker is hidden or has erased any trace of his presence. Companies continue to be victimized.

But what if company investigators had prior knowledge of, let’s say, Hacker A, and were one step ahead of him or her? One way to stop a hacker is to have a pool of knowledge, a sharing of information among companies that have been hacked. Called intelligence sharing, the idea is to pool as much information as possible, in collaboration with other companies, and to spend as much time learning about hacker defense as hackers spend learning about a company. The real advantage of sharing intelligence is avoiding a breach of security in the first place.

In July, a summit of security leaders met for an Advanced Persistent Threats gathering in Washington, D.C. The leaders reinforced what security analysts have been saying for years: attacks are more persistent, and hackers have the advantage. The summit concluded that even companies that have not been hacked should be preparing for an eventual attack and should join the “club” of those already hacked. The sharing of information is crucial.

A good start would be attending the yearly DEF CON, Black Hat or BSides conferences, where you get to network with other professionals and learn from their experiences while sharing your own.

Full enterprise-wide sharing of information is not likely to emerge any time soon, given that companies are bound by legal restrictions and governing regulations. Although companies are not forbidden from sharing information, a better framework for sharing is being called for in the United States and Canada.

Information and countermeasures need to be shared at break-neck speed in order to keep companies one step ahead of attackers.
