Keeping the Hacker Out: Knowing is Half The Battle

Attacks are Persistent, and Hackers have the Advantage. In the Fight Against Cyber Attacks, Knowledge is Power.

Being aware of the methods used by hackers is an important step towards defending against attacks on sensitive company data. Knowledge determines how a CEO will defend his ship, and whether or not he can prevent future attacks. Understanding hacker “know-how,” in conjunction with appropriate defenses and countermeasures, helps identify potential threats to a company’s network.

Hacks on critical infrastructure are commonplace and companies are left trying to defend their own networks.

Defending Against Hackers

Those responsible for company networks are familiar with web site defacements, denial of service attacks, and executive spear phishing. They may even have come to understand that hackers gather information about a target and conceal themselves while they wait, which is also known as footprinting. When a hacker strikes, the cost to a company could potentially be millions of dollars. Not only will it affect the bottom line, but hard-earned reputations could be compromised or destroyed.

Knowledge must be coupled with action—that means countermeasures.

IT Security Resource: Justifying IT Security: Managing Risk & Keeping Your Network Secure

Security Information Event Management

Security Information and Event Management (SIEM) software is an indispensable automation tool that determines the severity of threats to a company's network security, often with real-time, around-the-clock identification. SIEM also offers a window into the network by providing up-to-date, correlated reports that assist in compliance initiatives.

Such tools correlate events, like alerts about TCP port scans on the firewall, suspected anomalies, and detected intrusions. This information is then passed to the IT department where action is taken.

SIEM is capable of detecting suspicious employee activity, which is extremely important. Let’s say a swipe card system identifies an employee entering the company office in Montreal after business hours, then identifies the same employee entering another company facility 20 miles away. If the two entries occur within a space of 20 minutes, something is off, because it is impossible for one person to travel 20 miles in 20 minutes. Therefore, one can deduce that the card has been cloned, either without the employee's knowledge or with it.

One case that I investigated was a computer in a branch office of a fairly large bank that logged on after 8 p.m. We found it strange because most employees are gone by 5 p.m. Because this event alerted us in real-time, we were able to find out soon after that the janitor tried to use the PC to surf and check his email.

In these cases, security has been compromised.

Because events can be detected in real-time, the identity of the employee is suspended, and then efforts are made to contact the employee to gain further information about what just happened. The employee may have been returning to the office to pick up his car keys or other personal items. It is a logical and common daily occurrence. Unfortunately, his card may have been cloned, or the company employee identification database may have been hacked. Luckily, the hacker used the cloned card around the same time the employee did. The employee was unaware of the hack and was innocently trying to get his car keys. A quick conversation with the employee, followed by a study of his login patterns while at work, would determine his innocence, or lead to further investigations. While the example is small, the non-employee 20 miles away could be stealing sensitive data that could cost the company’s reputation as well as millions of dollars.
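The swipe-card correlation and the after-hours logon described above, written out as a small SIEM-style rule set. This is an added example, not code from the article or from any SIEM product; the badge log, the facility names, the 60 mph speed ceiling and the 07:00-19:00 business hours are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed badge log (not from the article): card id, local timestamp, facility.
# card-1042 mirrors the article's scenario: two sites 20 miles apart, swiped 13 minutes apart.
BADGE_LOG = [
    ("card-1042", "2012-09-14 20:05", "Montreal HQ"),
    ("card-1042", "2012-09-14 20:18", "Laval plant"),
    ("card-2210", "2012-09-14 08:55", "Montreal HQ"),
    ("card-2210", "2012-09-14 12:30", "Montreal HQ"),
]
# Assumed distance table between facilities, in miles (constructed, symmetric).
DISTANCE_MILES = {frozenset({"Montreal HQ", "Laval plant"}): 20}
MAX_SPEED_MPH = 60        # assumption: faster than this between sites is not a person driving
BUSINESS_HOURS = (7, 19)  # assumption: swipes outside 07:00-19:00 count as after hours

def parse(log):
    return [(c, datetime.strptime(ts, "%Y-%m-%d %H:%M"), s) for c, ts, s in log]

def impossible_travel(log):
    """Consecutive swipes of one card at different sites that imply more than MAX_SPEED_MPH."""
    alerts, last = [], {}
    for card, ts, site in sorted(parse(log), key=lambda e: (e[0], e[1])):
        if card in last and last[card][1] != site:
            prev_ts, prev_site = last[card]
            miles = DISTANCE_MILES.get(frozenset({prev_site, site}), 0)
            minutes = (ts - prev_ts).total_seconds() / 60
            if minutes == 0 or miles / (minutes / 60) > MAX_SPEED_MPH:
                alerts.append((card, prev_site, site, int(minutes)))
        last[card] = (ts, site)
    return alerts

def after_hours(log):
    """Swipes outside BUSINESS_HOURS: worth a look, but not proof of anything on their own."""
    start, end = BUSINESS_HOURS
    return [(c, s, ts.strftime("%H:%M")) for c, ts, s in parse(log) if not start <= ts.hour < end]

def triage(log):
    """Map each flagged card to the response the article describes."""
    actions = defaultdict(lambda: "none")
    for card, *_ in after_hours(log):
        actions[card] = "review login patterns"
    for card, *_ in impossible_travel(log):
        actions[card] = "suspend credential, contact employee"  # card is probably cloned
    return dict(actions)

if __name__ == "__main__":
    print(triage(BADGE_LOG))  # {'card-1042': 'suspend credential, contact employee'}
```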

Intrusion Detection Systems

These systems act like security cameras watching a network. The purpose is to catch a hacker, or disgruntled employee, with their pants down, and automatically cut access to the system and signal an alert.

As with security cameras watching people coming in and out of a department store, IDS inspects all inbound and outbound network activity. From there it watches and identifies suspicious patterns.

There are different means to employ IDS.

Network-based IDS examines everything coming through the network, while host-based IDS may examine an individual employee's computer. Then there are passive systems that detect a potential security problem and signal an alert. In a reactive system, the IDS reacts to the suspicious activity, for example by logging off a user. In some cases, the IDS may reprogram the firewall to snag a possible intrusion.
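The passive versus reactive distinction, shown on the kind of firewall event the SIEM section mentions (a TCP port scan). This is an added example, not code from the article or from any IDS product; the firewall log lines, the 10-second window and the six-port threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (not from the article): date, time, source, "->", dest:port, action.
FW_LOG = """\
2012-09-14 22:01:03 198.51.100.7 -> 10.0.0.5:21 DENY
2012-09-14 22:01:03 198.51.100.7 -> 10.0.0.5:22 DENY
2012-09-14 22:01:04 198.51.100.7 -> 10.0.0.5:23 DENY
2012-09-14 22:01:04 198.51.100.7 -> 10.0.0.5:25 DENY
2012-09-14 22:01:05 198.51.100.7 -> 10.0.0.5:80 ALLOW
2012-09-14 22:01:05 198.51.100.7 -> 10.0.0.5:443 ALLOW
2012-09-14 22:01:06 198.51.100.7 -> 10.0.0.5:3389 DENY
2012-09-14 22:01:10 203.0.113.9 -> 10.0.0.5:443 ALLOW
2012-09-14 22:01:12 203.0.113.9 -> 10.0.0.5:443 ALLOW
"""
WINDOW = timedelta(seconds=10)  # assumption: sliding window for one source
PORT_THRESHOLD = 6              # assumption: distinct ports in WINDOW that count as a scan

def parse_fw(text):
    events = []
    for line in text.splitlines():
        date, clock, src, _, dst, _action = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, src, int(dst.rsplit(":", 1)[1])))
    return events

def detect_scans(events, threshold=PORT_THRESHOLD, window=WINDOW):
    """Network-based view: one source touching many distinct ports inside the window."""
    recent, alerts = defaultdict(list), {}
    for ts, src, port in sorted(events):
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= window] + [(ts, port)]
        ports = {p for _, p in recent[src]}
        if len(ports) >= threshold:
            alerts[src] = sorted(ports)   # keep the latest, fullest view of the scan
    return alerts

def run_ids(log_text, mode="passive"):
    """mode='passive' only raises alerts; 'reactive' also names sources to block."""
    alerts, blocked = [], []
    for src, ports in detect_scans(parse_fw(log_text)).items():
        alerts.append(f"possible TCP port scan from {src}: {len(ports)} ports in {WINDOW.seconds}s")
        if mode == "reactive":
            blocked.append(src)  # stands in for pushing a deny rule to the firewall
    return alerts, blocked

if __name__ == "__main__":
    print(run_ids(FW_LOG, mode="reactive"))
```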

Sharing the experience

While a company might consider one method over the other, the bottom line is this: what can a company do to make it hard for a hacker to get in? In many cases, an attack is discovered and only then do investigations begin. By this time the hacker is hidden or has erased any trace of his presence. Companies continue to be victimized.

But what if company investigators had previous knowledge of, let’s say, Hacker A, and were one step ahead of him or her? One way to stop a hacker is to have a pool of knowledge, or a sharing of information among companies that have been hacked. Called intelligence sharing, the idea is to pool as much information as possible, in collaboration with other companies, and to spend as much time learning about hacker defense as hackers do learning about a company. The real advantage of sharing intelligence is to avoid a breach of security to begin with.

In July, a summit of security leaders met for an Advanced Persistent Threats gathering in Washington, D.C. The leaders reinforced what security analysts have been saying for years: attacks are more persistent, and hackers have the advantage. The summit concluded that even companies who have not been hacked should be preparing for an eventual attack and should join the “club” of those already hacked. The sharing of information is crucial.

A good start would be attending yearly conferences such as DEF CON, Black Hat or BSides, where you get to network with other professionals and learn from their experiences while sharing your own.

A full enterprise sharing of information is not likely to emerge any time soon, given that companies are bound by legal restrictions and governing regulations. Although companies are not forbidden from sharing information, a better framework for sharing is being called for in the United States and Canada.

Information and countermeasures need to be shared at break-neck speed in order to keep companies one step ahead of attackers.

Terry Cutler is a co-founder of Digital Locksmiths, an IT security and data defense firm based in Montreal, and serves as the company's Chief Technology Officer and Certified Ethical Hacker. Prior to joining Digital Locksmiths, he was a Premium Support Engineer for Novell in Canada, where he analyzed network vulnerabilities and transitioned security technologies into production. In addition to being a licensed private investigator in Canada, Terry is an internationally known author, trainer, speaker, and security consultant. He has appeared in numerous national television and radio programs and is very active on the conference circuit. Follow Terry on Twitter at @TerryPCutler.