Hacking Your Way to Better Security

When Consumer Reports put anti-virus products to the test last month, they did so with a twist: they created new viruses. The response to this has mostly been negative, with AV and anti-spyware vendors crying foul.

What’s been missed in the hoopla, however, is that Consumer Reports did the right thing. Maybe it’s not ethical to introduce new viruses to the world, but any organization hoping to protect its network from intruders should take a cue from Consumer Reports. When thinking about security, start by thinking like an intruder.

This is not novel advice. Scan the bookshelves of any executive’s office, and chances are you’ll see Sun Tzu’s Art of War. One of its most quoted passages? “Know thy enemy and know thyself, find naught in fear for 100 battles.”

The problem for most security pros is figuring out how to “know” hackers and, conversely, how to know their own weaknesses better than those seeking to exploit them.

Hacking is considered a black art. Hackers spend their lives glued to computers and will eventually come up with some new, unusual method for circumventing security. Hackers don’t think or act like the rest of us. That’s the perception.

The reality is altogether different, according to Eric Schultze, chief security architect at security firm Shavlik Technologies. Most hackers follow predictable patterns and most gravitate to the easiest hacks first.

Security Gaps

“The problem is that security pros assess their vulnerabilities using an administrator’s point of view, instead of thinking like someone trying to crack a network,” Schultze said.

“As an IT administrator, I know that I use the same password across all networks and applications. It makes my job easier. What I forget is that hackers know this and it makes their job easier too. As a hacker, I know that if I crack one password it might be valid system-wide.”

Schultze pointed out some other admin behaviors that undermine security. “If I’m a hacker and I want to guess passwords, who do I go after?”

That’s right, the answer is, again, administrators. And that’s not just because their passwords are the most valuable, but also because they’re often the easiest to crack.

Most users must change their passwords every month or so. Administrators do not. They have the luxury of leaving their passwords in place indefinitely. Better still, from a hacker’s perspective, many administrator accounts don’t have automatic lockout features turned on, meaning that a hacker can try an unlimited number of user-name and password combinations until they hit on the one that lets them in.
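The three admin-account weaknesses just described (a password shared across systems, a password that never expires, and no automatic lockout) can be checked from the administrator's side before anyone else does. The script below is an added example, not code from the article or from Shavlik; it runs over a small constructed set of account records that stand in for an export from a directory or host inventory. The `pw_fingerprint` field is a constructed, opaque tag standing in for a password verifier; in real environments hashes are salted per system, so reuse is normally checked by a controlled test against a known-good list rather than by comparing raw hashes.

```python
"""Audit account records for the admin-account weaknesses described above:
never-expiring passwords, stale passwords, no lockout, and one password
reused on several systems. All names and data here are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    system: str
    user: str
    is_admin: bool
    password_set: date           # date the password was last changed
    max_age_days: Optional[int]  # None means the password never expires
    lockout_threshold: int       # 0 means no automatic lockout
    pw_fingerprint: str          # constructed stand-in for a password verifier


# Constructed sample inventory (not real systems or accounts).
SAMPLE_ACCOUNTS = [
    Account("fileserver", "admin", True, date(2005, 1, 10), None, 0, "fp-A"),
    Account("mail", "admin", True, date(2006, 3, 1), None, 5, "fp-A"),
    Account("mail", "jdoe", False, date(2006, 8, 15), 30, 5, "fp-B"),
    Account("vpn", "root", True, date(2006, 8, 1), 90, 5, "fp-C"),
]
TODAY = date(2006, 9, 15)  # fixed reference date so results are reproducible

Finding = Tuple[str, str, str]  # (system, user, issue code)


def audit(accounts: List[Account], today: date, max_age: int = 90) -> List[Finding]:
    """Return one finding per admin account per weakness detected."""
    findings: List[Finding] = []

    # Group accounts by verifier fingerprint to spot one password on many systems.
    by_fingerprint = {}
    for acct in accounts:
        by_fingerprint.setdefault(acct.pw_fingerprint, []).append(acct)

    for acct in accounts:
        if not acct.is_admin:
            continue  # the article's point is specifically about admin accounts
        if acct.max_age_days is None:
            findings.append((acct.system, acct.user, "never_expires"))
        if (today - acct.password_set).days > max_age:
            findings.append((acct.system, acct.user, "stale_password"))
        if acct.lockout_threshold == 0:
            findings.append((acct.system, acct.user, "no_lockout"))
        systems = {a.system for a in by_fingerprint[acct.pw_fingerprint]}
        if len(systems) > 1:
            findings.append((acct.system, acct.user, "password_reused"))
    return findings


def run_audit() -> List[Finding]:
    """Run the audit over the constructed sample with the fixed reference date."""
    return audit(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for system, user, issue in run_audit():
        print(f"{system}/{user}: {issue}")
```

Running it reports the fileserver admin account for all four issues and the mail admin account for the shared, never-expiring, stale password; the non-admin user and the VPN root account, whose password is recent and subject to expiry and lockout, produce nothing. The thresholds (90 days, lockout of zero) are the example's own defaults and should be set to the organization's policy.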

While understanding your own behavior is important, how do you accomplish this? “It’s hard to do on your own,” cautioned Peter Firstbrook, an analyst with Gartner. “Smart organizations get outside help.”

Firstbrook recommended a few steps for understanding your security profile and, more importantly, your organizational security behaviors. Services like vulnerability assessments and device inventories are essential, while configuration and patch management tools should be used regularly to keep the network up to date.