Hacker school: Beating the hackers starts with knowing what you're up against

Ethical hacker shares ideas on proactive data security

Larry Detar has a job that tech-loving kids only dream of having when they grow up. As the vice president of global services for a company called EC-Council, Albuquerque, N.M., he hacks into networks for a living.

As a Certified Ethical Hacker, Detar conducts vulnerability assessments and penetration tests for financial institutions, government agencies and corporations. He executes code to infiltrate systems. He enters data centers pretending to be a member of the IT staff. He even digs through dumpsters to get to find whatever Achilles' heel exists in a seemingly impenetrable business.

And never once in the last five years since Detar's association with EC-Council did he fail to get at a company's sensitive data.

"That's the state of security," Detar said. "The majority of those access points are open to the 9-to-5ers. Not only the passwords to get into the computer, but the core application that controls the financials for that institution. They have access to everything that's not locked up."

Over the years, Detar has seen some security breaches that would make a TJX executive cringe. The simple fact, however, is that many security holes are avoidable.

While there is to date no security solution that is completely hackproof, Detar and fellow security experts agree that there are definitely some tried-and-true strategies that, when applied, will significantly reduce the odds that hackers will pick your business for their next attack.

1. Training, Training, Training

You can't get enough. Most experts agree that the security of an organization is as good as its weakest link-which is why they emphasize that training and awareness should be implemented at every level.

"Although everybody gives lip service that security starts at the lowest rung, nobody bothers to train that rung of the organization," Detar said.

Basic security training reinforces common sense behaviors, such as Internet safety, regularly installing security updates, file sharing protocols or mobile technology best practices. Yet many breaches occur as the result of carelessness or lack of user education, experts say. One such example is phishing, and there are other socially engineered attacks that can bring down a network by active consent from an unsuspecting user.

"People will get phished if they've never heard about phishing," said Guillaume Lovet, manager for the EMEA Threat Response Team at Fortinet Inc., Sunnyvale, Calif. "That's why social engineering is so cherished by hackers-it's so effective."

2. Encrypt Sensitive Data

Porous networks and mobile devices like BlackBerries and laptops have enabled increased mobility for workers, but have increased exposure to critical data. As a result, companies need solutions for protecting the information, as opposed to protecting the device in which it is stored, experts say.

Paul Kocher, president and chief scientist of San Francisco-based Cryptography Research Inc., said that companies need to protect at-risk data, or get it off their network altogether.

"The main thing encryption does is make it so data itself is no longer the critical thing to protect, but the keys are," he said. "In a way, you can think of encryption as transferring the security properties of an object to something that's easier to manage."

3. Pass On The Passwords

Passwords: easy to write down, impossible to remember. Overreliance on passwords is one of the biggest downfalls for any business' security strategy, no matter how comprehensive, experts say. Why? Because many employees will use the same easy-to-remember password for numerous applications. Or, they will write more difficult-to-remember passwords down and store them "safely" on a Post-It note stuck to the bottom of their keyboard.

To strengthen applications, businesses should start adopting a two-factor authentication system that could require a biological component, or Smart Card as well as a password.

This content continues onto the next page...