Hacker school: Beating the hackers starts with knowing what you're up against

Ethical hacker shares ideas on proactive data security


"We need to move toward two-factor authentication-something you know, something you are," said Tony Kellerman, vice president of security awareness at Boston-based Core Security Technologies Inc. If you're going to rely on passwords, make them complex, "particularly those who have the keys to the castle," he said.

4. Update Your Security Policies

Threats change. And as the security threatscape evolves so, too, should your policies. But these policies won't benefit an organization unless they're understood by all its employees.

"The way all these technologies blend together, you forget what set of disciplines apply," said John Theilens, vice president of technology at Tumbleweed Communications Corp., Redwood City, Calif. "You get this very broad set of tools on your desktop. What's the right way to communicate content? And who's keeping a record of it forever?"

5. Keep An Eye On Third Parties

It's no secret that in a tough economy, businesses will tighten their belts and outsource functions previously occupied by in-house staff. But cutting costs should never be at the expense of security, experts say.

Outside contractors, particularly those with access to the network or privileged information, should receive just as much scrutiny as regular employees, and be subjected to regular audits, security experts say.

"They have a direct pipeline to the bowels of your network. And that inevitably will put your operations at risk," Kellerman said. "If they get polluted, you get polluted."

6. Hack Yourself

"Test the security, not just outside in, but inside out," Kellerman said.

There's no other way to test your strategy than by-well, testing your strategy. Experts recommend that companies need to make it a point to regularly hack into their own systems to determine which devices can be taken over, and what can be done to strengthen those devices.

"You have to know where the vulnerabilities are, and you have to know which of those vulnerabilities are a threat to an organization," Detar said. "Otherwise, why spend $30,000 if all [the hackers] are going to get is an access code for the company Starbucks card?"

Larger organizations might want to invest in an independent security consulting company to conduct penetration tests. Smaller companies can ask members of their IT staff to do it. Once the weak points are detected, organizations then need to remediate all the vulnerabilities.

"One hundred percent hacker-proof security does not really exist. There's always a risk," Kellerman said. "The goal is to reduce that risk and to manage it, to react and to respond. The more layers of protection you have, the better off you are."

---

Class Is In Session

In an effort to help businesses keep their systems hack-resistant, Larry Detar, vice president of global services for EC-Council, helped develop curriculum for Security5, a "hacker course" conceived to "teach the 9-to-5ers the basics about security." That means anyone from custodial staff on up to CEOs.

The goal of the two-day security course is to reduce the occurrence of simple mistakes that can lead to catastrophic security breaches. During the training, Detar emphasizes the fundamentals of security in nine core areas that cover everything from basic security procedures and administering Windows securely to recognizing security threats and attacks, and incident response.

The training provides a way for employees to help hack-proof their businesses by learning how attackers can enter in the first place, while also encouraging workers to think twice before circumventing company security protocol.

"(Employees) think it's going to make it harder for them to get their work done. Or harder to do something that they're used to doing. To keep the boss off their backs, they find a way around the rules," Detar said. "Anything you've heard about the lower level is true. But it's not their fault. Nobody has trained them."

And Security5 is just the beginning. For the aspiring ethical hacker, EC-Council also offers the more advanced certified ethical hacker (CEH) and Computer Hacking Forensic Investigator (CHFI) certifications.

-Stefanie Hoffman

---

It Would Have Helped Hannaford