IT Security: Think Like A Thief
With security threats to information services growing in sophistication, frequency and variety, IT professionals on all sides of the marketplace are realizing an urgent need to reinvent themselves in order to anticipate the bewildering variety of attacks that they and their customers face. What they are discovering is that a system's weaknesses exist not only in the software and hardware at their fingertips, but in the minds of the people who have access to it.
A good example of this can be seen in just one form of attack: SQL injection, in which text typed by an attacker is treated by the database as part of a query, because the application pastes that text straight into the query instead of handling it as data. The vulnerable openings might be the "username" or "password" fields on a login form, or the space for a credit card number on an ecommerce form. It would never occur to the average user to type anything other than the requested information into such a field, but to the bad guys that field is as tempting as an open window or a set of misplaced keys. It is the way in to an unprotected treasure.
It is the mindset that is essential here. Good guys don't think like bad guys. As a result, IT defense often appears to be playing catch-up with opportunists who may be anywhere on the planet, yet who can reach a server with ease.
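To make the login-form case concrete, here is an added example (not code from the original article): a constructed SQLite users table queried two ways, once by pasting the form fields into the query text and once with placeholders. The table contents, the user names and the attacker strings are all assumptions made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example; not from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: whatever the user typed becomes SQL."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Uses placeholders: the values travel separately from the query structure,
    so quotes, comment markers or keywords inside them stay plain data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()

    # Legitimate use: both versions agree.
    print(login_vulnerable(conn, "alice", "s3cret"))      # alice
    print(login_parameterized(conn, "alice", "s3cret"))   # alice

    # Attacker input in the password field closes the quoted string and appends
    # a condition that is always true, so every row matches and a user who does
    # not even exist is "logged in".
    tautology = "' OR '1'='1"
    print(login_vulnerable(conn, "nobody", tautology))     # alice
    print(login_parameterized(conn, "nobody", tautology))  # None

    # Attacker input in the username field comments out the password check
    # ("--" starts an SQL comment), so any password is accepted for alice.
    print(login_vulnerable(conn, "alice'--", "wrong"))     # alice
    print(login_parameterized(conn, "alice'--", "wrong"))  # None
```

The point of the example is that the attacker never needs a "vulnerable opening" other than an ordinary form field; the defect is entirely in how the application hands that field's contents to the database. Parameterized queries remove the defect regardless of what is typed.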
A recent Brighttalk.com webcast featuring data collected by the Ponemon Institute pointed out that U.S. companies reported an average of “$12.7 million in losses to cybercrime,” with “the most costly cybercrimes … caused by denial of services, malicious insiders, and malicious code. These threats account for more than 55 percent of all cybercrime costs.”
The rise of mobile technologies and BYOD serves to compound this problem, given the wide variety of apps, platforms and devices in use, but once again it is very often the users themselves who are the chief offenders. A classic example of network vulnerability in past years was leaving a password on a sticky note under the keyboard. A modern variant is the free and open use of mobile technologies, part of the BYOD culture that is making its way into the workplace. Users seldom exercise the vigilance required to ensure their devices are clean and uncompromised when they connect to their employers' cloud servers.
As CIO Community Manager John Dodge pointed out recently, the results of a survey from Centrify Corp. reveal that "only 43% of employees using mobile devices for work are keenly aware of mobile security. That means 57% are not." The survey points out that "on average, 45 percent of the enterprise employees surveyed have more than six third-party applications installed on their personal device" and "43 percent have accessed sensitive corporate data on their personal device while on an unsecured public network, such as the airport or a coffee shop."
These findings point out a disturbing reality for IT security specialists: they not only have to think like bad guys, they also have to think like average, innocent good-guys, for whom password and security protocols are tedious, and in the case of younger professionals, unfettered access to Internet technologies is a given.
DDoS attacks, for example, highlight how this weak link can be exploited. In one documented case, an attack on a group of U.S. banks in January 2013 was carried out by waves of botnet zombies located around the world. The source of the outbreak was traced to an innocent general-interest website based in the U.K. that had been poisoned by a web design company based in Turkey. The weak link: an administrative password on the U.K. website.
These events, just a couple of the many thousands that happen every day, reveal a requirement for security specialists to maintain a number of different mindsets: to think like a thief, certainly, but also not to overlook the most obvious source of IT vulnerability, the average human being.
This post is brought to you by the Enterprise CIO Forum and HP’s Make It Matter.
By Steve Prentice