IT Security: Think Like A Thief – And An Average Joe, Too

With security threats to information services growing in sophistication, frequency and variety, IT professionals on all sides of the marketplace are realizing an urgent need to reinvent themselves to better anticipate the bewildering variety of attacks that they and their customers face. The problem they are discovering is that a system’s weaknesses, and the malice that exploits them, exist not only in the software and hardware at their fingertips, but in the minds of those who have access to it.

A good example of this can be seen in just one form of attack: SQL injection, in which attacker-supplied text reaches the database as part of a query by way of a vulnerable opening. These vulnerable openings might be the “username” or “password” fields on a login form, or the space for a credit card number on an ecommerce form. It would never occur to the average user to enter anything other than the required information into such a field, but for the bad guys, this field is as tempting as an open window, or a set of misplaced keys. It is the way in to an unprotected treasure.

It is the mindset that is essential here. Good guys don’t think like bad guys. Therefore, IT defense often appears to be playing a game of catch-up with opportunists who may exist anywhere on the planet, yet who can access a server with ease.

A recent webcast featuring data collected by the Ponemon Institute pointed out that U.S. companies reported an average of “$12.7 million in losses to cybercrime,” with “the most costly cybercrimes … caused by denial of services, malicious insiders, and malicious code. These threats account for more than 55 percent of all cybercrime costs.”

The rise of mobile technologies and BYOD serves to compound this problem, given the wide variety of apps, platforms and devices in use, but once again, it is very often the users themselves who are the chief offenders. A classic example of network vulnerability in past years was the act of leaving a password on a sticky note under the keyboard. A modern variant of this is the free and open use of mobile technologies – part of the BYOD culture that is making its way into the workplace. Users seldom employ the vigilance required to ensure their devices are clean and impermeable as they connect to their employers’ cloud servers.

As CIO Community Manager John Dodge pointed out recently, the results of a survey from Centrify Corp. reveal that “only 43% of employees using mobile devices for work are keenly aware of mobile security. That means 57% are not.” The survey points out that “on average, 45 percent of the enterprise employees surveyed have more than six third-party applications installed on their personal device” and “43 percent have accessed sensitive corporate data on their personal device while on an unsecured public network, such as the airport or a coffee shop.”

These findings point out a disturbing reality for IT security specialists: they not only have to think like bad guys, they also have to think like average, innocent good guys, for whom password and security protocols are tedious and for whom, in the case of younger professionals, unfettered access to Internet technologies is a given.

DDoS attacks, for example, highlight how this weak link can be exploited. In one documented case, an attack on a group of U.S. banks in January 2013 was carried out by waves of botnet zombies located around the world. The source of the outbreak was determined to be an innocent general-interest website based in the U.K. that had been poisoned by a web design company based in Turkey. The weak link: an administrative password on the U.K. website.

These events, just a couple of the many thousands that happen every day, reveal a requirement for security specialists to maintain a number of different mindsets – to think like a thief, certainly, but also not to overlook the most obvious source of IT vulnerability: the average human being.

This post is brought to you by the Enterprise CIO Forum and HP’s Make It Matter.

By Steve Prentice
