IT Security: Think Like A Thief – And An Average Joe, Too

IT Security: Think Like A Thief

With security threats to information services growing in sophistication, frequency and variety, IT professionals on all sides of the marketplace are realizing an urgent need to reinvent themselves to better anticipate the bewildering variety of attacks that they and their customers face. The problem that they are discovering, is that the systems’ maliciousness and weaknesses exist not only in the software and hardware at their fingertips, but in the minds of those that have access to it.

A good example of this can be seen in just one form of attack: SQL injection, in which destructive code finds its way into a database by way of a vulnerable opening. These vulnerable openings might be the “username” or “password” panels on a login form, or the space for a credit card number on an ecommerce form. It would never occur to the average user to insert anything other than the required information into this panel, but for the bad guys, this panel is as tempting as an open window, or a set of misplaced keys. It is the way in to an unprotected treasure.

It is the mindset that is essential here. Good guys don’t think like bad guys. Therefore, IT defense often appears to be playing a game of catch-up with opportunists who may exist anywhere on the planet, yet who can access a server with ease.

A recent Brighttalk.com webcast featuring data collected by the Ponemon Institute pointed out that U.S. companies reported an average of “$12.7 million in losses to cybercrime,” with “the most costly cybercrimes … caused by denial of services, malicious insiders, and malicious code. These threats account for more than 55 percent of all cybercrime costs.”

The rise of the use of mobile technologies and BYOD serve to compound this problem, given the wide variety of apps, platforms and devices in use, but once again, it is very often the users themselves that are the chief offenders. A classic example of network vulnerability in past years was the act of leaving a password on a sticky-note under the keyboard. A modern variant of this is the free and open use of mobile technologies – part of the BYOD culture that is making its way into the Workplace. Users seldom employ the vigilance required to ensure their devices are clean and impermeable as they connect to their employers’ cloud servers.

As CIO Community Manager John Dodge pointed out recently the results of a survey from Centrify Corp. reveals that “only 43% of employees using mobile devices for work are keenly aware of mobile security. That means 57% are not.” The survey points out that “on average, 45 percent of the enterprise employees surveyed have more than six third-party applications installed on their personal device” and “43 percent have accessed sensitive corporate data on their personal device while on an unsecured public network, such as the airport or a coffee shop.”

These findings point out a disturbing reality for IT security specialists: they not only have to think like bad guys, they also have to think like average, innocent good-guys, for whom password and security protocols are tedious, and in the case of younger professionals, unfettered access to Internet technologies is a given.

DDoS attacks, for example highlight how this weak link can be exploited. One documented case, an attack on a group of U.S. banks in January 2013 was carried out by waves of botnet zombies located around the world. The source of the outbreak was determined to be an innocent general-interest website based in the U.K. that had been poisoned by a web design company based in Turkey. The weak link: an administrative password on the U.K. website.

These events, just a couple of the many thousands that happen every day, reveal a requirement for security specialists to maintain a number of different mindsets – to think like a thief, certainly but to also not overlook the most obvious source of IT vulnerability: the average human being.

This post is brought to you by the Enterprise CIO Forum and HP’s Make It Matter.

By Steve Prentice

Gary Taylor
Hybrid Worker Risks Organizations are under pressure to secure their remote workers, but they are also worried about the potential impact on user experience. Can they have it both ways without compromise? The pandemic has ...
James Corbishly
Teams Sprawl in the Remote Workspace As working from home has become the new everyday norm, with more employers embracing the remote-work model as a new and likely permanent fixture of the employment world, there ...
Mitigation Security
Data scraping solutions When people hear the term data scraping, their first thought is often about how companies use this technology for competitive reasons – specifically to pull publicly-available data from millions of websites in ...
Rahul
How to Start Your Cloud Career Cloud computing is the present. And it is the future as well!! In fact, a quote by Chris Howard says, ‘Cloud Computing is a spectrum of things complementing one ...
Rakesh Soni
Multi-tenant clouds are becoming more popular than ever because they're incredibly cost effective and easy to set up. If you're considering switching your business over to a multi-tenant cloud platform, this article is for you ...

SECURITY TRAINING

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.

  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.