
Who’s Looking Inside Your Business?

Some Words of Wisdom from a ‘Certified Ethical Hacker’

Most companies recognize basic security as part of the cost of doing business. However, leaving your information systems exposed is a lot like leaving your front door unlocked 24/7.

Even very small businesses can attract unwanted attention from those with the skills to infiltrate their information systems, including servers, applications, and operating systems. And chances are, if they’ve been there, you may not even know it without the help of a forensics expert.

Because many organizations are unaware of the risk of computer attacks, technology security tends to be an afterthought in both small and large companies. Information technology (IT) professionals feel great pressure to maximize functionality and speed, and security controls are often credited with slowing the processes.

However, when the proper security devices and procedures are built into IT systems on the front end, they can become seamless and efficient while also providing far greater protection from hackers and other security risks.

As a certified ethical hacker and certified information systems auditor, I am trained to hack into my clients’ systems, just as an unauthorized hacker would. An ethical hacker is an individual who is employed with or by an organization and who can be trusted to undertake an attempt to break into networks and/or computer systems to discover and address vulnerabilities in corporate, governmental, and institutional information systems.

Hacking is a felony in the U.S. and most other countries. But when it is done by request and under a contract between an ethical hacker and an organization, it is legal. Ethical hackers help municipalities and other government bodies, businesses, and nonprofit organizations to become more secure.

Who’s a Hacker?

Hackers come in many forms, and their intent to harm can vary as well. So-called ‘black-hat hackers’ break into Web-interface applications to gain access to servers to steal information or vandalize systems. But malicious behavior can also come from people you know by name — for instance, disgruntled employees. These individuals can cause public-relations problems, such as defacing your Web site or getting access to credit cards and Social Security numbers.

Hackers target all types of organizations, including professional firms, private and public companies, government, and nonprofit institutions — so all need to take security precautions. The good news is that many of these precautions are neither difficult nor expensive to implement.

Common Weaknesses

Fortunately, some of the most common security weaknesses require little to no cost to address.

Using proper password complexity to secure data is a perfect example. Missing or weak passwords are considered ‘low-hanging fruit’ among hackers. Using automated brute-force attack software that attempts 150 passwords per second, a five-character password can be cracked in less than 24 hours. Default password settings in hardware can also represent an open window to hackers.

Often, the passwords associated with the hardware aren’t changed after purchase, so the manufacturer’s default password is the only protection against intrusion. For example, if your firm installs a Cisco router and the password isn’t reset, a hacker can easily infiltrate your network because manufacturers’ default passwords are available to anyone on the Internet.
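The two paragraphs above make two points: short passwords fall to exhaustive guessing, and default passwords fall to a lookup. The following Python is an added illustration, not code from the article or its author. It estimates worst-case brute-force time at the article's figure of 150 guesses per second for any password, so it generalizes the five-character case to other lengths and character mixes, and it applies a simple policy check against a constructed blocklist that stands in for a list of vendor defaults and common passwords (the blocklist contents, the policy thresholds, and the function names are assumptions).

```python
"""Password policy check and brute-force time estimate (added illustration)."""
import string

# Constructed blocklist standing in for a vendor-default / common-password list.
# A real deployment would load the vendor's documented defaults and a breach corpus.
BLOCKLIST = {"password", "admin", "123456", "letmein", "changeme"}

# Character classes used to size the keyspace a brute-force tool must search.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the smallest standard ASCII alphabet covering every character used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_seconds(password: str, guesses_per_second: float = 150.0) -> float:
    """Worst-case seconds for an exhaustive search of the password's keyspace.

    150 guesses/second is the rate quoted in the article; modern offline
    cracking is orders of magnitude faster, so treat this as an upper bound
    on how long a weak password survives, not a guarantee.
    """
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second


def check_policy(password: str, min_length: int = 12, min_classes: int = 3) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if password.lower() in BLOCKLIST:
        problems.append("matches a known default or common password")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes_used = sum(1 for cls in CLASSES if any(c in cls for c in password))
    if classes_used < min_classes:
        problems.append(f"uses {classes_used} character class(es); policy requires {min_classes}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, from the article's five-character case upward.
    for pw in ("abcde", "Ab1!e", "admin", "Correct-Horse-7Battery"):
        hours = brute_force_seconds(pw) / 3600
        print(f"{pw!r:26} keyspace={charset_size(pw)}^{len(pw)}  "
              f"worst case at 150/s: {hours:,.1f} h  violations={check_policy(pw)}")
```

Running the script reproduces the article's figure: five lowercase letters (26^5 guesses) exhaust in about 22 hours at 150 guesses per second, while the same length drawn from all four classes takes over a year at that rate, and a long passphrase is effectively out of reach. The blocklist check matters regardless of length, because a default password is found by lookup, not by search.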

Poor access controls are also a common weakness within computer networks. Creating policies and procedures to manage access to the network and specific applications is essential to network security. Many organizations fail to eliminate ‘phantom users,’ such as former employees, from their systems, leaving the door open to individuals who may wish to cause embarrassment or damage.

We encourage clients to implement user ID auditing to ensure that the right people are on the system at any given time, with the right credentials and the appropriate security access.
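As an added illustration of the user ID audit described above (not code from the article or its author), the Python below reconciles a directory export against an HR roster to surface ‘phantom users’: enabled accounts whose owner has left, accounts that have gone unused, and privileged group memberships that no current employee is accountable for. Both data sets are constructed for the example, as are the field names, the 90-day idle threshold, and the group name used to mark privileged access.

```python
"""Phantom-user audit: reconcile system accounts with the HR roster (added illustration)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                    # person the account was issued to
    enabled: bool
    last_login: Optional[date]    # None means the account has never been used
    groups: frozenset


# Constructed HR roster: people currently employed.
ACTIVE_EMPLOYEES = {"alice", "bob", "dana", "fay"}

# Constructed directory export. "carl" left the organization but was never removed.
ACCOUNTS = [
    Account("alice", "alice", True, date(2024, 5, 2), frozenset({"staff"})),
    Account("bob", "bob", True, date(2024, 4, 30), frozenset({"staff", "finance"})),
    Account("carl", "carl", True, date(2023, 11, 14), frozenset({"staff", "Domain Admins"})),
    Account("dana", "dana", True, date(2024, 5, 1), frozenset({"staff"})),
    Account("svc-backup", "carl", True, date(2024, 5, 2), frozenset({"Domain Admins"})),
    Account("ed", "ed", False, date(2022, 1, 9), frozenset({"staff"})),   # disabled: fine
    Account("fay", "fay", True, None, frozenset({"staff"})),              # issued, never used
]

PRIVILEGED_GROUPS = frozenset({"Domain Admins"})  # constructed; use your own admin groups


def find_phantom_users(accounts, active_employees):
    """Enabled accounts whose owner no longer appears on the HR roster."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.owner not in active_employees)


def find_stale_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts unused for more than max_idle_days (never-used counts as stale)."""
    stale = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.last_login is None or (as_of - a.last_login).days > max_idle_days:
            stale.append(a.username)
    return sorted(stale)


def find_unowned_privilege(accounts, active_employees, privileged_groups=PRIVILEGED_GROUPS):
    """Enabled accounts holding privileged group membership with no current owner."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.owner not in active_employees
                  and a.groups & privileged_groups)


def audit(accounts=ACCOUNTS, active_employees=ACTIVE_EMPLOYEES, as_of=date(2024, 5, 3)):
    """Run all three checks and return the findings keyed by category."""
    return {
        "phantom": find_phantom_users(accounts, active_employees),
        "stale": find_stale_accounts(accounts, as_of),
        "unowned_privilege": find_unowned_privilege(accounts, active_employees),
    }


if __name__ == "__main__":
    for category, users in audit().items():
        print(f"{category:18} {users}")
```

The service account ‘svc-backup’ is the case worth noticing: it is used daily, so an activity-only review would never flag it, yet its owner has left and it holds administrative rights. Reconciling ownership against HR, not just checking last-login dates, is what catches it.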

Trends in Hacking

Another trend in hacking should be of particular concern to smaller businesses, municipalities, and educational institutions. Hackers who want to steal information or create damage at a high-visibility target, like a major corporation, need to do so under the cloak of anonymity to avoid being caught and prosecuted.

To do that, they hack first into smaller, more vulnerable organizations and harvest that site’s credentials — IP numbers and other identifying information — and take on that identity when hacking the primary target. This represents a problem for the smaller organization because the larger company can argue that a lack of proper security allowed the fraud to be committed.

Protecting Your Virtual Assets

A vulnerability assessment is an effective way to protect your organization against hackers and malicious intruders. In a vulnerability assessment, a certified ethical hacker attempts to break into an organization’s systems and identify areas of weakness. This results in an analysis and specific recommendations for implementing security technologies, as well as policies and procedures to control and monitor access to the system.

After six months, a follow-up benchmark analysis is conducted to ensure that all recommendations were implemented and are working properly. The service offers a high return on investment, not to mention peace of mind.

Michelle D. Syc, MsAIT, CISA, CEH, a certified ethical hacker and certified information system auditor, heads the Information Technology (IT) Assurance Service Group at Kostin, Ruffkess & Co., LLC, with offices in Farmington and New London, Conn., as well as Springfield. She evaluates information systems to identify vulnerabilities and recommends solutions to mitigate security weaknesses; (860) 678-6000; [email protected]