
To Protect Your Company, Think Like A Thief

Put yourself in the hacker’s shoes

Aleksandr Yampolskiy

New York City, N.Y. – Oct. 7, 2021

Ransomware, hacks, and data breaches all represent a threat to your business. To stay ahead of those who plan to do you harm, you can’t just think like a defender — you need to think like a cyberthief. Once you understand how thieves identify and infiltrate their targets, you can take more effective steps to stop them. Like any criminal endeavor, the easier you make it for the criminal, the more likely you are to be robbed.

Know What Attackers Are Looking For

Like burglars, cyberthieves start by canvassing the (metaphorical) neighborhood to identify easy targets. Some homes might be poorly lit, while others might have guard dogs lurking outside. Clearly, having the digital equivalent of a guard dog makes you a less attractive target. Next, attackers will look for ways to exploit any security weaknesses they may have found. There are at least four commonly abused paths into your network: unpatched software, weak application security, lax network security, and poor vendor security.

Unpatched and actively exploited software vulnerabilities deliver a veritable open door to thieves. And if the front door to your house is left unlocked, don’t be surprised if a burglar uses it to enter. All software has bugs, of course, but some software has bugs in its network components or libraries that allow savvy digital criminals to gain unauthorized access to systems and applications. Even major companies often have extremely vulnerable systems running on their networks, some of which have been exposed for years to potentially compromising attacks. Surprisingly, many companies aren’t even aware of all of their internet-facing software and systems.

Weak application security is another notorious and easily exploited entry point, the best-known examples of which are SQL injection attacks. Here, an attacker abuses any search, input, or feedback forms on your website or web application to inject SQL code and make unauthorized data retrievals, configuration alterations, or deletions. This type of attack relies on poor application and database security controls. It has been a popular attack tactic for many years, which explains why it is number one on the OWASP Top 10 list.
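The weak pattern and its fix side by side, as an added example (not code from the original article); the `products` table, the function names and the search term are constructed for illustration, using Python's built-in `sqlite3` module.

```python
import sqlite3

def make_db():
    """Build an in-memory catalogue (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("blue widget", 1), ("red widget", 1), ("unreleased gadget", 0)],
    )
    return conn

def search_vulnerable(conn, term):
    # Weak form: form input is pasted into the SQL text, so a quote in
    # `term` ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM products WHERE published = 1 "
           f"AND name LIKE '%{term}%' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]

def search_hardened(conn, term):
    # Hardened form: the SQL text is constant and the input is bound as a
    # parameter, so it is only ever treated as data. LIKE wildcards in the
    # input are escaped so they match literally.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE ? ESCAPE '\\' ORDER BY name")
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]

# Constructed input of the kind a search form might receive.
HOSTILE_TERM = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("normal search     :", search_hardened(db, "widget"))
    print("vulnerable, hostile:", search_vulnerable(db, HOSTILE_TERM))
    print("hardened, hostile  :", search_hardened(db, HOSTILE_TERM))
```

With the hostile term, the concatenated query returns the unpublished row that the `published = 1` filter was meant to hide, while the parameterized query treats the same text as a literal search string.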

Lax network security means having unprotected databases exposed to the internet. This could be due to open remote access ports like telnet and RDP, misconfigured SSL certificates without revocation URLs, or vulnerable Internet-of-Things (IoT) devices that would be better placed behind a firewall or VPN. The attacks here range from data theft to eavesdropping, and can include stealing credit card numbers and other sensitive data.

Given that many companies share data and business workflows with their vendors and even have set up network links and federated trust for authentication, vendor security is often the weakest link in the security chain. Countless thieves have broken into vendors’ networks and used their access to further compromise the networks of that vendor’s partners and customers. One high-profile example was the 2013 Target data breach, in which bad actors broke in through Target’s HVAC vendor’s network, gained access to the Target point-of-sale network, installed a $2,000 piece of card-skimming software and stole Target’s customers’ credit card numbers, debit card numbers, and corresponding PIN codes. Eight years later, these types of attacks are still happening — and still succeeding. The recent Kaseya incident involved thousands of customer organizations being compromised due to poor security on the part of Kaseya’s MSP software.

A Continuous Approach to Security

Thinking like a thief is more than just attacking weak security technology. There’s a people side to thievery, too. Attackers will choose the most strategic time for their attacks, like the metaphorical “thief in the night.” Obviously, the early hours of the morning are attractive, since there are fewer people around and response times are generally slower, but public holidays are even better. What better time to hack a U.S. system than during the Fourth of July, or a French system during Bastille Day, or an Irish system on St. Patrick’s Day? Are you ready to respond to a Christmas Day attack?

To protect your company, you need a layered approach to security that takes a lesson from policing and even accounting: process is your friend. Standards like SOC2 and ISO 27001 provide a great framework for establishing a good security defense posture.

Conducting an audit is a good starting point. What internet-facing assets do you have? What software applications and open-source libraries are you running? Are they the latest stable and secure versions? Is your software stack vulnerable to SQL injection risks? Are your vendors handling your data securely? These are not one-time questions — they need to be asked and answered continuously. Because audits provide only a point-in-time snapshot, annual or semi-annual audits will never be enough. Simply put, cybercriminals don’t care about your audit cycle.

Physical security relies on people as much as tools — after all, there is no point having CCTV if no one is watching it. Of course, thieves will probably attack when it’s least convenient for you, which means it is important to practice incident response, even responding to attacks that take place on public holidays. Attackers won’t make things easy for you, so it’s important not to make things easy for them, either.

Put Yourself in the Attacker’s Shoes

Cybercriminals are dynamic, clever and opportunistic. They’ll rob you via your weakest links. To protect your company, you need to think like a thief and identify all the ways an attacker might target and exploit your network infrastructure — and that of your vendors. Security is about tools, people, and processes. Protecting your network requires observability, repeatability, depth of protections, and flexibility — and a thorough understanding of the way your enemy thinks.

– Aleksandr Yampolskiy is co-founder and CEO at SecurityScorecard, the leading security rating platform.

Sponsored by SecurityScorecard

SecurityScorecard is the global leader in cybersecurity ratings and the only service with over two million companies continuously rated. Our mission is to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees, and vendors.