Today I run my own IT security business, and most of my erstwhile hacking buddies have well-paid jobs in the IT industry. But some hackers don`t change. Some of our brethren play for higher stakes, like the Iranian hacker who recently compromised some 40 million credit card accounts. What distinguishes malicious hackers from others who change their ways is not the subject of this article, but the fact remains that some grow up to make a living out of exploiting security weaknesses.
Hackers begin by wanting to know everything about computers, and once they have a thorough understanding of its working they look for flaws in the operating system or applications.
Their methods for attacking networks range from taking advantage of simple administration mistakes through to custom-designed exploits.
There are two types of hackers; the first kind is `script kiddies` who don`t know exactly what they are doing, and just run code that others have written to gain access to a server. Secondly there are expert hackers who write their own code to exploit machines and, because of their high level of expertise, are able to exploit vulnerabilities before anyone else knows about them. And you won`t always find evidence of their work.
Evidence lacking
Hacking is an ongoing phenomenon that companies can be unaware of despite its prevalence. Stealing credit card numbers online happens daily - hackers find and exploit weaknesses in web sites that support credit card transactions.
Major companies may not be vulnerable through their own networks but through those of subsidiaries or partners that are not up to speed in their security measures.
For example, in the recent credit card attack, Visa and MasterCard International accounts were compromised through an attack on a third party that was linked to their systems.
Hackers can target branches of access where the data is stored, which can be easier to hack into. The lesson here is that company security extends beyond the firewall; to be secure you must ensure that your partners are secure too.
Recipe for security success
At the same time, you have to realise that no one can guarantee 100% security.
The best way to protect your systems is to get regular vulnerability assessments, do application level testing and set up managed security services. Security is not a once-off thing; it`s a process that needs to be monitored on an ongoing basis.
Companies need a monthly service that checks their networks for specific problem areas and tells them how to fix them. They should run various levels of testing, ranging from single application auditing through to full attack and penetration testing for corporate networks.
In my experience, common flaws include administration mistakes, not updating software, incorrect firewall rules, dial-in numbers that are not efficiently secured and increased use of wireless networks that are not protected in any way whatsoever.
The future looks bleak from a security point of view unless people become more aware of these ongoing problems and actively address them.
There is a huge reliance on IT systems in the corporate sector and today`s more sophisticated hackers are learning the new technology and how to exploit it successfully. Remember: hackers want to learn systems inside out; they crave an understanding of how everything works because it`s a challenge for them.
The confidential data on your network can be an open book for those who know what to look for and how to go about it and the only way to protect your systems is to remain alert at all times.
|
Post a comment
|
Login.
Business Best Practise
