Let’s face it, curiosity often gets the best of us. The urge to click on a file folder, such as the one named ‘Finance’, to log in to an application we are not authorized to use, or simply to poke around the network in discovery mode is hard to resist. Almost daily we hear about hacking stories and wonder how they did it. As it turns out, tapping into this curiosity could be a great way to bolster an organization’s security posture and understand its ability to withstand attacks.
Typically, most organizations leave security to the IT security professionals. Organizations hire firms to conduct penetration tests to assess security technologies, processes and their readiness for attack detection and response. Is there an unpatched server on the network that is running a critical business function, or does the helpdesk give out credentials inappropriately when called?
Almost always, these pen tests identify some kind of risk or exposure. Additionally, organizations can use outside services or products to conduct vulnerability scanning. This is intended to find the holes before an attacker is able to make their way into the network. Both approaches have benefits and can help bolster security defenses.
Put on Your Black Hat
But what if, instead of just looking externally and hiring outsiders to do some of these security assessments, an organization were able to turn their internal employees – or at least some of them – loose to become a black-hat wearing, cyber version of James Bond?
Empower your own insiders to engage in exploratory mischief to find the holes and vulnerabilities in your network and security program. Imagine the value that an insider could provide from their security testing activities. For one, insiders understand the business and know where the ‘good stuff’ is located. They see it daily, but now they are empowered to click and attack.
Also, insiders are familiar with your defenses and policies, and can work around or abuse them in the same ways an attacker would once inside, creating havoc on your network and the data you are trying to protect. And while they may not normally attempt these activities, an immunity or amnesty program will allow them to help the organization find the holes and gaps.
A Combined Approach
As part of the ‘attack yourself’ exercise, organizations can complement the people aspect with additional tools or software to help uncover weaknesses. These tools take companies beyond scanning for known software vulnerabilities to actively identifying weaknesses, using techniques such as fuzzing, in which unexpected and deliberately malformed inputs are fed to a device in an attempt to make it fail or to allow an attack to succeed.
In addition, these tools can simulate real-world applications and attacks to test what the network can withstand beyond the human onslaught.
Could taking advantage of these tools actually help improve your defenses before the attackers find a hole? Could this exercise of hacking yourself actually make organizations more accountable and possibly expose the true strength of network security?
A retailer who passes a PCI DSS audit, for example, may believe they are secure enough to meet compliance requirements and therefore protected. But have they really done a thorough security assessment?
If an organization truly puts on the black hat, tries to breach its own systems, and succeeds, the result may be more work in the near term. In the end, however, its network will be truly more secure, its understanding of its own security will improve, and it will have identified concrete opportunities for improvement.
About the Author
Fred Kost is vice president of security solutions at Ixia and is responsible for managing the company’s security and applications portfolio. He has over 15 years’ experience in the information security field and speaks frequently on the subject. He has also held leadership positions with companies such as Cisco, Symantec, nCircle, Blue Lane Technologies and Recourse Technologies.