Why You Need to Think Like a Hacker to Keep Your Network Safe

You may not have the resources to employ an army of white-hat hackers to stress test your security infrastructure; most organizations don’t. However, you want to make sure that the resources you do have are used in the most effective way.

It’s smart to invest in security products and spend time developing your capabilities. Cybercrime is more prevalent than ever, and modern attackers have no shortage of methods to choose from. Too often, though, organizations spend heavily on security systems that can detect and prevent the most sophisticated attacks but fail to address basic security best practices. That mistake can prove costly.

How much so?

Consider the story of Roman Seleznev. As one of the most prolific credit card data thieves in history, Seleznev defrauded thousands of financial institutions, to the tune of nearly $170 million. He didn’t do it with the most advanced cyber weapons ever created. He simply chose easy, lucrative targets; he took the path of least resistance.

If you put your hacker mindset hat on, you might see some surprising basic vulnerabilities as well.

The Allure of Low-Hanging Fruit

It’s often said that software engineers and developers are lazy: They build programs to accomplish tasks that they’d rather not do manually. In the same sense, most professional hackers don’t want to work hard to steal data. They’d rather go after the most vulnerable targets.

Rather than focusing on the advanced security capabilities you don’t have, think about how most hackers will actually try to access your network. Sophisticated software and hardware solutions are nice, but if your password security is loose, or your employees don’t utilize VPNs when traveling or don’t follow other straightforward security best practices, those solutions can’t protect you.

Likewise, you may invest in the most expensive security product on the market, but if you don’t go through the process of configuring and maintaining that environment, or you don’t follow the correct protocol for keeping it up-to-date, you make yourself vulnerable.

Modern security professionals love discussing the complexities of advanced persistent threats, but there’s a reason hackers still favor tried-and-true tactics like SQL injection and email phishing. Oftentimes, cybercriminals will notice an apparent crack in an organization’s security and simply see where it takes them. Usually, they’ll discover a dead end, but sometimes they’ll stumble upon something valuable.

CISOs and other security leaders should start with the basics when evaluating their own security posture in order to ensure that would-be hackers have to work hard to steal data.

1. Start with a strategy. Most organizations rely on cloud-based network solutions and view cloud security as a sort of monolithic concept. The reality is that there are nuances in the way infrastructure-as-a-service, software-as-a-service, and platform-as-a-service solutions operate and each requires a distinct way of thinking about security. Someone within your organization should own your security strategy, and that strategy should be based on the cloud model(s) you’re using.

2. Know what your data is worth. Each of the various systems you use captures different kinds of data. It’s up to you to accurately assess the value of all that data and to develop a clear, objective data-governance plan. This plan should account for everything from compliance requirements to shareholder obligations and should identify where information is stored, who has access to it, and how. Data inventory and classification is often a major undertaking, but if you don’t know what you have, you don’t know what you have to lose.

3. Implement and evolve. Security is more than a checklist or a one-time implementation. Cyber threats are constantly evolving, and your security posture should be evolving, too. Know who your users are among your workforce and how their needs may change, and articulate responsibilities in terms that they understand based on the systems and tools they have access to.

When you talk with your team about security, share or create examples that evoke visceral responses from users. Threat modeling should typically revolve around the most common and plausible use cases. Show examples of how hackers have accessed data in the past (there are plenty to choose from), so that employees more aware of their current habits, and how those might be putting the organization at risk. If you have a team of people who constantly think like hackers, you’ll have a network that most hackers will avoid targeting.

Views: 435

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

FireCompass

Forum

CISO as an enabler

Started by Maheshkumar Vagadiya Jul 30. 0 Replies

Share the instances where you were able to convince the Executive management /board that CISO function is enabler rather then a hindrance.Thanks youMaheshContinue

Has Anyone Evaluated Digital Signature (like Docusign)?

Started by CISO Platform. Last reply by SACHIN BP SHETTY Apr 24. 1 Reply

(question posted on behalf of a CISO member)Has anyone evaluated digital signature (like Docusign), any specific risk/ security areas to be looked into while finalising a vendor? Any and all inputs will be very much appreciated.Continue

What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?

Started by CISO Platform. Last reply by ANAND SHRIMALI May 20. 4 Replies

(question posted on behalf of a CISO member)What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?Related Question: …Continue

[Please Suggest] Corona Virus: Security advisory for work from home

Started by CISO Platform. Last reply by Bhushan Deo Mar 20. 12 Replies

(question posted on behalf of a CISO member)Due to CORONA virus most of the organizations are allowing their employees to work form home.Has any one issued security advisory for work from home ?Continue

Tags: #COVID19

Follow us

Contact Us

Email: contact@cisoplatform.com

Mobile: +91 99002 62585

InfoSec Media Private Limited,First Floor,# 48,Dr DV Gundappa Road, Basavanagudi,Bangalore,Karnataka - 560004

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service