Cyber Security: Thinking like a Hacker
Since March, with COVID-19 making remote work an absolute must and the security breach scandal at Twitter, we have wanted to write about the Cyber Security topic.
Actually, this broad topic, called Cyber Security, Internet Security, or Information Security, has been on the front burner for a long time.
For a while now, research firms such as Gartner, Forrester, and McKinsey have positioned Cyber Security as one of the five most essential subjects in the trend reports they prepare for the next 5 to 10 years.
Granted, we know that big research companies exaggerate some topics (like 3D printing or blockchain) and often dramatize their visions to steer the market. But this time their foresight is very realistic, because in practice, out in the field, Cyber Security is an important agenda item.
One of the main reasons is that software, which used to have static and monolithic structures, has moved to the microservice world, and with that move the security issues have multiplied.
Right now, in microservices, “Key Management” and “Session Management” are very problematic subjects. Though helpful solutions like HashiCorp Vault have arisen, a great deal of microservice software still at the alpha level continues to run in the live systems we use every day.
So, What to do?
Although there is countless high-technology advice on the internet, much of it vendors advertising their own products, finding a real and feasible road map to Cyber Security is challenging.
Unfortunately, we as IT managers sometimes weigh parameters we should not weigh and try to act as “fixers.” As a result, we end up with decisions like these:
“Let us use Check Point,” “Let’s have a firewall everywhere,” “Give access with 2FA and VPN, and if we apply antivirus and updates to those devices the problem is solved,” “All users connect from the office, no need for a VPN,” “We only do sales on the web; our ERP system data are not on the web.”
I will be honest; in the past, I have also said those sentences.
But what is right for everyone is this: if there is a compromise to be made on security, that decision should belong to the board of management.
The IT professional’s job is not to help the company economize through constant self-sacrifice but to generate an effective, sustainable, and agile Cyber Security Policy.
For that, we have prepared a Security File, which I believe serves as a pathfinder.
In the articles we will post this week and next, we will cover the security principles, strategies, and experiences that are sustainable and make a difference, instead of relaying the complicated material given in ITIL, ISACA, and ISC training. We will also share a template for a Cyber Security Document.
Establishing the Correct Security Policy
If you want to go through the proper channels for Cyber Security, you should not start applying recommendations you heard from others at once just because you think “everyone does that.”
Security is a serious job, and without a security policy specific to your organization, you cannot succeed.
The five strategies below will be a pathfinder for creating a successful security policy. Next week we will talk about other strategies and applicable practices.
1. Put yourself in the shoes of cyber attackers (Think like a hacker)
While you are designing security, you should always think in reverse and put yourself in the position of the cyber attackers. In this way, you can find out which points are easily attacked and better understand what you need in order to prevent those attacks.
Let’s say you want to steal someone’s data and demand a ransom to release it. The first step of your scenario would be to identify the target group that has weak security.
Like a bicycle thief, focus on the bicycle with the weakest, easiest-to-crack lock, because what holds for bikes holds 100% for IT infrastructure.
While working through the list of weak targets, instead of trying to hack them one by one, the attacker makes himself anonymous and then uses an automated script to leap from server to server.
This process happens in this order:
- Finding devices on the internet to use as “zombies” with the script (the attacker never attacks from his own device)
- The previously prepared “weak IP” list is scanned from the zombie machines, the weak servers are infiltrated, and they are connected back to the zombies.
- Groups of scripts are prepared for the work to be done on the zombies: database encryption (ransomware) or bitcoin mining scripts.
If you want to test this fact, make one of your servers accessible on the internet with the password 123 and wait three days. You will certainly see an anonymous attack.
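To see the automated attacks described above rather than just trusting that they happened, read the exposed server’s SSH auth log and count failed logins per source address. This is an added example, not code from the article; the log lines are constructed in OpenSSH syslog format, and the failure threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (not captured from a real server).
SAMPLE_AUTH_LOG = """\
Jul 12 03:14:07 srv1 sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 12 03:14:09 srv1 sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jul 12 03:14:11 srv1 sshd[2005]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jul 12 03:14:12 srv1 sshd[2007]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jul 12 03:14:15 srv1 sshd[2009]: Accepted password for root from 203.0.113.5 port 51250 ssh2
Jul 12 03:20:02 srv1 sshd[2042]: Failed password for ayse from 198.51.100.7 port 40010 ssh2
Jul 12 03:20:30 srv1 sshd[2044]: Accepted publickey for ayse from 198.51.100.7 port 40012 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")

def analyze_auth_log(text, threshold=3):
    """Summarise login activity per source IP.
    An IP with `threshold` or more failures is flagged as automated guessing;
    a successful login from an already-flagged IP is reported as a probable
    compromise (the guessing worked). `threshold` is an assumed tuning value."""
    failures = defaultdict(int)
    usernames = defaultdict(set)
    compromised = set()
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m and failures.get(m.group(2), 0) >= threshold:
            compromised.add(m.group(2))
    flagged = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {
        "flagged": flagged,
        "compromised": sorted(compromised),
        "usernames": {ip: sorted(u) for ip, u in usernames.items()},
    }

if __name__ == "__main__":
    for key, value in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

The spread of usernames tried from one address (root, admin, test) is the signature of the scripted scan the article describes, as opposed to one user mistyping a password.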
2. Security Documents and Short Security Training
Above we said that you should put yourself in the position of cyber attackers. Let me give you a piece of information that many of you may know, and those who don’t may find very interesting:
“In Turkey, if you need to guess any four-digit password, thinking in reverse, the date of the conquest of Istanbul (1453) will substantially lead you to success.”
Yes, in Turkey, one of the most used passwords is 1453. You can restrict the passwords used in your company as much as the software allows. However, if the system does not allow such restrictions, 1453 will be used as a password for sure.
The way to prevent this is to make your Cyber Security Policy independent of the system. It is best to create a “Constant Training and Awareness” environment for Cyber Security in your organization.
Before you connect a newly hired employee to the system, preparing a written document that covers passwords, security, and at least the panels they should not use will significantly increase your protection against the negative situations that may occur.
In the security document, you can explain this with simple examples, such as: “Do not select these as a password: 0000, 1453, 1234, 11.., 22.., 99.., 00..” You can also mention forbidden passwords such as “qaz.”
Besides that, it would be essential, and intimidating, to state that an access vulnerability resulting from the use of these forbidden passwords will lead to termination of the contract.
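Where the software does allow restrictions, the article’s forbidden list can be enforced at password-change time instead of relying on the document alone. This is an added example, not from the article: the blocked values are the article’s own (0000, 1453, 1234, repeated digits, qaz), while “qwerty”, the minimum length, and the substring rule (rejecting 1453 inside a longer password) are assumptions that go beyond the article’s plain list.

```python
import re

# Blocked values from the article's list: 0000, 1453, 1234, 11.., 22.., 99.., 00.., "qaz".
# "qwerty" is added as a keyboard walk of the same kind (assumption, not from the article).
FORBIDDEN_TOKENS = ("1453", "qaz", "qwerty")
REPEATED_CHAR = re.compile(r"(.)\1+")      # 0000, 1111, 9999..., also aaaa
DIGIT_RUNS = ("0123", "1234", "2345", "3456", "4567", "5678", "6789")  # checked both ways

def check_password(password, min_len=10):
    """Return the list of policy violations; an empty list means the password passes.
    A forbidden token is rejected even inside a longer password ("Istanbul1453!"),
    which is stricter than the article's plain list; min_len is an assumed value."""
    reasons = []
    low = password.lower()
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if REPEATED_CHAR.fullmatch(low):
        reasons.append("single repeated character")
    if low.isdigit():
        reasons.append("digits only")
    for token in FORBIDDEN_TOKENS:
        if token in low:
            reasons.append(f"contains forbidden sequence '{token}'")
    if any(run in low or run[::-1] in low for run in DIGIT_RUNS):
        reasons.append("contains an ascending or descending digit run")
    return reasons

if __name__ == "__main__":
    # Constructed candidates, including the article's Turkish favourite.
    for candidate in ("1453", "0000000000", "Istanbul1453!", "Summer4321pass", "correct horse battery"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```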
For your Cyber Security Policy to stay within the sustainability principle and have continuity, you should repeat the security training at specific intervals in your company.
You should also prepare a Main Security Document alongside the short security document. We will share our draft security document in our second article.
The document in which you explain your whole security policy in detail should include the security training that will be given to newly hired employees.
On the internet, there are platforms that give certifications for online security training. You can use one of those platforms.
The important thing is to make your employees attend these courses at specific intervals and keep their knowledge updated.
3. Get the Executives’ Support
Before anything else, all establishments, small or big, should put their Cyber Security Policies in writing and get the executives’ support.
To get support from executives, definitely use this question:
“If we cannot issue an invoice and our company cannot operate for three days, how much money do we lose?”
In this way, you present how much the company would lose financially in case of a problem, and you get the expected support more quickly.
Executive support will remind everyone that the executives representing the organization, not you, are responsible for the security policy you generate. Having the support of all stakeholders for the decisions you take makes everyone feel responsible at the end of the day when there is a problem.
I should point something out here: talk to the executives after you have the final cut of the security policy. If you create the document by including everyone, you will have a perpetual project, but here you should be agile.
When you ask a question, other people will always have an idea; however, you are responsible for the master security document, do not forget that.
4. Hire a CSO (Cyber Security Officer)
Middle- or large-scale establishments in particular need a CSO (Cyber Security Officer), a professional with that title who works mainly on this subject.
The person hired for security will work to keep the company in the most secure position possible, because in case of a security breach, or of any questioning of decisions taken within the company in terms of security criteria, he will be counted as having failed.
5. Make sure your solutions follow the principle of sustainability
For this, you should continuously review your solutions. Update your security policies, solutions, and security principles at specific intervals by following worldwide developments.
We mentioned this in our Sustainability article. Create a structure in which sustainability and the stakeholders share your entire setup, and everyone is responsible.
Do not say that the people who work in Accounting and Finance have no right to speak, and do not forget that they can also cause “data leakage.”
It is also vital to consider what former employees can do when they want to harm their old company. All verbal passwords given to the security alarm company and the primary password of your office’s alarm need to be updated continuously.
In our next article, we will talk about remote working, isolation, social engineering, and some technical precautions related to Cyber Security that should not be forgotten.
Finally, we will share a draft of the security documentation.