Ever since Black Hat USA wrapped up last week, I’ve been thinking about the irony of attendees going into heightened security mode during the conference itself – like never connecting to open Wi-Fi or encrypting all information stored on your laptop – then likely slipping back into a more lax mode throughout the rest of the year.
You see we’re on guard at events like Black Hat and DEF CON, ready to be pwned at any moment by mischievous hackers. So while these conferences do a great job reminding us of the many emerging methods of hacking – and counteractively, securing – computers, electronics and connected devices, they only come once a year.
But, what if we all acted like Black Hat attendees year-round? Or perhaps more crucially, what if your company acted like a Black Hat attendee every single day, always remaining hyper-vigilant about the latest risks and prepared to mitigate criminal hacks?
Fresh from this year’s Black Hat briefings, here are six ways to make every day a Black Hat day:
1. Set strong physical security. Having a fully-patched laptop protected by a firewall and a 15-character password does you very little good if someone can walk off with it. If you don’t have physical control of your box, you don’t actually have control of your box.
The same goes for your data closets, racked servers, and networking equipment. All it takes is a few minutes in the data center to gain a lot of control over physical systems. And, I’ve personally been part of physical security and penetration tests where I’ve walked right into a data closet, plugged into a switch and gotten an IP address.
Bottom line: Control and track physical access to your equipment. Always lock doors and log access to resources, so people have to sign in and out of sensitive environments. It’s not rocket science, but it’s easy to overlook physical security when you’re focused on locking down your data.
2. Know your network connections. The “art of social engineering” has gained a lot of traction in the InfoSec community. Hackers understand that if they can get people to tell them what they want to know, either directly or indirectly, they don’t even need to steal information.
That principle applies to your network, too. You must know what connections your network is making and exactly why data is leaving or entering.
I used to work with a network admin who visually inspected his data closet every day. If he saw an unfamiliar cable, he’d cut it then and there. That seemed pretty extreme at the time, but much less bizarre today. He knew everything that was supposed to be plugged in and where it was supposed to go. And if it didn’t belong, he got rid of it.
Bottom line: Shut down unused ports on switches. Establish a baseline for your network in terms of data flow – where data is going, how much data is flowing, peak traffic periods, etc. When you know what normal activity looks like, you can more readily identify suspect or malicious behavior.
3. Check your sources. Users today are basically trained to ignore pop-up warnings and advisories, and instead just blindly click through those annoying dialog boxes to reach their final destinations. They do so when accepting EULAs (end-user license agreements) and terms of service, as well as when visiting websites. There are literally hundreds of web-based attacks founded on that behavior.
That means that instead of reacting with suspicion when their browser warns them of an invalid security certificate, most users simply click through to the website – and often get hacked in the process.
Bottom line: Educate your users. Let them know that such warnings are designed to secure them, not irritate them. Encourage them to confirm they’ve landed at the right site, and the URL they typed is the URL they meant to type. Make sure your SSL implementations are right. Use an SSL checker to check your SSL trust chains.
4. Plan ahead and prepare. Security pros don’t question if they’ll get hacked; they question what will get hacked and when. You’re in a fight and in a fight, you’re going to get hit. And once you know that, you won’t be stunned into inaction when it happens. You’ll be able to hit back. So expect to get hacked, prepare for it and hit back when it happens.
Bottom line: Be sure that you know where all of your valuable data is, that it’s well protected, and that you’ll know if somebody is doing something with it that they shouldn’t. Know your baselines and have a good way to read your logs. SIEM (security information and event management) tools can give you real-time analysis of security alerts triggered by aberrant behavior associated with network hardware and applications.
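The baseline idea behind points 2 and 4 (know what normal data flow looks like, then spot what deviates) is easy to sketch in code. The example below is added here and is not from the original post; the flow records, host names, addresses and the 3-sigma threshold are all constructed for illustration, and a real deployment would feed it flow or SIEM exports instead.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline records: (day, src_host, dst_ip, dst_port, bytes_out)
BASELINE_FLOWS = [
    (1, "ws-01", "10.0.0.5", 445, 120_000),
    (1, "ws-01", "203.0.113.9", 443, 300_000),
    (2, "ws-01", "10.0.0.5", 445, 110_000),
    (2, "ws-01", "203.0.113.9", 443, 320_000),
    (3, "ws-01", "10.0.0.5", 445, 130_000),
    (3, "ws-01", "203.0.113.9", 443, 290_000),
]

# Constructed "today": normal file-server traffic, then a large transfer
# to a destination and port that never appeared in the baseline.
TODAY_FLOWS = [
    (4, "ws-01", "10.0.0.5", 445, 125_000),
    (4, "ws-01", "198.51.100.7", 22, 4_000_000),
]


def build_baseline(flows):
    """Per host: the (dst, port) pairs seen and mean/stdev of daily bytes out."""
    per_day = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    known = defaultdict(set)                          # host -> {(dst, port)}
    for day, host, dst, port, nbytes in flows:
        per_day[host][day] += nbytes
        known[host].add((dst, port))
    stats = {}
    for host, days in per_day.items():
        totals = list(days.values())
        stats[host] = (mean(totals), pstdev(totals))
    return known, stats


def find_deviations(baseline, flows, sigma=3.0):
    """Flag never-seen destinations and hosts whose volume exceeds mean + sigma*sd.

    A host absent from the baseline has stats (0, 0), so every destination and
    any traffic at all is flagged: an unknown box talking is itself worth a look.
    """
    known, stats = baseline
    findings = []
    today = defaultdict(int)
    for day, host, dst, port, nbytes in flows:
        today[host] += nbytes
        if (dst, port) not in known.get(host, set()):
            findings.append(("new_destination", host, f"{dst}:{port}"))
    for host, total in today.items():
        avg, sd = stats.get(host, (0.0, 0.0))
        if total > avg + sigma * sd:
            findings.append(("volume_spike", host, total))
    return findings
```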
5. Build your team. When your network gets hacked – and it will get hacked eventually – your security team must respond immediately and decisively. When it comes down to a breach, you need to know exactly who to turn to, who is the right resource for the task at hand.
Bottom line: Know your team’s operational capabilities. If you require skills that lie outside of the security team, look for them in the rest of the IT department and arrange for security partners to support you during breach events.
6. Learn from your mistakes. Okay, so you’ve been hacked and remediated the breach. Now what? It’s time for an after-action review. Gather everyone involved in the remediation and discuss what worked, what didn’t, how things could be done better next time, and what controls should be implemented to prevent the breach from happening again.
Bottom line: Get the right people involved in the review, including senior or upper management. Make it clear you want to fix problems, not point fingers. And make sure you actually conduct the review after the incident is contained and controlled – not in the middle of remediation.
Erich Diener has worked in information security for the better part of 12 years. What originally started as an “additional duty” in his work as an intelligence analyst for the U.S. Army, quickly became both a full-time job and full-time hobby. Today he is senior security architect at Echopass Corp., which serves many of the world’s largest Fortune 500 companies. He also consults with law firms, health care organizations, schools, and most recently, the U.S. Department of Defense as an IASO/ISSO.