How to Improve Security by Thinking Like a Hacker

Don't Believe Vendors Security Assurances

"Our technology is really secure!" said every vendor ever. Meanwhile, these same vendors have probably released over a dozen critical security patches this year. The ugly truth is that all major operating systems have serious security flaws, even when 'fully patched.' So never rely on a single vendor's assurances of security.

Implement multiple layers of security, so if one layer is compromised, you still have some degree of protection.

Your Employees Are a Major Security Weakness

They're too trusting. They click on dodgy links in emails from strangers. They install software without checking whether it's safe. They use the same password on dozens of web sites, assuming that their favourite passwords will never be leaked. They assume that any available WiFi hotspot is safe to use and that no-one outside of the Government would spy on their Internet traffic.

What can you do to minimise the damage caused by these naïve users? Scan inbound email traffic to filter out virus-laden attachments and some phishing emails. Force users to select passwords that are slightly more complex than normal. Make them change those passwords regularly. If you give them remote access to your corporate systems via untrusted networks, deploy a VPN so your confidential data is encrypted.

Security 'Overkill' Can Be Counterproductive

People write impossibly-long-and-overly-complex-ever-changing-passwords on post-it notes. If you overly restrict who can access your network remotely, employees who need info to do their jobs will export your data through insecure channels (emailing it to themselves, copying to USB sticks, syncing it to the cloud using dropbox etc).

There are good responses to these work-arounds: outbound email filtering to stop data leakage, end-point control, locking down desktops so only IT administrators can install new applications etc. You need these protections, otherwise your security crack-downs will have a host of unintended consequences.

Patch Your Systems Regularly

This doesn't stop your operating systems & applications having serious security holes, but it fills in the better known holes, increasing the level of skill required to successfully attack you.

Monitor Your Servers

Often compromised Internet-facing systems will see a spike to CPU usage, unusual login patterns or unexpected error messages in log files. Keep an eye out for these things. They'll alert you to many a problem.

Use Virtualisation to Keep Different Services Separate

Don't put an email server, a web server and a CRM server on the same operating system installation. Put them in separate virtual machines, so if one installation is compromised, the other services are unaffected.

This approach doesn't just help security. It also improves the reliability of your server apps by stopping one application from dragging down the performance of everything else on the same server.

Encryption Is Your Friend

If you issue your staff with laptops, make sure hard disk encryption is enabled by default. If your employees connect to your systems remotely, make sure they use a VPN to counter packet snipping. Don't use FTP to transfer files, use SFTP instead. If you must store highly confidential data, encrypt it if possible. Your databases should never store passwords in plaintext (Salt them and hash them instead).

Be a Software Minimalist

The more software you have running, the more software security holes you have that can be exploited. So uninstall software that's not needed. Change user privileges so only your IT team can install new software. Pick 'approved applications' rather than allowing a software free-for-all. For example, there's no reason for your organisation to allow staff to pick their own web browser.

Do your staff REALLY need Java and Adobe Flash in their web browsers? Probably not. So get rid of them. Both have a worrying record of creating security holes.

When it comes to your servers, shut off every service that isn't needed.

Don't Forget 'The Enemy Within'

Many of your firm's current employees will leave to work for competitors. A small minority may be tempted to take customer data and trade secrets with them. You should take steps to counter this.

Restrict file permissions so users can only see files that are appropriate to their department, role and seniority.

Make sure the IT department is one of the first to know about staff departures, so departing users' accounts can be locked down and remote-access can be terminated.

Place restrictions on who can install desktop applications so it's hard for users to install backdoors and file syncing tools.

Outbound email filtering can help stop confidential data escaping via email. And outbound email logging/archiving services can prove that data has been stolen – so you can take appropriate action to prevent misuse.

Denial of Service' Attacks Are a Growing Threat

Hackers don't have to penetrate your systems in order to cause you problems. They just have to flood your Internet-facing servers with traffic, knocking them offline.

For small scale attacks, a physical firewall can provide protection. But for larger attacks you may need something more robust. Even if your firewall could handle an infinite amount of traffic, the link between your servers and the Internet couldn't.

The solution is get network-level protection against DoS attacks. DoS mitigation services are able to filter large volumes of malicious traffic (many Gigabits per second of it) allowing the genuine traffic to flow to you unaffected.

No-one Is Secure

Almost no functioning organisation is truly secure. Not even the NSA or GCHQ manage to be truly secure. Just ask Edward Snowdon.

So your REAL task isn't to deliver perfect security. It's to make things secure enough that hackers choose to pick on an easier target.

By implementing the security measures covered in this article, you'll be on your way to keeping your organisation's data safe.