By Nick Merritt, Vice President of Security Products and Services, Halo Security
Business leaders are confronted with headlines every day that detail how sophisticated hackers have become. Their methods are evolving and they’re scanning for vulnerabilities within 15 minutes of disclosure.
Organizations have to get just as smart and just as fast on defense. In many cases, this requires changing the approach. Bringing a hacker’s perspective to the modern organization can help safeguard its most valuable data.
Traditional vulnerability management approaches miss key issues because they typically work inside-out, and looking from within the network distorts what you see. The more effective approach is working outside-in through external testing.
Here’s the technical nuance that many organizations overlook: Where you’re testing from matters.
If you’re testing your system from within your infrastructure, the packets you send pass through your own access controls rather than the perimeter an outside attacker faces. It’s a common, simple oversight with enormous impact. It skews your results and affects every type of security testing, from searching for active services to evaluating web application firewalls.
Even if you’re physically outside the office, you’re creating the same issue if you use a corporate VPN as you test. Testing from within the network doesn’t allow you to see the services or resources that are open to the internet. This is a fundamental part of testing, and a glaring flaw for organizations that don’t work with third parties for external testing.
The Payment Card Industry Data Security Standard (PCI DSS) actually requires quarterly external vulnerability scans by an approved scanning vendor. Trying to do this from within the network you’re testing is like wearing blinders: you can’t identify external attack vectors that way.
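Two checks that follow from the vantage-point point above, as an added example that is not the author’s or Halo Security’s code: first, whether the scanner’s egress address sits inside the organization’s own ranges (office LAN or VPN exit), which makes the scan internal regardless of where the operator sits; second, a diff of open services seen from the inside versus the outside. The address ranges, hostnames and scan lines are constructed.

```python
import ipaddress

# Constructed assumptions: the organization's address space, covering the
# office LAN and the public egress range a corporate VPN exits from.
ORG_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

def is_internal_vantage(scanner_egress_ip, org_ranges=ORG_RANGES):
    """True when the scanner's egress address falls inside the org's own
    ranges: the traffic goes through the org's access controls, so the
    scan is internal even if the operator is working from home over VPN."""
    ip = ipaddress.ip_address(scanner_egress_ip)
    return any(ip in net for net in org_ranges)

def parse_scan(text):
    """Parse constructed scan lines of the form 'host port/proto state'
    into a set of (host, 'port/proto') pairs for open services only."""
    services = set()
    for line in text.strip().splitlines():
        host, port, state = line.split()
        if state == "open":
            services.add((host, port))
    return services

def exposure_diff(internal_scan, external_scan):
    """Compare open services seen from the two vantage points. Services in
    'internal_only' are reachable inside but filtered at the edge, so they
    are not internet-facing findings; 'external_only' ones were invisible
    to the inside-out scan and are exactly what an outside attacker sees."""
    inside, outside = parse_scan(internal_scan), parse_scan(external_scan)
    return {
        "internal_only": sorted(inside - outside),
        "external_only": sorted(outside - inside),
        "both": sorted(inside & outside),
    }

# Constructed sample results for the same hosts from both vantages.
INTERNAL = """
www.example.com 443/tcp open
www.example.com 22/tcp open
db.example.com 5432/tcp open
legacy.example.com 8080/tcp closed
"""
EXTERNAL = """
www.example.com 443/tcp open
www.example.com 22/tcp filtered
db.example.com 5432/tcp filtered
legacy.example.com 8080/tcp open
"""

if __name__ == "__main__":
    print(exposure_diff(INTERNAL, EXTERNAL))
```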
Hackers, on the other hand, are very good at identifying them. Let’s dig deeper on why their perspective is so valuable — to the point where some hackers (ethical ones, of course) are brought into security operations — and how you can use that mentality to shore up your perimeter.
View from the other side of the fence
Security engineers identify the assets most critical to an organization and put tools in place to safeguard them and uncover the risks associated with them.
A hacker’s perspective is far different. It typically starts with a broad view to find the entryway with the least resistance. Once a hacker finds an asset that’s been left unprotected — one that the organization isn’t paying attention to and isn’t deemed particularly valuable — they’ll start moving around the network, chaining more entryways together until they can get to the crown jewels.
Some hackers-turned-pentesters are video gamers who figured out how to cheat the game and build tools to give themselves an advantage, which means they have a mind that reverse engineers what a developer was trying to do. The motivation is often just to see if they can pull it off, not to hurt or take advantage of anyone.
This fresh perspective is so attractive that organizations are actively pursuing reformed hackers to better understand their attack surface, identify where they have vulnerabilities, and ultimately reverse engineer tighter security for their crown jewels. Even the U.S. Department of Defense has invited white-hat hackers to harden its security systems.
This perspective is one a security practitioner rarely has due to inherent bias. When you work for an organization, you become invested in that company and the people you work with. It’s painful for a security engineer to find flaws in the co-workers they’ve connected with and be responsible for identifying their weaknesses. And it’s embarrassing for the co-worker to have their mistakes called out in front of business leaders.
As painful as it may be, it’s important to identify those vulnerabilities using the hacker’s perspective so you avoid the biases and start closing the doors that are left open.
How to think outside-in
The first step in adopting a hacker’s perspective is to do reconnaissance from the outside, because that’s how a hacker would see your network. Find what assets you have, understand how they’re connected to your infrastructure, and look for the weakest links.
Let’s say there’s a bank vault with three doors and inside are 1,000 safe deposit boxes with weak locks. The bank may be thinking about protecting 1,000 boxes, but the hacker knows once they get past one of the three doors they’ll pull off the heist.
Security practitioners are overwhelmed by the number of issues they’re trying to solve (like 1,000 poorly protected devices), which is important, but they’re missing the bigger picture that a hacker always sees.
If you have an independent perspective that points out which vault doors you’re leaving open (anything exposed to the internet gives the most access to the most people), which together make up your first layer of security, you have a better chance of keeping the hacker from breaching your network in the first place.
About the Author
Nick Merritt is the Vice President of Security Products and Services at Halo Security. He is an elite penetration tester who leads product direction and penetration testing services for Halo Security. He brings more than 15 years of experience in application and network security testing to the company. He has been publicly credited for his contributions to the responsible disclosure of zero-day vulnerabilities in mainstream software, including Microsoft’s. Prior to joining Halo Security, Merritt was an integral member at OneLogin and White Hat Security and served as Security Manager at McAfee. Nick can be reached through Halo Security’s Twitter: https://mobile.twitter.com/halohackers and through Halo Security’s website http://halsosecurity.com