Ten Deadly Mistakes to Avoid When You Hack Your Business
Several deadly mistakes can wreak havoc on your ethical hacking outcomes and even your career. Don’t fall victim! Here are some potential pitfalls that you need to be keenly aware of.
Not getting prior approval
Getting documented approval in advance, such as an e-mail, an internal memo, or a formal contract for your ethical hacking efforts — whether it’s from management or from your client — is an absolute must. It’s your Get Out of Jail Free card.
Allow no exceptions here — especially when you’re doing work for clients: Make sure you get a signed copy of this document for your files and for your lawyer.
Assuming that you can find all vulnerabilities during your tests
So many security vulnerabilities exist — known and unknown — that you won’t find them all during your testing. Don’t make any guarantees that you’ll find all the security vulnerabilities in a system. You’ll be starting something that you can’t finish.
If you have a solid grounding in probability and statistics, you can express what you expect to find as a confidence interval. That is an honest statement of coverage, which is far better than an implied promise of completeness.
Stick to the following tenets:
Use good tools.
Get to know your systems and practice honing your techniques.
Assuming that you can eliminate all security vulnerabilities
When it comes to computers, 100 percent, ironclad security is not attainable. You can’t possibly prevent all security vulnerabilities, but you’ll do fine if you uncover the low-hanging fruit and accomplish these tasks:
Follow solid practices.
Patch and harden your systems.
Apply reasonable (cost-justified) security countermeasures.
It’s also important to remember that you’ll have unplanned costs. You may find lots of security problems and will need the budget to plug the holes. Otherwise, you’ve cleared the due diligence hurdle by finding the problems but now have a due care problem on your hands, because you know about the weaknesses and haven’t fixed them. This is why you need to approach information security from a risk perspective and have all the right people on board from the start.
Performing tests only once
Ethical hacking is a snapshot of your overall state of security. New threats and vulnerabilities surface continually, so you must perform these tests periodically and consistently to make sure you keep up with the latest security defenses for your systems. Develop both short- and long-term plans for carrying out your security tests over the next few months and next few years.
Thinking that you know it all
Even though some in the field of IT would beg to differ, no one working with computers or information security knows it all. Keeping up with all the software versions, hardware models, and emerging technologies, not to mention the associated security threats and vulnerabilities, is impossible. True information security professionals know their limitations — that is, what they don’t know. However, they do know where to get answers.
Running your tests without looking at things from a hacker’s viewpoint
Think about how a malicious outsider or rogue insider can attack your network and computers. Get a fresh perspective and try to think outside the proverbial box.
Study criminal and hacker behaviors and common hack attacks so you know what to test for. There is continual blogging about this subject at Kevin Beaver’s Security Blog. Trade magazines such as Hakin9 and 2600 are good resources as well.
Not testing the right systems
Focus on the systems and operations that matter most. You can hack away all day at a standalone desktop running MS-DOS from a 5 1/4-inch floppy disk with no network card and no hard drive, but does that do any good? Probably not. Even so, you never know: your biggest risks might sit on the seemingly least critical system. Focus on what’s urgent and important, but don’t write a system off as irrelevant until you’ve actually looked at it.
Not using the right tools
Without the right tools for the task, getting anything done without driving yourself nuts is impossible. Buy commercial tools when you can — they’re usually worth every penny. No security tool does it all, though.
Building your toolbox and getting to know your tools well will save you gobs of effort, and you’ll impress others with your results.
Pounding production systems at the wrong time
One of the best ways to tick off your manager or lose your customer’s trust is to run hack attacks against production systems when everyone is using them. Test at the wrong time and expect that critical systems may go down at the absolute worst moment.
Make sure you know the best time to perform your testing, and agree on it in advance. It might be in the middle of the night, which is itself a reason to invest in security tools and supporting utilities that can schedule and automate ethical hacking tasks rather than having someone run them by hand at 3 a.m.
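As an added example that is not part of the original article: a small pre-flight wrapper that ties together the points made above on getting prior approval, testing only the right (in-scope) systems and testing at the right time. It refuses to launch a scan unless a documented authorization record is still valid, every target falls inside the authorized scope and the clock is inside an agreed testing window (including windows that cross midnight). The record format, its field names, the sample JSON and the nmap command line are all assumptions constructed for this illustration, not anything the article or Kevin Beaver prescribes.

```python
"""Pre-flight guardrail for an authorized security test (added example).

Before any scan runs, refuse unless (1) a written authorization record
exists and is still valid, (2) every target is inside the authorized scope
and (3) the current time is inside an agreed testing window. The record
format, field names and sample data below are assumptions for illustration.
"""
import ipaddress
import json
from datetime import date, datetime, time

# Constructed sample record, e.g. the key terms of a signed statement of work
# exported to JSON. Field names are hypothetical.
AUTHORIZATION_JSON = """
{
  "client": "Example Corp",
  "approved_by": "CIO, signed SOW dated 2024-03-01",
  "valid_from": "2024-03-04",
  "valid_to": "2024-03-29",
  "scope": ["10.20.0.0/16", "203.0.113.10/32"],
  "windows": [
    {"days": [0, 1, 2, 3, 4], "start": "22:00", "end": "06:00"},
    {"days": [5, 6], "start": "00:00", "end": "23:59"}
  ]
}
"""


def load_authorization(raw: str) -> dict:
    """Parse the record and turn dates, times and networks into objects."""
    rec = json.loads(raw)
    rec["valid_from"] = date.fromisoformat(rec["valid_from"])
    rec["valid_to"] = date.fromisoformat(rec["valid_to"])
    rec["scope"] = [ipaddress.ip_network(n) for n in rec["scope"]]
    for w in rec["windows"]:
        w["start"] = time.fromisoformat(w["start"])
        w["end"] = time.fromisoformat(w["end"])
    return rec


def in_window(now: datetime, window: dict) -> bool:
    """True if `now` falls in the window; handles windows crossing midnight."""
    t = now.time()
    start, end = window["start"], window["end"]
    if start <= end:  # same-day window, e.g. 00:00-23:59 on weekends
        return now.weekday() in window["days"] and start <= t <= end
    # Crosses midnight: the evening part belongs to today's weekday, the
    # early-morning part to the previous weekday (Mon 22:00 -> Tue 06:00).
    if t >= start:
        return now.weekday() in window["days"]
    prev_day = (now.weekday() - 1) % 7
    return t <= end and prev_day in window["days"]


def preflight(auth: dict, targets: list, now: datetime) -> list:
    """Return the reasons the test must NOT run (an empty list means go)."""
    problems = []
    if not (auth["valid_from"] <= now.date() <= auth["valid_to"]):
        problems.append(f"authorization not valid on {now.date()}")
    for tgt in targets:
        addr = ipaddress.ip_address(tgt)
        if not any(addr in net for net in auth["scope"]):
            problems.append(f"{tgt} is outside the authorized scope")
    if not any(in_window(now, w) for w in auth["windows"]):
        problems.append(f"{now:%Y-%m-%d %H:%M} is outside the agreed testing window")
    return problems


def preflight_from_iso(targets: list, when_iso: str, raw: str = AUTHORIZATION_JSON) -> list:
    """Convenience wrapper: same check, with the time given as an ISO string."""
    return preflight(load_authorization(raw), targets, datetime.fromisoformat(when_iso))


def scan_command(targets: list) -> list:
    """Build (but do not run) the scanner invocation the wrapper would launch.
    nmap and its flags are a generic placeholder; substitute your own tool."""
    return ["nmap", "-sS", "-p-", "-oA", "scan", *targets]


if __name__ == "__main__":
    targets = ["10.20.5.17", "203.0.113.10"]
    when = "2024-03-12T23:30"  # a Tuesday night, inside the weekday window
    issues = preflight_from_iso(targets, when)
    if issues:
        print("REFUSING TO SCAN:", *issues, sep="\n  ")
    else:
        print("authorized; would run:", " ".join(scan_command(targets)))
```

Run it as-is to see the go/no-go decision, then put your real scanner call behind the empty-issues branch and keep the JSON record next to the signed approval it was transcribed from. The point of the wrapper is not cleverness: it makes the approval, the scope and the maintenance window machine-checked facts instead of things someone remembers at 3 a.m.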
Outsourcing testing and not staying involved
Outsourcing is great, but you must stay involved throughout the entire process. Don’t hand over the reins of your security testing to a third-party individual or a cloud services provider without following up and staying on top of what’s taking place.
You won’t be doing your manager or customers a favor by staying out of the third-party vendors’ hair. Get in their hair. (But not like a piece of chewing gum — that just makes everything more difficult.) Ask for vulnerability scan reports, formal security assessment reports, and anything else they’re doing that demonstrates that they take security seriously.