Understanding the Need to Hack Your Own Systems - dummies

Understanding the Need to Hack Your Own Systems

By Kevin Beaver, Stuart McClure

To catch a thief, you must think like a thief. That’s the basis for ethical hacking. It’s absolutely critical to know your enemy.

The law of averages works against security. With the increased number and expanding knowledge of hackers, combined with the growing number of system vulnerabilities and other unknowns, the time will come when all computer systems are hacked or compromised in some way. Protecting your systems from the bad guys — and not just the generic vulnerabilities that everyone knows about — is absolutely critical. When you know hacker tricks, you can find out how vulnerable your systems really are.

Hacking preys on weak security practices and undisclosed vulnerabilities. Firewalls, encryption, and virtual private networks (VPNs) can create a false feeling of safety. These security systems often focus on high-level vulnerabilities, such as viruses and traffic through a firewall, without affecting how hackers work. Attacking your own systems to discover vulnerabilities is a big step toward making them more secure. This is the only proven method of greatly hardening your systems against attack. If you don’t identify weaknesses, it’s only a matter of time before the vulnerabilities are exploited.

As hackers expand their knowledge, so should you. You must think like them and work like them in order to protect your systems from them. As the ethical hacker, you must know the activities that hackers carry out and how to stop their efforts. You should know what to look for and how to use that information to thwart hackers’ efforts.

You don’t have to protect your systems from everything. You can’t. The only protection against everything is to unplug your computer systems and lock them away so no one can touch them — not even you. That’s not the best approach to information security and is certainly not good for business. What’s important is to protect your systems from known vulnerabilities and common attacks.

It’s impossible to anticipate all the possible vulnerabilities you’ll have in your systems and business processes. You certainly can’t plan for all possible attacks — especially the ones that are currently unknown. However, the more combinations you try — the more you test whole systems instead of individual units — the better your chances of discovering vulnerabilities that affect your information systems in their entirety.

Don’t take ethical hacking too far, though. It makes little sense to harden your systems against unlikely attacks. For instance, if you don’t have a lot of foot traffic in your office and no internal Web server running, you may not have as much to worry about as an Internet hosting provider would. Your overall goals as an ethical hacker should be as follows:

  • Hack your systems in a nondestructive fashion.
  • Enumerate vulnerabilities and, if necessary, prove to management that vulnerabilities exist and can be exploited.
  • Apply results to remove the vulnerabilities and better secure your systems.