We’ve all heard the term, “Put yourself in another person’s shoes” or “Walk a mile in their shoes.” Most often, these phrases are used to engender understanding and empathy.
In the case of hackers and cyber-attackers, the exact opposite is true. By thinking like a hacker, and by transporting yourself onto the other side of the keyboard, nonprofit and association IT professionals seek understanding to create walls and barriers.
In order to protect your organization’s data, you need to think like an attacker. This might sound difficult, but the exercise is extremely useful in identifying IT vulnerabilities.
So, how does one start thinking like a cyber-villain?
Think About Value
Turn the tables. Don’t think about what’s most important to your organization (though that should always be a consideration), consider what might be most valuable to a hacker. These might not always be one in the same.
What would be most valuable to a hacker looking to flip stolen information for a profit? If the attacker is ideological rather than cash-driven, what data might they go after? Depending upon the nature of your association, the treasure a cyber-attacker seeks will vary.
The key here is to identify the top targets for hackers, understand the pathways to this information, reach out to a consultant to assess your security in place and fill gaps as soon as possible.
Understand the Hacker Mindset
Hackers are driven by various motivations be they monetary or political or otherwise. However, a common trait among hackers is the intense satisfaction that comes with solving the puzzle and “breaking in” without being noticed.
To better combat hackers, IT security consultants study and learn similarities among their approaches. Most skilled hackers don’t attack an IT system on multiple fronts all at once.
They don’t do carpet bombing attacks.
More than likely, they’ll poke and prod around systems, seeking vulnerabilities to exploit. Remember, the goal is to “break in” without being noticed and to stay in for as long as possible, subtly siphoning valuable information from your system.
Okay, then, so how does this help an IT lead at an association improve security?
By knowing their typical mode of operation, you change your stance: instead of waiting for the red lights to flash and a major event to occur, assume that the hacker is already inside. Instead of waiting for huge red flags, know your system well-enough to identify less obvious probing and prodding.
Always be on the hunt instead of reactionary.
Hacker-Humanity and the Human Gateway
While we tend to think of hackers as anti-social brainiacs operating in dark warehouses, the most skilled cyber-attackers use their social and communication skills to probe human vulnerabilities.
Think email phishing and forged emails. Even telephones.
The point: by thinking like a hacker, you must consider both technological vulnerabilities and human shortcomings and mistakes. While human error letting a hacker in the front door can’t always be avoided, having clearly communicated IT security policies and ongoing training for current and new employees can certainly make it more difficult for even the best hackers.
Remember, hackers often use strong social and communication skills to get in and then use technical skill and tenacity to stay hidden within your infrastructure.
Know Your Footprint
There’s a reason large corporations with big IT budgets hire hackers to combat hackers. In the case of your organization, where having a hacker on the payroll is likely not possible, you and your team need to become the hacker or contract a vendor to be your hacker.
Hackers seeking entry into your infrastructure will footprint, or map, your entire system and all publicly available information about your organization online, including social media, google searches, job boards, etc. Footprinting, while focused on understanding your IT network to uncover vulnerabilities, is also about trying to find information and access points across your organization’s entire digital footprint.
To combat hackers, you need to understand your footprint better than they do. If you have limited resources, focus just on your network; if you have a wider team, divide and conquer, mapping out as much of your association's digital framework as possible.
Know your footprint to catch subtle changes in your network’s behaviors and to identify vulnerabilities before a hacker does.
To counteract hackers, and improve your cyber-security performance, put on your hoodie and start thinking and acting like a hacker.
It’s the first line of defence and very often the most effective one.
Join ATS security expert, Chris Schoenwetter and the NY Society of Association Executives on October 25th at 12pm ET for a webinar to learn the latest methods attackers are using, and uncover the new ways they may be preying on the vulnerabilities in your network.