Why is Hacking So Prevalent?
by Matt James
I’ve spent years being paid to break into networks, systems, and devices; been hired to evaluate infrastructure to implement defenses to keep hackers out; and managed large, complex risk management programs to bring it all together. Want to know the secret to the multi-billion-dollar industry that forms this cat-and-mouse game? I call it The Four Ps: Patching, Permissions, People, and Physical access.
The media would have you believe that the electronic world of the information superhighway is one rife with debauchery and despair; one where a single misstep could spell your demise. Well, they’re somewhat right, but not for the reasons you may think.
The world of technical exploitation and hacking is relatively straightforward. In the rush to get products and services to the market, lapses in quality control and review are often overlooked. This is the breeding ground where vulnerabilities flourish—all of which fall under one of the Four Ps I’ve described above.
All things considered, there is plenty to be worried about out there. Don’t make it more complicated than it needs to be.
Patching
Patching, or patch management, includes processes for applying fixes to software and systems after an issue has been identified. Not all patches are security related, but most of the time they include fixes that would prevent a hacker from taking advantage and getting a foothold. Pretty simple, right?
Most technology firms expend a lot of time and effort making sure their products are secure. When they push out an update, you should most definitely apply it. But be sure you verify it is legitimate first. You don’t want to fall prey to a hoax that leads you to believe it is a required action (see People below).
Permissions
In computer-nerd speak, permissions relate to the amount of access and authority you grant to an account on a computer or device. When you log into your iPhone, computer, or even smartwatch, you are performing actions you have permission to complete. You may not always see it, but you are doing so under the premise of an account. When permissions are too permissive (meaning the account can perform a lot of different things), you open yourself up to a world of hurt should a hacker find a way to take over your account. Permissions should be set so that you can do just the things you need to do under normal conditions. For special circumstances, you can have a more powerful account, one that has more protections around it, but one you may not use too often.
People
Social engineering is the king of exploitation because of its low barrier to entry and its ease of use against unsuspecting targets. People are the weakest part of any information system or computer. If you can exploit a person, you can get access to any device they have. Think you’re too smart to fall for it? Ransomware thrives off of people clicking links, downloading malicious software, and having it installed. It’s so potent of a vector that I’ve been able to get people to give me their VPN token over the phone. I have some awesome stories. Also, want some insight into what the Russians did during the 2016 election?
Physical Access
This one is tough. If a hacker has physical access to your computer, it’s not a matter of if, but rather when. Having your hard disk encrypted and not having your computer run 24/7 will significantly reduce the risks associated with it.
Has your organization performed a full-scope vulnerability assessment by a trusted, independent third party? I’m always looking to assist. Please don’t hesitate to reach out and strike up a conversation. Worst case, you get some neat stories. firstname.lastname@example.org
This first appeared in The Havok Journal March 25, 2019.
Matt James (CISSP, CISM, CPT, CEH, CNDA) has more than 15 years of experience in cyber security and information technology. He has led and performed numerous red-team activities against public and private sector entities, to include major Fortune 500 corporations and federal agencies. Medically retired from the Army after injuries sustained during combat operations, Matt resides in the Washington, D.C. area where he is the Director of Cybersecurity and Risk Management for ID.me.