The Best Way to Fend Off Attackers: Think Like a Hacker
David Ting is the Founder and Chief Technology Officer of Imprivata
The recent spate of high-profile security breaches across the healthcare industry has revealed a shift in how attackers are accessing and pilfering patient records and other sensitive information. Most healthcare organization leaders I speak with have taken steps to reinforce their perimeter defenses with firewalls, intrusion detection, deep packet inspection, and other strategies. The hole in their defensive strategy, however, is that perimeter walls are no longer the focus of attacks. Instead, the gatekeepers are the newest targets, and they're being attacked with gusto.
Phishing attacks have evolved into spear phishing attacks, and many hackers have morphed into digital snipers who are able to accurately pinpoint, and exploit, the weakest areas in your network's defenses. To defend your organization from attack, it is now necessary to think like a hacker: find, observe, and engineer your weakest points so that they serve your purposes rather than the attacker's. Here are a number of hacker-inspired steps you can take to identify, understand, and change your organization's security weaknesses:
1. Identify your key vulnerability
In healthcare, the biggest vulnerability in your network is often your average user: a user who authenticates into your network many times each day with a password which, if compromised, could expose your entire network. Average users are your organization's gatekeepers, but they're also prime targets for a spear phishing attack. Through social engineering, hackers successfully target individual employees and trick them into divulging their passwords through fake login screens, duplicitous upgrade packages, or 'innocuous' emails that appear to come from co-workers or system administrators. If the right user is duped, the attacker can gain access to your entire system, compromising PHI, your intellectual property, and your financial security in the process.
2. Observe and study your key vulnerability
Hackers perform meticulous research before they pounce on their prey. They can observe users' digital behaviors for weeks before identifying the most promising avenue for a successful social engineering attack. Similarly, to defend against vulnerable user behaviors, it's important to understand what causes those vulnerabilities:
- Do your users recycle their passwords?
- Do your users log in so often that they automatically provide their credentials without a second thought?
- Do your users have knowledge of phishing or spear phishing techniques, or are they aware of the warning signs of suspicious emails or websites?
- Do your users bring their own devices to work, and are they using those devices securely?
- Do your users keep their passwords on sticky notes or in unencrypted Word files?
- Do your users follow best practices when opening email and responding to login requests?
- Do your users leave shared workstations unattended, without logging out? Or, do they share their login information with their team members?
One of the easiest ways to answer these questions is to perform internal penetration tests that measure your users' password behaviors. If you engineer a simulated phishing attack, how many of your users click through and provide their login credentials? Several CIOs and CISOs I have talked to who have carried out their own internal phishing simulations find something close to a 30 percent success rate, which is scarily high. Anything more than zero cracks a system's security wide open: it takes only one successful attack to undermine an entire system's defenses.
3. Engineer the vulnerability to suit your purposes
Once you identify your key vulnerabilities, consider patching them by social or technological means. Instead of exploiting the vulnerabilities, as a hacker would, you defend them: engineer your system so that each vulnerability is diminished or eradicated by changing employee behaviors through targeted technology and educational methods that tackle the heart of your organization's security problems.
- If a lack of understanding of phishing, spear phishing, or social engineering tactics is at the heart of your users' vulnerabilities, consider introducing an internal communications strategy to educate your workforce and combat their lack of knowledge about attackers' techniques.
- If passwords are the biggest pain point (and vulnerability) in your organization's security defenses, consider automating them with a password management tool.
- If repetitive logins cause lax password behaviors, consider migrating away from passwords in favor of other forms of authentication, such as fingerprint biometrics, proximity cards, hard or soft tokens, or a single sign-on solution.
- If shared workstations are causing password frustration, password sharing, or other workflow problems that impact security, consider migrating to a virtual desktop environment.
- If BYOD is wreaking havoc with password privacy and in-network security, consider offering secure messaging or token functionalities for your BYOD users.
Regardless of which patches or solutions you implement, the simple exercise of putting on a hacker's hat while tackling your organization's security issues will make you a more effective and successful security leader.
Why? Because the best leaders never fail to identify, consider, and protect their weakest links.