The criminals are out there and if you want to protect your important data you better start thinking like a hacker
Call it cyber-espionage, cyber-crime or cyber-warfare. These are merely euphemisms for the art of hacking, and hacking will only grow as a threat in the foreseeable future. Law firms are at particular risk given the wealth of confidential client information they hold.
This is becoming a major issue for in-house legal departments' risk and compliance strategies. The old model of perimeter protection, a firewall at the edge and trust inside it, will no longer save your data, and GCs need to raise the issue with both their board and their outside law firms.
Major General Aviv Kochavi, head of Israeli Military Intelligence recently told Business Insider that hacking “will soon be revealed to be the biggest revolution in warfare, more than gunpowder and the utilization of air power in the last century.”
Although Kochavi's focus was on cyber-warfare, the techniques used by hackers working as state agents or spies are the same as those used by criminals.
A chief information officer from a major U.S. firm declined to discuss this subject at all, because he felt that even talking about it, or identifying the firm, would itself be a lapse in security.
Criminal hackers fall into a few broad categories, each with its own motivations and objectives. Black hat hackers are often drawn by the illicit profits of credit card and bank fraud. Hacktivists (such as those affiliated with Anonymous) wage distributed denial-of-service attacks against their targets for social and political purposes; in bringing attention to their cause, they inflict a kind of vigilante justice on those they disagree with. For the victim this means lost revenue while systems are down, the cost of recovery, and harder-to-measure losses from damaged business reputation.
Understanding what motivates hackers tells you what kind of person would break into your system and what they would take. Understanding how a hacker operates tells the security professional how to protect the system from attack.
In December of last year, it was revealed that former NSA contractor Edward Snowden had attended a Certified Ethical Hacker (CEH) course in India. Although CEH is widely regarded as the premier ethical hacking certification, all professional hacking courses train information security professionals to think like a hacker and to follow a hacking methodology in order to find and fix the vulnerabilities in their own systems.
Professional hackers follow a methodology to gather information and focus their attack on a target with specific goals in mind. Starting with reconnaissance, a hacker uses public sources of information and search engines to build a picture of the target, understand it and identify weaknesses. Once a solid overview of the target is in hand, the hacker scans the IP addresses discovered during reconnaissance to determine which ports are open, then probes those ports to identify the services, and the software versions, running on them.
With the services identified, the hacker looks up known vulnerabilities in those versions in sources such as NIST's National Vulnerability Database, organizes the attack vectors and launches the attack. The version string a service advertises in its banner is exactly what gets looked up, which is why an unpatched but otherwise well-configured server is still an easy target. Depending on the motivation, the hacker may leave a backdoor into the system so they can re-enter and control it at will, and may cover their tracks by removing logs and any other evidence they were there.
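The scan-then-look-up step above hides one detail that is easy to get wrong: matching a discovered version against an advisory's affected range needs a numeric comparison, not a string comparison, or "2.4.9" sorts after "2.4.20". The following is an added example, not code from this article, that takes a handful of constructed service banners, parses product and version out of each, and checks them against an equally constructed advisory list shaped like the records a feed such as NVD provides (product, first affected version, first fixed version). The product names, banners and advisory identifiers are all invented for illustration and describe no real software or vulnerability.

```python
import re

# Constructed sample data: these banners are invented for the example and
# imitate the three common banner shapes (SSH greeting, HTTP Server header,
# database handshake). Port 21 carries a banner the parser cannot classify.
SAMPLE_BANNERS = {
    21: "220 Welcome",
    22: "SSH-2.0-acmessh_7.2p2",
    80: "Server: acmehttpd/2.4.18",
    443: "Server: acmehttpd/2.4.41",
    3306: "5.7.21-acmedb",
}

# Hypothetical advisory records, invented for the example. Each covers
# versions in [affected_from, fixed_in).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "product": "acmehttpd",
     "affected_from": "2.4.0", "fixed_in": "2.4.20"},
    {"id": "EXAMPLE-0002", "product": "acmessh",
     "affected_from": "7.0", "fixed_in": "7.3"},
    {"id": "EXAMPLE-0003", "product": "acmedb",
     "affected_from": "5.7.0", "fixed_in": "5.7.10"},
]

# One pattern per banner shape; each yields named groups product and version.
BANNER_PATTERNS = [
    re.compile(r"^SSH-2\.0-(?P<product>[A-Za-z]+)[_/](?P<version>[0-9][0-9A-Za-z.]*)"),
    re.compile(r"^Server:\s*(?P<product>[A-Za-z]+)/(?P<version>[0-9][0-9A-Za-z.]*)"),
    re.compile(r"^(?P<version>[0-9][0-9A-Za-z.]*)-(?P<product>[A-Za-z]+)$"),
]


def parse_banner(banner):
    """Return (product, version) from a banner, or None if no pattern fits."""
    for pattern in BANNER_PATTERNS:
        match = pattern.match(banner.strip())
        if match:
            return match.group("product").lower(), match.group("version")
    return None


def version_key(version):
    """Turn '7.2p2' into a tuple that compares numerically component by component.

    Numeric parts become (0, number, ''), alphabetic parts (1, 0, text), so the
    tuples are always type-consistent and never raise on mixed comparisons.
    Assumption made here: a letter suffix ('p2') sorts above a plain numeric
    release with the same prefix.
    """
    key = []
    for part in re.findall(r"\d+|[A-Za-z]+", version):
        if part.isdigit():
            key.append((0, int(part), ""))
        else:
            key.append((1, 0, part.lower()))
    return tuple(key)


def is_affected(version, affected_from, fixed_in):
    """True when affected_from <= version < fixed_in, compared numerically."""
    return version_key(affected_from) <= version_key(version) < version_key(fixed_in)


def fingerprint(banners):
    """Map port -> (product, version); also return ports with unparsed banners."""
    services, unknown = {}, []
    for port, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed:
            services[port] = parsed
        else:
            unknown.append(port)
    return services, unknown


def match_advisories(services, advisories):
    """Map port -> list of advisory ids whose affected range contains the version."""
    hits = {}
    for port, (product, version) in services.items():
        ids = [a["id"] for a in advisories
               if a["product"] == product
               and is_affected(version, a["affected_from"], a["fixed_in"])]
        if ids:
            hits[port] = ids
    return hits


def attack_surface(banners, advisories):
    """Full pipeline: banners -> fingerprinted services -> matched advisories."""
    services, unknown = fingerprint(banners)
    return match_advisories(services, advisories), unknown


if __name__ == "__main__":
    hits, unknown = attack_surface(SAMPLE_BANNERS, SAMPLE_ADVISORIES)
    for port, ids in sorted(hits.items()):
        print(f"port {port}: {', '.join(ids)}")
    print("unclassified banners on ports:", unknown)
```

Two things worth noticing when you run it: port 443 runs the same product as port 80 but a fixed version, so only port 80 is flagged, and port 21 is reported as unclassified rather than silently dropped, because a banner the tooling cannot parse is still a service an attacker will probe by hand.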
Like hackers, IT staff can be an odd bunch. They often view the systems under their management with a reverence and respect they rarely extend to the end user. As hackers are here to stay, organizations need to stay on top of the latest attacks, vulnerabilities and exploits in order to keep the attacks at bay.
IT departments cannot mitigate every cyber threat. But if IT staff are taught to look at their systems not from a position of ego but as vulnerable targets, and are actually made to attack them using the same reconnaissance, scanning and vulnerability look-up a hacker would, they are empowered to fix the issues before a hacker forces the issue by taking the system from them.