The old adage "Information is power" is truer than ever in the corporate world. Even the release of very general information about a company (for example, an upcoming merger between company A and company B) can have a profound impact on it: if confidential information about a proposed merger is leaked to the press or to other companies, the merger could be in jeopardy. In today's corporate environment, these basic principles can have a dramatic effect on the security of the organization. Developers who implement security measures must be mindful not only of the complex security techniques but also of the basic, commonsense concepts that apply to any discussion of confidentiality and security.
Protecting resources from the hacker
In today's corporate world, it is important to know what we are protecting and from whom we are protecting it. The corporate world no longer revolves around written information as the medium of documentation; it revolves around digital information. Spies no longer wear trench coats and exchange information in dark alleys. Nowadays, spies are more often than not sitting in front of a computer screen. This new type of spy is called a hacker. He is trained in technology and willing to use it for a price. The hacker personality takes many forms and spans a wide range. Today's hacker profiles include:
- A disgruntled employee who releases viruses into the system before he quits his job.
- A teenager who uses the high school's computer to hack into an organization that somebody told him about in church.
Hackers no longer belong to a club that meets in the basement of a home. They are people who belong to newsgroups. The hacker has evolved over time from the computer amateur to the computer professional, and now practices social engineering. To the hacker, the target is an organization's Information Technology (IT) department, and the IT department should be ready for, and expecting, such attacks.
Hack attacks: different scenarios
Many company resources need protection from hack attacks, including e-mail messages, network addresses, lists of employees, and confidential documents describing technology. Any of these items may lead to other items that a hacker can use for intrusion. For example, a person's e-mail could contain a personal note along with the user's name. This personal information can be reused to try to guess the person's password; for instance, the password may be a pet's name, a favorite sports team, and the like. In another example, the user (or a hacker who knows the username) may go to a site that offers a 'send me my password' option for users who have forgotten their password. If the attacker can impersonate an SMTP server and the user's e-mail address, the attacker can receive e-mails addressed to the user. E-mail messages that deliver passwords are sometimes sent in the clear and can be sniffed in transit.
Another means of attack is when the hacker sends an e-mail posing as the IT department and requests that the person install a new software patch in his computer. Once the person installs the patch, the computer is no longer secure - the attacker owns it. Like spies, the best hackers are those who are never caught and never heard of. They don't have a "hacker" license plate or an "I hack for a living" t-shirt. Appearance-wise, they blend in with their targets. The best hackers look like the people working in the IT department of an organization. They may even walk into the company carrying a fake badge and wearing a company shirt, and use a conference room just as if they worked there.
A common attack employed by hackers is the call-in approach: A hacker may impersonate an IT technician calling a salesperson, especially one offsite, and say that he needs to remotely install some software. If the salesperson believes the hacker, then the hacker can easily install any harmful software he wants. Another type of call-in is the hacker impersonating a salesperson to the IT technician, where the hacker tells the IT technician that his or her password is no longer working and the IT technician walks the hacker through logging on to the salesperson's machine.
Weapons against attack
The two most important weapons a company has against hackers, spies, and attacks are:
- Adequate security training for staff
- A secure infrastructure in place that allows the organization to adequately meet potential threats
The better IT professionals understand hackers, security measures, and potential attacks, the better prepared they are to handle threats. Even a simple attack can do great damage if the IT professional is not prepared to handle it.
There have been many instances where organizations were hacked but were never aware of it until it was too late. An organization should work hard to ensure that its information and resources are protected, because it is the resources and information that make the organization. A recurrent problem I have observed through the years across companies and organizations is confidential information received by one person (director, vice president, and so on) not being secured. In order for information to be secure, each individual within the organization needs to understand what needs protection and how to protect it. To understand how information can be secured, you need to understand the security principles that form the foundation (or "pillars") of security.