Think for a moment about the possibility of your company's infrastructure being in the crosshairs of a serious malicious hacker. How valuable would information about your infrastructure be? Do you really know how much sensitive information is publicly accessible or easily obtainable with a little creativity? How can you stop hacker theft of this information?
The first step in any serious hacker's attack is reconnaissance on a target. Let's look at a few of the more common techniques and learn how to stop hacker theft.
Often there will be a surprising amount of sensitive information about your company sitting on the Web, waiting for someone to stumble upon it. Have you ever searched IT forums for your domain name? Try it! All too often, technical employees will post questions or answers to public forums, mentioning specific equipment in use at the company, and they'll use their work email address! Ouch! Obviously, they aren't thinking about the "black hat" who would love to find out what type of firewall or server you own without having to touch your network.
To avoid this scenario, enforce an employee awareness training program and risk assessment policies that require enterprise users to use a non-work email address to post any information to a public forum. Make sure employees know that the company's name should never be used in such postings. They'll still get their questions answered, but your infrastructure details won't be posted for the world to see.
Another place hackers go for information about your technical staff are online databases of IP address and website registrants. There are actually four databases, each containing this type of information for various parts of the world. Checkout the Whois section of ARIN.net, and see if your company's domain name lists the name, email, or phone number of your technical staff. Ideally, you should provide generic information in these fields to prevent a hacker from assuming the identity of such staff to coerce your users into divulging their passwords or other sensitive information.
One man's trash is another man's treasure … literally! Dumpster diving is an old, dirty but still fruitful information-gathering technique by which an attacker peruses your trash, looking for Social Security numbers, phone numbers, userIDs, IP addresses and passwords. A employee awareness training program should be diligently enforced, showing employees how to properly destroy media containing any information that could be used for the wrong reason. You may think this is unnecessary, but I encourage you to audit the contents of a trash can near one of your network printers, especially in an IT area. Would you be comfortable handing over the findings to a hacker?
About the author
Vernon Habersetzer, president of security seminar and consulting company i.e.security, has many years of in-the-trenches security experience in healthcare and retail environments.
HACKER ATTACK TECHNIQUES AND TACTICS
Introduction: Hacker attack tactics
How to stop hacker theft
Hacker system fingerprinting, probing
Using network intrusion detection tools
Avoid physical security threats
Authentication system security weaknesses
Improve your access request process
Social engineering hacker attack tactics
Secure remote access points
Securing your Web sever
Wireless security basics
How to tell if you've been hacked