Problem solve Get help with specific problems with your technologies, process and projects.

How to stop hacker theft: Employee awareness, risk assessment policies

In the first of a six-part primer on thinking like a hacker, security managers are encouraged to examine publicly available information and discarded data.

Think for a moment about the possibility of your company's infrastructure being in the crosshairs of a serious malicious hacker. How valuable would information about your infrastructure be? Do you really know how much sensitive information is publicly accessible or easily obtainable with a little creativity? How can you stop hacker theft of this information?

The first step in any serious hacker's attack is reconnaissance on a target. Let's look at a few of the more common techniques and learn how to stop hacker theft.

Often there will be a surprising amount of sensitive information about your company sitting on the Web, waiting for someone to stumble upon it. Have you ever searched IT forums for your domain name? Try it! All too often, technical employees will post questions or answers to public forums, mentioning specific equipment in use at the company, and they'll use their work email address! Ouch! Obviously, they aren't thinking about the "black hat" who would love to find out what type of firewall or server you own without having to touch your network.

To avoid this scenario, enforce an employee awareness training program and risk assessment policies that require enterprise users to use a non-work email address to post any information to a public forum. Make sure employees know that the company's name should never be used in such postings. They'll still get their questions answered, but your infrastructure details won't be posted for the world to see.

Another place hackers go for information about your technical staff are online databases of IP address and website registrants. There are actually four databases, each containing this type of information for various parts of the world. Checkout the Whois section of, and see if your company's domain name lists the name, email, or phone number of your technical staff. Ideally, you should provide generic information in these fields to prevent a hacker from assuming the identity of such staff to coerce your users into divulging their passwords or other sensitive information.

One man's trash is another man's treasure … literally! Dumpster diving is an old, dirty but still fruitful information-gathering technique by which an attacker peruses your trash, looking for Social Security numbers, phone numbers, userIDs, IP addresses and passwords. A employee awareness training program should be diligently enforced, showing employees how to properly destroy media containing any information that could be used for the wrong reason. You may think this is unnecessary, but I encourage you to audit the contents of a trash can near one of your network printers, especially in an IT area. Would you be comfortable handing over the findings to a hacker?

About the author
Vernon Habersetzer, president of security seminar and consulting company, has many years of in-the-trenches security experience in healthcare and retail environments.


  Introduction: Hacker attack tactics
  How to stop hacker theft
  Hacker system fingerprinting, probing
  Using network intrusion detection tools
  Avoid physical security threats
  Authentication system security weaknesses
  Improve your access request process
  Social engineering hacker attack tactics
  Secure remote access points
  Securing your Web sever
  Wireless security basics
  How to tell if you've been hacked

This was last published in January 2005

Dig Deeper on Data security strategies and governance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.