Written by Reut Hackmon, Chief Security Advisor at Cybrella.io Israel
Hacking is simply manipulating an administrative or technological procedure, finding a loophole in it, and exploiting it so that it behaves differently for your own benefit. While that may sound simple, successful hackers exhibit creative ways of thinking and acting. To be able to defend your organization, you have to learn your attackers’ thoughts and techniques, and aspire to become even better than them. By doing so, you can become a “white-hat hacker” who “hacks for protection” on behalf of your organization.
I am sure that you have experienced the following at least once in your life. Once you know something perfectly well, you get an idea of how to change its behavior in an unacceptable way by manipulating a small step along the way. This is the way of the hacker.
That’s why learning the very minor details of a target is crucial, and might be the most important phase when targeting a system, product or procedure. The learning phase will include thorough information gathering regarding any aspect of the system:
• Technologies: types, versions, vendors
• Steps and requirements
• Input handling and resulting responses
• Human involvement
• Business concerns of the administrator/organization
More questions and issues will come to mind depending on the target system. They all must be thoroughly explored to extinguish any doubt. Asking the right questions, and being creative in generating those questions, is part of the hacker’s way of thinking “outside the box.”
In light of that, the very first defense for any organization (and even any individual) is to minimize the information that might be accessible to others. That’s why security advisors debug organizations for minor exposures that seem harmless, such as the server header in a server response. Security specialists know that it’s the little things that motivate an attacker to build massive attacks that can cause a lot of damage.
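As an added illustration (not part of the original article), the following check audits your own server responses for headers that expose technology and version details. The list of headers audited and both sample responses are constructed assumptions for this example.

```python
import re
from email.parser import Parser  # HTTP header lines use the same "Name: value" syntax

# Response headers that commonly reveal product names and versions (assumed audit list).
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

# Matches "product/1.2.3" tokens, or a bare dotted version with three or more parts.
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.\-]*/\d+(?:\.\d+)*|\b\d+\.\d+(?:\.\d+)+\b")

def audit_response(raw_response: str) -> list:
    """Return one finding per response header that exposes technology details."""
    # Keep only the status line and headers; the body is not inspected.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status_line, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    findings = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get_all(name, []):
            tokens = VERSION_TOKEN.findall(value)
            findings.append({
                "header": name,
                "value": value,
                # An exact version is the more useful detail to an attacker.
                "severity": "version-disclosed" if tokens else "product-disclosed",
                "tokens": tokens,
            })
    return findings

# Constructed sample: a default configuration that announces exact versions.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: the same response after the headers were reduced.
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for finding in audit_response(sample):
            print(label, finding["severity"], finding["header"], finding["value"])
```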
Motivated attackers don’t accept no for an answer. They probably have the financial and other resources necessary to penetrate their target. When the goal is to disclose protected information, the hacker tries to break into any system that protects it, or better yet, finds a way around it.
The hacker always believes that anything can be breached. That’s why implementing protections shouldn’t end right there, but should be followed by asking creative questions – questions that a hacker would ask herself when reaching an obstacle. What can I find out about this technology I am facing? Are there any known vulnerabilities? Are there important configurations that might have been ignored by the IT administrator? Are there guidelines that the programmers didn’t take into consideration?
There are even more questions that a creative attacker would ask, and she will invest great time and effort to find the answers. Many of these answers are available on the network, so searching and finding them is a great skill to develop. Mastering search engines’ algorithms and connecting to the right forums and online communities that share valuable information about technologies and vulnerabilities are all inseparable and necessary for successful hacking activities.
White-hat hacking for protection is recommended for any organization, office or start-up. You should regularly implement hacking activities and explore various development or protection techniques. Proactive white-hat hacking is one of the best ways of assuring maximum immunity to malicious hackers that might target your organization.