What's been missed in the hoopla, however, is that Consumer Reports did the right thing. Maybe it's not ethical to introduce new viruses to the world, but any organization hoping to protect its network from intruders should take a cue from Consumer Reports. When thinking about security, start by thinking like an intruder.
This is not novel advice. Scan the bookshelves of any executive's office, and chances are you'll see Sun Tzu's Art of War. One of its most quoted passages? "Know thy enemy and know thyself, find naught in fear for 100 battles."
Hacking is considered a black art. Hackers spend their lives glued to computers and will eventually come up with some new, unusual method for circumventing security. Hackers don't think or act like the rest of us. That's the perception.
The reality is altogether different, according to Eric Schultze, chief security architect at security firm Shavlik Technologies. Most hackers follow predictable patterns and most gravitate to the easiest hacks first.
The problem is that security pros assess their vulnerabilities using an administrators point of view, instead of thinking like someone trying to crack a network, Schultze said.
As an IT administrator, I know that I use the same password across all networks and applications. It makes my job easier. What I forget is that hackers know this and it makes their job easier too. As a hacker, I know that if I crack one password it might be valid system-wide.
Schultze pointed out some other admin behaviors that undermine security. If I'm a hacker and I want to guess passwords, who do I go after?
That's right, the answer is, again, administrators. And that's not just because their passwords are the most valuable, but also because they're often the easiest to crack.
Most users must change their passwords every month or so. Administrators do not. They have the luxury of leaving their passwords in place indefinitely. Better still, from a hacker's perspective, many administrator accounts don't have automatic lockout features turned on, meaning that a hacker can try an infinite number of user-name and password combinations until they hit on the one that lets them in.
While understanding your own behavior is important, how do you accomplish this? It's hard to do on your own, cautioned Peter Firstbrook, an analyst with Gartner. Smart organizations get outside help.
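The two weaknesses Schultze describes, privileged accounts with no lockout and passwords that never age out, are both things a defender can check for and watch for. The following Python is an added example, not code from the article or from Shavlik; it audits a constructed account inventory for those two conditions and runs a simple failed-login detector over constructed log lines in an assumed syslog-like format (the field names and the `ACCOUNTS` schema are assumptions for illustration, not any real product's output).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account inventory (not real data): the kind of fields a
# directory export or local-account audit would give you.
ACCOUNTS = [
    {"name": "alice", "admin": False, "pw_age_days": 12, "lockout": True},
    {"name": "bob", "admin": False, "pw_age_days": 27, "lockout": True},
    {"name": "backup-admin", "admin": True, "pw_age_days": 410, "lockout": False},
    {"name": "domadmin", "admin": True, "pw_age_days": 95, "lockout": True},
]

# Constructed sample authentication log in an assumed format:
# <ISO timestamp> auth: <FAILED|OK> login user=<name> src=<ip>
AUTH_LOG = """\
2024-03-04T08:00:00Z auth: FAILED login user=backup-admin src=10.0.5.7
2024-03-04T09:00:01Z auth: FAILED login user=backup-admin src=10.0.5.7
2024-03-04T09:00:02Z auth: FAILED login user=backup-admin src=10.0.5.7
2024-03-04T09:00:03Z auth: FAILED login user=backup-admin src=10.0.5.7
2024-03-04T09:00:04Z auth: FAILED login user=backup-admin src=10.0.5.7
2024-03-04T09:00:05Z auth: FAILED login user=backup-admin src=10.0.5.7
2024-03-04T09:00:06Z auth: FAILED login user=backup-admin src=10.0.5.7
2024-03-04T09:00:07Z auth: OK login user=backup-admin src=10.0.5.7
2024-03-04T09:10:00Z auth: FAILED login user=alice src=10.0.9.2
2024-03-04T09:10:05Z auth: FAILED login user=alice src=10.0.9.2
2024-03-04T09:10:09Z auth: OK login user=alice src=10.0.9.2
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAILED|OK) login user=(\S+) src=(\S+)$")


def audit_accounts(accounts, max_pw_age_days=90):
    """Return {name: [issues]} for accounts matching the weak pattern the
    article describes: no lockout, or a password older than the policy.
    Privileged accounts are tagged so they can be prioritised."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct["lockout"]:
            issues.append("no lockout")
        if acct["pw_age_days"] > max_pw_age_days:
            issues.append(f"password {acct['pw_age_days']}d old")
        if issues:
            if acct["admin"]:
                issues.insert(0, "privileged")
            findings[acct["name"]] = issues
    return findings


def detect_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {user: max failures seen inside any `window`} for users whose
    failed-login count reaches `threshold` within the window. A sliding
    window keeps one stale failure hours earlier from inflating the count."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, status, user, _src = m.groups()
        if status != "FAILED":
            continue
        failures[user].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))

    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until it fits within `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for name, issues in audit_accounts(ACCOUNTS).items():
        print(f"{name}: {', '.join(issues)}")
    for user, count in detect_guessing(AUTH_LOG).items():
        print(f"{user}: {count} failed logins inside 5 minutes")
```

In the constructed data, `backup-admin` shows up in both checks: it is the account with no lockout and a year-old password, and it is the one being guessed against; the six failures followed by a success is the sequence a lockout would have stopped. The audit flags `domadmin` too, only for password age, which is the "administrators do not rotate" point rather than the lockout point.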
Firstbrook recommended a few steps for understanding your security profile and, more importantly, your organizational security behaviors. Services like vulnerability assessments and device inventories are essential, while configuration and patch management tools should be used regularly to keep the network up to date.