Security rule No. 1: Assume you're hacked

Accept that your company's IT systems have been compromised -- then get to work defending them

Page 2 of 2

Second, the best way to prevent hacking is to lock down workstations and servers and to allow only pre-approved software to run on them. Most IT departments have no idea what is and isn't running on the computers under their control. Use a software inventory or an application control program to learn what is running, review each active program, approve what is needed, and prevent the rest from running. If you can't take this step, it's probably a losing battle -- but there are other, less successful mitigations.
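The inventory-then-approve step above, as an added example that is not from the original column: a small Python audit that takes a constructed inventory of running programs (hypothetical hosts, paths and executable bytes) and sorts it against a reviewed allowlist. The allowlist is keyed by path but checked by SHA-256, so a binary that was replaced at an approved path (the "gold image" problem described later on the page) is reported as a hash mismatch rather than waved through.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RunningProgram:
    host: str
    path: str
    image: bytes  # executable bytes as an inventory agent would read them from disk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(reviewed):
    """reviewed: (path, image_bytes) pairs that were looked at and approved.
    Keyed by path, valued by hash, so a swapped binary at an approved path still fails."""
    return {path: sha256_hex(image) for path, image in reviewed}


def audit_running(programs, allowlist):
    """Sort an inventory into what may keep running and what should be blocked."""
    verdicts = {"approved": [], "hash_mismatch": [], "unapproved": []}
    for p in programs:
        digest = sha256_hex(p.image)
        expected = allowlist.get(p.path)
        if expected is None:
            verdicts["unapproved"].append((p.host, p.path))      # nobody reviewed this
        elif expected != digest:
            verdicts["hash_mismatch"].append((p.host, p.path))   # approved path, different file
        else:
            verdicts["approved"].append((p.host, p.path))
    return verdicts


# Constructed sample data (hypothetical hosts, paths and executable contents).
REVIEWED = [
    (r"C:\Program Files\DB\dbsvc.exe", b"dbsvc release build 4.2"),
    (r"C:\Windows\System32\svchost.exe", b"svchost genuine"),
]

INVENTORY = [
    RunningProgram("db01", r"C:\Program Files\DB\dbsvc.exe", b"dbsvc release build 4.2"),
    RunningProgram("db01", r"C:\Windows\System32\svchost.exe", b"svchost genuine"),
    # db02 was built from an image in which dbsvc.exe had been altered
    RunningProgram("db02", r"C:\Program Files\DB\dbsvc.exe", b"dbsvc release build 4.2 (modified)"),
    # a program nobody reviewed, running from a user's temp folder
    RunningProgram("ws07", r"C:\Users\bob\AppData\Local\Temp\updater.exe", b"unknown binary"),
]


def audit_sample():
    """Run the audit over the constructed inventory; returns the verdict dict."""
    return audit_running(INVENTORY, build_allowlist(REVIEWED))


if __name__ == "__main__":
    for verdict, items in audit_sample().items():
        for host, path in items:
            print(f"{verdict:14} {host:5} {path}")
```

In practice the inventory comes from an agent or an application control product; the point of the hash check is that "approved" must mean a specific file, not a file name.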

Key among those techniques is to actively monitor network traffic and investigate large amounts of data headed out to unknown destinations or moving between computers that should not be communicating. Hackers often copy data internally to a centralized computer before compressing and shipping it off to an external site. There are many tools, as well as data leak detection and prevention products, that can assist with these types of measurements and alerting.
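The two patterns in that paragraph (bulk data collecting on an internal host that is not a server, then a large transfer to an unknown external address), as an added Python example that is not part of the original column. The flow records, the internal address range, the list of expected servers and the list of known external destinations are all constructed for the example; real flow exports come from a firewall, NetFlow collector or DLP product and would need their own parser.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range

# Constructed flow records: timestamp,src,dst,dst_port,bytes (not any vendor's format).
FLOW_LOG = """\
2010-06-01T02:11:05,10.1.4.22,10.1.9.200,445,52428800
2010-06-01T02:12:40,10.1.4.23,10.1.9.200,445,61000000
2010-06-01T02:13:10,10.1.4.24,10.1.9.200,445,58000000
2010-06-01T02:30:00,10.1.9.200,203.0.113.77,443,171000000
2010-06-01T09:00:00,10.1.4.22,10.1.2.10,445,1200000
2010-06-01T09:05:00,10.1.4.22,198.51.100.5,443,800000
"""

EXPECTED_SERVERS = {"10.1.2.10"}   # hosts that are supposed to receive bulk data
KNOWN_EXTERNAL = {"198.51.100.5"}  # destinations the business already uses


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append((ts, src, dst, int(port), int(nbytes)))
    return flows


def analyze(flows, expected_servers, known_external,
            egress_threshold=100_000_000, staging_threshold=100_000_000, min_peers=3):
    """Return flows worth a human look: big unknown egress, and internal
    non-servers that several peers are pushing data into (a staging host)."""
    egress = defaultdict(int)                   # (src, dst) -> bytes to unknown external hosts
    inbound = defaultdict(lambda: [0, set()])   # internal non-server dst -> [bytes, senders]
    for _ts, src, dst, _port, nbytes in flows:
        if not is_internal(dst):
            if dst not in known_external:
                egress[(src, dst)] += nbytes
        elif dst not in expected_servers and is_internal(src):
            inbound[dst][0] += nbytes
            inbound[dst][1].add(src)

    findings = {"egress": [], "staging": []}
    for (src, dst), total in egress.items():
        if total >= egress_threshold:
            findings["egress"].append((src, dst, total))
    for dst, (total, senders) in inbound.items():
        if total >= staging_threshold and len(senders) >= min_peers:
            findings["staging"].append((dst, total, len(senders)))
    return findings


def analyze_sample():
    return analyze(parse_flows(FLOW_LOG), EXPECTED_SERVERS, KNOWN_EXTERNAL)


if __name__ == "__main__":
    for kind, items in analyze_sample().items():
        for item in items:
            print(kind, item)
```

The thresholds are deliberately crude; the useful part is the two lists that make them meaningful, which servers are allowed to be data sinks and which outside addresses are already known, because without those the rule fires on every backup job.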

As always, I'm a big fan of honeypot computers, which simply sit there not doing anything, waiting to alert you when someone attempts to log on. Hackers may be good, but I've yet to meet one that could hack without at least attempting to log on.

Some companies insert "red herring" data elements around their network that can help in alerting them to data that has been leaked to the outside. Sometimes it's as simple as creating a few fake email addresses that are never used legitimately. Other red herring schemes go so far as to make entire fake records, fake projects, and even fake companies.
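The honeypot alerting from two paragraphs up and the "red herring" data in this one are the same mechanism: an indicator that has no legitimate use, so any sighting is an alert. Below is an added Python example, not from the original column, that watches a constructed log stream for both. The canary mailbox, the fake company's phone number, the honeypot host name and the log lines are all made up for the example; the log format is a simple key=value layout rather than any product's.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str       # "canary" or "honeypot"
    indicator: str  # which tripwire fired
    line: str       # the log line that tripped it


# Constructed tripwires: none of these exist outside the internal databases.
CANARY_TOKENS = {
    "j.whitaker@example.com",  # mailbox created for the fake buyer, never used legitimately
    "5550142",                 # the fake buyer's phone number, digits only
}
HONEYPOT_HOSTS = {"hp-fileshare01"}  # sits idle; nobody should ever log on

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn 'host=x event=y ...' into a dict; unparsed text is ignored."""
    return dict(KV_RE.findall(line))


def find_tripwire_hits(lines, canary_tokens, honeypot_hosts):
    alerts = []
    for line in lines:
        lowered = line.lower()
        # Red herring data: any appearance of a token is a leak indicator.
        for token in canary_tokens:
            if token.lower() in lowered:
                alerts.append(Alert("canary", token, line))
        # Honeypot: any logon-type event on a honeypot host is an alert.
        fields = parse_kv(line)
        if fields.get("host") in honeypot_hosts and fields.get("event", "").startswith("logon"):
            alerts.append(Alert("honeypot", fields["host"], line))
    return alerts


# Constructed log lines from several sources, merged in time order.
SAMPLE_LOG = """\
2010-06-02T03:02:11 host=hp-fileshare01 event=logon_attempt user=administrator src=10.1.9.200 result=failure
2010-06-02T08:14:02 host=mx01 event=smtp_inbound from=buyer@example.net to=orders@example.com
2010-06-02T08:20:17 host=mx01 event=smtp_inbound from=sales@example.org to=j.whitaker@example.com
2010-06-02T08:45:30 host=pbx01 event=inbound_call caller=5550199 called=5550142
2010-06-02T09:00:00 host=ws07 event=logon user=bob result=success
"""


def sample_hits():
    return find_tripwire_hits(SAMPLE_LOG.splitlines(), CANARY_TOKENS, HONEYPOT_HOSTS)


if __name__ == "__main__":
    for a in sample_hits():
        print(f"[{a.kind}] {a.indicator}: {a.line}")
```

Note that the ordinary logon on ws07 and the genuine mail to orders@ produce nothing; the value of a tripwire is that it has no false-positive budget to manage, which is exactly why the fake record in the fish company story below was such a clean signal.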

One enterprise I consulted for sold fish for a living. Their internal databases contained a fully documented, non-existent buyer. The fake company was given an unused phone number (registered to the parent company, in the parent company's name) and a mailing address that belonged to an accounting subsidiary. But none of this information existed outside of the company's internal databases.

One day, out of the blue, the sham company received emails and phone calls from a competitor. During the ensuing investigation, they found a sophisticated, custom-written Trojan program that had been installed on their main database server. The program had been around for so long that the IT folks had accidentally made it part of their "gold image" for creating database servers. Now they have strong change control and a list of every program running on every server and workstation.

Even if you're not really hacked, you should act as if you were and decide what you would do differently in your company to stop the hackers. Really, that's what we all should be doing every day anyway.

This story, "Security rule No. 1: Assume you're hacked," was originally published at Follow the latest developments in security and read more of Roger Grimes's Security Adviser blog at

Copyright © 2010 IDG Communications, Inc.
