
roger_grimes
Columnist

Security rule No. 1: Assume you’re hacked

Analysis
Jul 13, 2010 | 5 mins
Data and Information Security, Hacking

Accept that your company's IT systems have been compromised -- then get to work defending them

A recent Forbes magazine article advised readers to assume that their companies have been hacked. Some readers have asked me to weigh in, and here’s my assessment: The article is slightly hyperbolic, but all in all, it’s a pretty accurate assessment. Most companies are actively hacked, and their sensitive data is being stolen and leaked to outsiders.

Many readers might find such statements inaccurate and unsupported, and they may wonder where the documented evidence is to back up these gross claims. True, there is no survey data to prove the conclusion. Surveys and interviews can only measure known hacking incidents; it’s hard to measure the known unknowns. But in this case, there is strong anecdotal evidence.


I’m not certain precisely when it happened, but during the past two or three years, I found that all the companies I worked with were being hacked. It’s more than my own personal experience. Ask any computer security consultant who works in the field across a large number of clients and they will tell you the same thing: “Yes, every company is hacked!”

Now, the level of hacking may differ among different-size companies. Every company is hacked in the sense that it probably has one or more computers with a remotely controllable Trojan/bot/zombie malware program installed. If the company is of sufficient size or in an industry with extremely valuable data (for example, one that competes against foreign companies, law firms, or the defense industry), it’s likely a malicious hacker has installed various backdoor programs and has sent volumes of sensitive data to other locations. In the large companies I visit, the hackers set up programs that automatically look for new files and directories and send only the changed information to the remote site. Little do those companies know that they have a free offsite backup service.

Every company I’ve dealt with has had dozens of big security vulnerabilities. The IT employees that I interview admit that their company’s defenses are unevenly applied and that they know of many more major security holes that I haven’t found in my limited review. Rarely are these security issues new; most are several years old and well known by IT management.

There’s a chance that your company is not hacked, but in today’s uber-active crimeware environment, it’s unlikely. If you aren’t hacked, you’re either extremely good (with full management support and resources) or lucky.

So how should that change your behavior and tactics? First, as strange as it sounds, it’s probably not a bad thing to communicate to IT senior management, if you haven’t already done so. If they react in a bad way, pull out this column (or the Forbes story), and list all the major security issues that have remained unfixed for years in the company.

Second, the best way to prevent hacking is to lock down workstations and servers and to allow only pre-approved software to run on them. Most IT departments have no idea what is and isn’t running on all the computers under their control. Use a software inventory or an application control program to learn what is running, review each active program, approve what is needed, and prevent the rest from running. If you can’t take this step, then it’s probably a losing battle — but there are other, less successful mitigations.

Key among those techniques is to actively monitor network traffic and research large amounts of data headed out to unknown destinations or between computers that should not be communicating. Hackers often copy data internally to a centralized computer before compressing and shipping it off to an external site. There are many tools, as well as data leak detection and prevention products, that can assist with these types of measurements and alerting.
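The two traffic patterns described above (large transfers to unknown destinations, and internal hosts collecting data from peers they should not be talking to) can be flagged from netflow-style records. This is an added example, not code from the column; the corporate subnet, the allowlists, the 50 MiB threshold and the sample flows are all constructed assumptions.

```python
"""Egress and internal-staging detection over netflow-style records (added
example, not the column's code). Subnets, allowlists, the threshold and the
sample flows are constructed assumptions."""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumed corporate range
KNOWN_EXTERNAL = {"203.0.113.10"}                       # assumed approved partner host
ALLOWED_INTERNAL_PAIRS = {("10.1.0.5", "10.1.0.20")}   # assumed app server -> DB server
BYTES_THRESHOLD = 50 * 1024 * 1024                      # 50 MiB per (src, dst) pair

# Constructed flow records: (src_ip, dst_ip, bytes)
SAMPLE_FLOWS = [
    ("10.2.3.4", "203.0.113.10", 80_000_000),   # large, but to an approved destination
    ("10.2.3.4", "10.2.3.99", 60_000_000),      # workstation -> workstation
    ("10.2.3.5", "10.2.3.99", 70_000_000),      # second workstation feeding the same host
    ("10.2.3.99", "198.51.100.7", 120_000_000), # that host -> unknown external site
    ("10.1.0.5", "10.1.0.20", 500_000_000),     # app server -> DB server, expected
    ("10.2.3.4", "198.51.100.7", 4_096),        # small, below threshold
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def analyze_flows(flows):
    """Return sorted (alert_kind, src, dst, bytes) tuples for suspicious pairs."""
    totals = defaultdict(int)            # aggregate bytes per (src, dst) pair
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    alerts = []
    feeders = defaultdict(set)           # receiver -> unexpected internal senders
    for (src, dst), nbytes in totals.items():
        if not is_internal(src) or nbytes <= BYTES_THRESHOLD:
            continue                     # inbound traffic and small flows are out of scope
        if is_internal(dst):
            if (src, dst) not in ALLOWED_INTERNAL_PAIRS:
                alerts.append(("internal-unexpected", src, dst, nbytes))
                feeders[dst].add(src)
        elif dst not in KNOWN_EXTERNAL:
            alerts.append(("egress-unknown", src, dst, nbytes))
    # A host that collects data from several peers and then ships it to an
    # unknown destination is the staging pattern the column describes.
    for kind, src, dst, nbytes in list(alerts):
        if kind == "egress-unknown" and len(feeders[src]) >= 2:
            alerts.append(("staging-then-egress", src, dst, nbytes))
    return sorted(alerts)
```

Running `analyze_flows(SAMPLE_FLOWS)` yields one egress alert, two internal alerts and a staging escalation for 10.2.3.99, while the approved partner transfer and the app-to-DB traffic stay quiet.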

As always, I’m a big fan of honeypot computers, which simply sit there not doing anything, waiting to alert you when someone attempts to log on. Hackers may be good, but I’ve yet to meet one that could hack without at least attempting to log on.

Some companies insert “red herring” data elements around their network that can help in alerting them to data that has been leaked to the outside. Sometimes it’s as simple as creating a few fake email addresses that are never used legitimately. Other red herring schemes go so far as to make entire fake records, fake projects, and even fake companies.

One enterprise I consulted for sold fish for a living. Their internal databases contained a fully documented, non-existent buyer. The fake company was given an unused phone number (registered to the parent company, in the parent company’s name) and a mailing address that belonged to an accounting subsidiary. But none of this information existed outside of the company’s internal databases.

One day out of the blue, the sham company received emails and phone calls from a competitor. During the ensuing investigation, they found a sophisticated, custom-written Trojan program that had been installed on their main database server. The program had been around for so long that the IT folks had accidentally made it part of their “gold image” for creating database servers. Now they have strong change control and a list of every program running on every server and workstation.
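The red-herring scheme above works only if someone is watching for the fake identities to surface, which in the fish seller's case happened by chance. The following added example (not the column's or the company's code) watches mail, PBX and proxy logs for a constructed set of honeytokens, and includes a pre-deployment check that no legitimate record collides with them; the token values, log format and sample lines are all constructed.

```python
"""Honeytoken ("red herring") monitoring: alert when fake identities that exist
only in the internal database show up in mail, PBX or proxy logs (added
example, not the column's code; tokens, log format and lines are constructed)."""
import re

# Constructed honeytokens. Phone numbers are stored as digits only and matched
# with any punctuation between digits, so "(555) 0100-7733" still hits.
HONEYTOKENS = {
    "fake-buyer-email": "purchasing@northwind-fisheries.example",
    "fake-buyer-phone": "5550100 7733",
    "fake-project-code": "PRJ-SILVERFIN-2010",
}

def _pattern(name, value):
    if "phone" in name:
        digits = re.sub(r"\D", "", value)
        return re.compile(r"[\s().+-]*".join(digits))
    return re.compile(re.escape(value), re.IGNORECASE)

PATTERNS = {name: _pattern(name, value) for name, value in HONEYTOKENS.items()}

# Constructed log lines from three sources: SMTP gateway, PBX, web proxy.
SAMPLE_LOG = [
    "2010-07-12 09:14:02 smtp-in from=<sales@rival-seafood.example> "
    "to=<purchasing@northwind-fisheries.example> status=accepted",
    "2010-07-12 09:20:41 smtp-out from=<alice@corp.example> to=<bob@corp.example> status=sent",
    "2010-07-12 11:03:55 pbx inbound cid=+1(555)0100-7733 trunk=2 duration=38s",
    "2010-07-12 13:47:10 proxy user=jsmith GET http://intranet.corp.example/reports len=20481",
    "2010-07-12 14:02:33 smtp-out from=<intern@corp.example> subject='Re: prj-silverfin-2010 status' status=sent",
]

def find_canary_hits(lines):
    """Return (token_name, line_no) for every line mentioning a honeytoken."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for name, pat in PATTERNS.items():
            if pat.search(line):
                hits.append((name, lineno))
    return hits

def check_tokens_unused(legitimate_records):
    """Honeytokens only work if nothing real uses them: return the names of any
    tokens that collide with a legitimate record (run before deploying)."""
    return sorted(name for name, pat in PATTERNS.items()
                  if any(pat.search(rec) for rec in legitimate_records))
```

Any hit from `find_canary_hits` is, by construction, evidence that internal data reached someone who should not have it, since nothing outside the database ever used those values.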

Even if you’re not really hacked, you should act as if you were and decide what you would do differently in your company to stop the hackers. Really, that’s what we all should be doing every day anyway.

This story, “Security rule No. 1: Assume you’re hacked,” was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
