How To Think Like a Hacker

Recently, the Westcon Group began offering educational seminars on IT security for its VAR customers as part of a larger effort to promote opportunities in security solutions and services. The distributor's seminars feature Bryant Tow, president of InfraGard's Middle Tennessee Chapter, as keynote speaker. Tow offers VARBusiness an inside look at his "Anatomy of a Hacker" seminar and explains how solution providers should mount a counterattack against cyberthreats.

VB: What's the objective of the seminar?
Tow: We go through how a black hat, or a hacker, thinks,how they find vulnerabilities, how they break into systems, how they gather information, and what kind of information they target, etc. The key is that human error is almost always the root cause of the hack...We're trying to show the basic things that people can do to protect themselves and manage their risk factors better. The seminars have been successful because we're finding that a lot of people aren't aware of the common vulnerabilities and mistakes.

VB: What are the top errors people make that open the door for hackers?
Tow: I'd say the top three are passwords, patches, and installing and upgrading security software. People use simple passwords that can be decoded easily. There's a free password-hacking tool called Rainbow Crack that's out on the Web. Luckily, search engines like Google and Yahoo have blocked it. Also, people forget to apply software patches to their infrastructures. That's how so many companies were infected with the e-mail viruses [last] summer. They could have protected themselves better if they had applied, say, their Microsoft patches quickly...And lastly, people have to actually install security measures like firewalls and make sure they're upgraded consistently.

VB: What seems to be the most common source of hacks or cyberattacks these days?
Tow: We're certainly seeing a surge in viruses and malicious content on e-mail because it's the quickest way to infect multiple users and networks. Often, a lot of these attacks come from disgruntled employees inside the company.

id
unit-1659132512259
type
Sponsored post

VB: Have you seen any company or product in the market today that has taken security technology to the next level?
Tow: We're vendor-agnostic. Plus, technology isn't the most important part of the equation. There are a lot of security products out there that are basically useless. For example, intrusion detection is really a failed technology. It's analogous to airport security. You go through the metal-detector checks before the gates, but you're already in the airport. [Similarly], intrusion detection can alert you to an intruder after they're already in the network, but if there's nobody managing the system and nothing to stop the hack, then it's useless.

VB: So what's the answer for companies looking to fortify their infrastructures, and what can solution providers do to help?
Tow: We need to start with a security strategy first and then move on to looking at purchasing the security products behind it. That's everything from management, human-resources regulations, data protocols and public records. It also means identifying the risks for a particular company. If you don't have a policy or strategy in place for security, then the technology won't be as effective.