IT security: how to spot a hacker

Are you sitting comfortably? Perhaps you should look over your shoulder instead. One of your colleagues could be stealing company data

Written by Calum Macleod

After many years in the IT industry, I’ve discovered a hacker doesn’t always fit the stereotype. Instead, according to the FBI, the most common hacker is probably sitting at the desk next to you, right now.

This is someone who gets to work early, takes his or her turn cleaning out the office fridge, tells funny stories at lunch and, at some point, makes a very dumb move. It often starts when this hacker-next-door sees a file directory or workstation that’s just too juicy to pass by, like one named ‘Salary Comparison’. It’s simply too tempting NOT to peek inside.


In other words, curiosity is one scenario motivating the most common hacker. Another is revenge and, of course, increasingly on the rise is industrial espionage.

What organisation has time to do professional, in-depth background checks on every temping IT consultant? Often this part-time help is called upon when times are tough, and corners are most easily cut during a recession. The result is people who get easy access to the most sensitive and impenetrable systems.

No matter what the reason, internal hacker attacks make up 70% of all security breaches according to the FBI. The next question is: how do these attackers get access to critical systems?

The answer: all too easily. Once that hacker-next-door decides to break into a target system, their next stop is a search engine. A few key words later, and anyone can discover that the most common, and effective, type of hack into a target system is to become what’s called a ‘script kiddie’.

Script kiddies use default lists of privileged passwords, or the super-user/administrative codes built into every piece of hardware and software. Have you ever noticed the ‘Administrator’ ID next to your name when you log in to your workstation? That’s a privileged user and password, a backdoor into your system built by the manufacturer. It cannot be disabled or destroyed.

Let’s turn back to our hacker-next-door who wants to access the salary comparison workstation. They don’t know who owns this workstation, but they can search to find what the default Administrator passwords are for this type of standard business PC.

If the built-in default doesn’t work, the would-be hacker may try simple passwords like CompanyName123. You’d be stunned how often these basic passwords - also available as mini computer programs on the web - are the fastest way into any organisation’s data.

Once the hacker enters a target system with a privileged password, the evil-doer now has more access to data than the system’s legitimate users. At one company, for example, a disgruntled IT professional changed every password on the network. All software had to be reloaded. The company was basically shut down for days.

Meanwhile, the angry ex-employee denied all knowledge of the incident. And who could prosecute him? The deed was done under an anonymous identity, the Administrator.

So there you have it: the most common hacker is actually someone working in your business today, a non-professional trouble-maker who, when tempted, can easily find his or her way into your organisation’s most sensitive data.

This leads to another question I am commonly asked: why do most enterprises leave their privileged passwords, the keys to their kingdom, open and unmanaged?

The reason is simple. Manually changing these codes is extremely time-consuming, so these back doors generally stay open.

Visit professional hacker sites, and their biggest complaint about script kiddies is not that they exist but that once these amateurs do something flagrant and dumb with privileged passwords, these wonderful secret passages into a company’s data get closed to the professionals.

Of course, there are automated ways to securely change privileged passwords in ‘digital vaults’, which tie an individual ID to a shared one. This very software is now being used by many security-savvy enterprises around the world.

Until these products become standard tools in most enterprises, however, I’d keep a close eye on the folks around you. You never know who is privileged to your information.

Calum Macleod is European director of Cyber-Ark Software, cyber-ark.com

Outsourcing danger

Outsource your code and you’re more likely to be hacked. Organisations that admitted to being frequently hacked all outsource at least some of their coding practice, with 90% outsourcing more than a third, according to a report by Quocirca and supported by Fortify Software.

The hacker’s future looks rosy, with 78% saying that it is important for them to outsource software development due to the cost benefit.

But security is being left out in the cold as companies fail to build in security when they outsource the development of their critical applications.

A staggering 60% of companies that outsource the coding of their critical applications do not mandate that security must be built into the applications.

Yet statistics show that the software application layer is where most hackers are accessing critical data.

According to NIST (National Institute of Standards and Technology), 92% of vulnerabilities affecting computer networks are contained in software applications.

As organisations increasingly look to outsource application development, more components of software applications are being developed outside of their direct control.

You need to make sure when applications are designed that they are constantly checked for vulnerabilities. Use application security software to do this automatically.

Rob Rachwald, Fortify Software (Fortify.com)

Securing data on the move

How do you stop mobile data getting into the wrong hands?

• Encrypt your data on every device you carry, if it’s sensitive. As everyone now uses their own personal devices to link into the corporate network, be sure you can accommodate every type of file.

• Buy a software product that can detect devices trying to connect to the enterprise and sync with corporate data.

• Make sure the encryption software you invest in does not slow down your system.

• Never leave data security up to the end user. It is imperative that this is controlled and managed centrally. This can also reduce TCO (total cost of ownership) as machines don’t need to be locked down or brought into the office to update them.

• Corporate governance now requires you to have security and prove it. Use software that includes a central management console; that way every machine is protected and can be tracked.

Follow these steps and you will be able to roll out a sustainable security policy for all end points and devices.

Peter Mitteregger, CREDANT Technologies (credant.com)
