Be secure: Think like bad guys

By Ellen Messmer, Network World
April 11, 2005 12:11 AM ET

ORLANDO - Security managers at last week's InfoSec World conference say they're combating the risks posed by outsider attacks and insider exploits by thinking - and sometimes acting - like hackers.

JP Morgan Chase, The Hartford Financial Services Group, the Mayo Foundation and Maven Security Consulting detailed procedures that call for stealing a page from the hacker playbook. These methods include war driving on wireless LANs (WLAN), phishing to test network security and teaching hacking techniques to software developers as a form of training.

Jack Mogren, senior network security architect at Mayo, the Rochester, Minn., healthcare organization, said he war drives to find security holes in his wireless network, which will grow this year from 1,300 to 1,700 Cisco Aironet access points.

"I hop in my Jeep and drive around the buildings doing wireless scans," said Mogren, holding up an antenna based on a tin can that he bought for $18 on eBay. The setup may be simple - a laptop running NetStumbler or other WLAN sniffer software and a jerry-rigged antenna - but it's identical to what a hacker would use. And it works.

He can detect rogue access points that employees - many of whom are researchers - may have installed without authorization. When he finds security holes, the Mayo Foundation's IT staff takes steps to ensure the proper equipment - with the appropriate authentication and encryption controls - is put in place.

Ethical phishing catches on

The Hartford, which has 35,000 employees, also is using stealth tactics in nabbing the bad apples in its midst.

"[Y]our employees are your biggest threat," said Matthew Fiddler, assistant director for information security at The Hartford in Connecticut, who spoke on security issues. "We had one guy tunneling porn, a lot of porn - 53 megs."

Based on suspicions, The Hartford's IT staff swept the employee's desktop computer to remotely scoop up the porn evidence using the forensics tool EnCase Enterprise Edition, which can remotely monitor and capture data without the employee knowing.

"He doesn't work for Hartford anymore," Fiddler said. The advantage of using the remote data-capture tool is that it saves IT staff from traveling. "I was having to send guys out to California to do a black-bag job, but now we can do it with a WAN."

In another case, The Hartford suspected an employee had posted intellectual property on an online message board. The Hartford couldn't initially pinpoint the source of these posts other than a single e-mail address. So staff decided to use a tactic based on phishing - sending an e-mail to lure someone to a fake Web site - to draw out the perpetrator.

Fiddler said he heard about the tactic from CNA Financial, which did something similar.

Hartford staff embedded a hidden 1x1 pixel image in the e-mail, a "hidden webbug." Then they spoofed an outside e-mail address to send the webbugged e-mail to the address associated with the leaked company information.

Because The Hartford told its intrusion-detection system to respond if it detected the hidden webbug, the system flagged the recipient of the e-mail by IP address inside the corporate network when the e-mail was downloaded. "We hooked our phish," Fiddler said.
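The detection step described above can be sketched as a log search for the one-off image URL. This is an added example, not code from The Hartford or the article; the log format, beacon token, hostnames and internal address ranges are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed beacon token: a unique path used only in the one tracked e-mail.
BEACON_TOKEN = "img/7f3c9a1e-webbug.gif"

# Assumed internal address space (RFC 1918); substitute the real corporate ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a simplified "timestamp client_ip method url status" format.
SAMPLE_LOG = """\
2005-04-04T09:12:01 10.20.4.17 GET http://news.example.com/index.html 200
2005-04-04T09:15:44 10.20.7.93 GET http://beacon.example.net/img/7f3c9a1e-webbug.gif 200
2005-04-04T09:15:45 10.20.7.93 GET http://beacon.example.net/img/7f3c9a1e-webbug.gif 304
2005-04-04T09:20:10 203.0.113.8 GET http://beacon.example.net/img/7f3c9a1e-webbug.gif 200
2005-04-04T09:21:00 10.20.4.17 GET http://beacon.example.net/img/other.gif 200
malformed line without enough fields
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|HEAD)\s+(\S+)\s+(\d{3})$")

def is_internal(ip_text):
    """True only for syntactically valid addresses inside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_beacon_hits(log_text, token=BEACON_TOKEN):
    """Return {internal_client_ip: first_seen_timestamp} for fetches of the beacon image."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than guessing at fields
        ts, client, _method, url, _status = m.groups()
        # Compare the URL path exactly (query string dropped) to avoid loose substring matches.
        path = url.split("://", 1)[-1].split("?", 1)[0]
        if not path.endswith("/" + token):
            continue
        # Keep only the first fetch per internal host; repeat fetches add no new information.
        if is_internal(client) and client not in hits:
            hits[client] = ts
    return hits

if __name__ == "__main__":
    for ip, ts in find_beacon_hits(SAMPLE_LOG).items():
        print(f"{ts} beacon fetched by internal host {ip}")
```

A hit identifies the workstation that rendered the message, not the person at the keyboard, so it is a lead to corroborate against other records.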
