If You Build It, Secure It: Think Like a Hacker
Jane Alexander | November 16, 2015
Strategies from other industries can be relevant and helpful for manufacturing operations, as can learning from the missteps of others.
In information security (InfoSec), there are two schools of thought:
• Take a defensive posture. This includes configuring firewalls, coding to standards, and implementing software that you “set and forget” such as antivirus products or software to ensure password strength is up to par, i.e., checking the boxes.
• Think like a hacker and try to break into your own system. You find out how people have been hacking into similar systems and try the technique on your own environment, i.e., take a clear-box approach: look at how a system is built and where it is served, and then try to exploit its vulnerabilities.
Which strategy has your organization implemented? According to Dennis Egen, president and founder of the Philadelphia-based technology and security company Engine Room (engineroomtech.com), many in management positions can’t answer this question. Noting that it’s imperative for manufacturers to begin thinking like hackers when it comes to protecting information and keeping data secure, he offered the following insight based on the experience of other sectors.
Knowledge is power
Egen encourages managers to educate themselves. He said the first few items on your technology to-do list are:
• Know where all your data are.
• Identify who has access to the data.
• Classify your data as high risk (or not).
• Bring in an outside party to understand your system inside and out.
• Create a plan and a specific scope of work so you know what technology partners you need (and don’t need).
“With these small steps,” Engine Room’s Egen advised, “you won’t become the company that stored 500,000 customer emails and passwords in plain text on its server. That’s a start.”
As Egen explained it, a successful InfoSec function relies heavily on something that most managers understand well: solid governance.
“Organizations need a framework for evaluating third-party providers of information technology (IT) development and security,” he said. “And they need a process to ensure that departments inside their organizations follow strict processes and protocols when making technology decisions or purchases.”
Part of this governance process is simply asking the right questions. Managers and executives should set up a meeting with their top technology staffers and ask the following:
• Do we have an InfoSec function? To whom does it report?
• What does our security function look like?
• How do we vet third-party technology providers? How do we know they are doing things the right way?
• Do we have gateways and forced check-ins to get something done, such as a code review before any new websites are launched?
“Starting this basic dialogue,” Egen observed, “will get the ball rolling and ensure you don’t stall in your quest to provide the highest level of information security possible.”
Look and learn
While imitation may be the sincerest form of flattery, it can also be an effective approach to information-security initiatives. Egen highlighted several models from other sectors that manufacturers might be able to leverage.
“Government and the defense and financial-services sectors do InfoSec well,” he said. “They have the best practices. Managers and technology teams in other types of operations can learn a lot from them.”
The Building Security in Maturity Model (BSIMM) is another helpful resource. According to Egen, it can show how information security in your company compares with others and help you take steps to evolve and get better.
As an example of an effective industry-specific security measure that manufacturers might consider, he pointed to the concept of “vaulting” used by convenience stores and retailers. Rather than store credit-card numbers from transactions or loyalty programs on site, those operations protect this sensitive information from hackers by placing them in off-site “vaults.”
Avoid common mistakes
The most common mistake Egen sees is a consequence of managers allowing themselves to be overwhelmed by what they perceive as a cumbersome, intimidating process. Subsequently, they ignore the entire issue of information security and hope nothing happens. As he described the situation, “Too many managers say ‘our system is too old,’ or ‘we could never do that.’ But that is never the case.” His advice for these managers is simple: Don’t let “perfect” be the enemy of the greater good.
As your organization embarks on its InfoSec journey—and, according to Egen, it is very much a journey—remember the following:
• InfoSec is a continuous-improvement opportunity (just like life); start where you are and get better.
• Don’t become deflated. Keep the momentum going.
• Break through the politics and get people on board.
• Moreover, recognize that mistakes aren’t technical; they’re management errors.
• To avoid these mistakes:
  • Always look at how to control scope; you don’t have to do it all yourself.
  • Get experts in the room; do your due diligence.
  • Take necessary precautions; you can’t afford not to.
  • Don’t let perfect be the enemy of the greater good (this advice warrants repeating).
“In short,” Egen said, “do what’s needed, then take it to the next level and really think like a hacker.”
Dennis Egen is president and founder of Engine Room (engineroomtech.com), a technology and security firm based in Philadelphia. Engine Room helps clients mitigate risks by identifying and addressing vulnerabilities before they can be exploited. Egen can be reached at firstname.lastname@example.org.
Dennis Egen emphasizes several points regarding the people-side of information security:
• As he reminds his clients, technology is built by and for people. The downside to this is if a human created a technology, a human being can hack into it. Thus, one of the most effective things a company can do with regard to its information security arrangements is to have a real person take what is known about the system and try to break it from the inside out. “This clear-box approach,” Egen said, “requires skill and expertise that you may or may not have on your tech team.” That, in itself, could be important information for managers to know.
• A culture that is focused on educating personnel is also important. After all, the technology is for your staff. Egen encourages organizations to explain their InfoSec initiatives to employees through lunch-and-learn events and other internal communications vehicles—and to convey the information in a way that is easy for everyone to understand. “Managers are often surprised,” he said, “at how willing staff members are to follow the rules and ask questions when doing something technology related.”
• People’s commitment is critical. As Egen noted, “Senior management, not just compliance personnel, must be on board for an information-security initiative to be successful, just as they must be on board for other crucial initiatives of the business.”