
The Hacker Mindset

  • Cody
  • Nov 28, 2024
  • 7 min read

What is a hacker?


In order to discuss the hacker mindset, we should first understand what a hacker is. Let’s see what Google says:


“A person who uses computers to gain unauthorized access to data.”


That is a fair start, right? This is what most people understand a hacker to be. I’m going to modify this a little to what I understand a hacker to be:


"A hacker is a person who manipulates the environment (technology, humans, or other systems) to achieve a desired goal."


Computers are the first thing we think of in terms of hacking. However, social engineers can manipulate someone at a company into performing some action that creates a back door into a computer system or network. The social engineer, while likely a proficient hacker who guided the worker to perform the operation, never themselves touched a computer system. In this example, the social engineer manipulated (or hacked) the person on the other end of the phone line. A hacker is able to manipulate their environment to achieve a desired outcome that may go against what a company, manufacturer, or person intended.


A hacker can be in any field. A medic in combat may have to create a solution in the moment to save someone’s life. A parkour runner will take a more direct path to their destination than the typical person, traversing whatever obstacles fall in their path. A car racer may add forced induction such as turbos or superchargers to increase horsepower in order to give themselves an advantage in a race. A hardware hacker may want to play Xbox games on a PlayStation and finds a way to manipulate their environment in order to enable this. Each of these is an example of the hacker mindset.


InfoTech and InfoSec


According to CompTIA, “Information technology is a broad term that involves the use of technology to communicate, transfer data and process information.”


So a person working in IT has the job of ensuring that employees are able to accomplish those tasks, while preventing those not authorized from accessing the company's information. This is information security. Managing an IT infrastructure is a balance of confidentiality, integrity, and availability, regardless of whether the job is specifically cybersecurity. You serve the employees by ensuring they have what they need to do their job. You provide the best customer service you can. You work to ensure your IT systems keep everything protected, and you work within a budget.


Next, it is important to think of how an attacker may try to gain access. Which of your systems have weaknesses? How would you approach an attack on your company?


Hacker Mindset Importance


Building and growing an IT infrastructure involves maintaining the hacker mindset. Let’s ask questions as we consider what we are maintaining: "If I were an intruder, I would try and exploit this system this way. Is this system vulnerable to such an attack?" Or, "how might the current way this system is set up be vulnerable to attack?"


We are faced with the difficulty of balancing security and availability. As long as employees need access to information and systems, there are going to be vulnerabilities.


Physical


Example scenario: a facility has a perimeter fence with barbed wire up top, cameras, and guards at the entrance. The hacker mindset says that someone may be able to cut the fence or go under it. Perhaps there is a place where the cameras cannot see that an intruder could get in under the cover of darkness. There could be badges that enable employees to access certain areas. Is it possible that a copy of that badge could be made by an attacker with a badge cloning device simply getting close enough to an employee?


People


How certain are you that the company staff would question someone they do not know? Is the company so large that new faces are common, making staff less likely to question a stranger's presence? Or is it a small company with a tight-knit group of people who know who is supposed to be there and who isn’t? Do your employees care enough about the company to try and keep it safe, or is it a place where people do not care?


In a previous post, I discussed social engineering and topics such as phishing emails and password security. Does the company have regular practice for its employees to understand what emails are real and what are phishing attempts? What about auditing passwords and educating employees on reusing passwords from other personal accounts?


Do the employees understand that a seemingly non-important piece of information can be combined with other bits of seemingly “non-important” information to create a real threat for the company?


If an employee found a flash drive on the ground in the parking lot, would they plug it into their work computer out of curiosity? Do they know the dangers of doing that?


IT Policies & Procedures


Part of securing the IT infrastructure involves planning for the insider threat. What happens if an employee is terminated? There should be procedures in place to ensure access is disabled to systems and facilities. Are there audit procedures in place to ensure that the people who have access still work for the company? What about privilege creep caused by employees moving from one job to another within the company and retaining access privileges they are no longer authorized to have?
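The termination and privilege-creep questions above can be turned into a routine check. The following is an added illustration, not code from the original post: it reconciles an HR roster with the accounts and group memberships an IT system reports, and the names, roles, and groups are constructed sample data.

```python
# Access-review helper (an added illustration, not code from the original post).
# Reconciles an HR roster with the accounts and group memberships an IT system
# reports, to flag terminated people who still have access and privilege creep.
from dataclasses import dataclass, field

ROLE_GROUPS = {  # groups each role is entitled to (constructed sample policy)
    "helpdesk": {"vpn-users", "helpdesk-tools"},
    "finance": {"vpn-users", "erp-finance"},
    "sysadmin": {"vpn-users", "domain-admins", "backup-operators"},
}

@dataclass
class Employee:
    username: str
    role: str
    active: bool  # False once HR records a termination

@dataclass
class Account:
    username: str
    enabled: bool
    groups: set = field(default_factory=set)

def review_access(roster, accounts):
    """Return (username, issue, detail) tuples for accounts needing action."""
    people = {e.username: e for e in roster}
    findings = []
    for acct in accounts:
        emp = people.get(acct.username)
        if emp is None:
            findings.append((acct.username, "orphaned", "no matching HR record"))
        elif not emp.active and acct.enabled:
            findings.append((acct.username, "stale-enabled", "terminated but still enabled"))
        else:
            # Privilege creep: groups the employee's current role does not grant.
            extra = acct.groups - ROLE_GROUPS.get(emp.role, set())
            if extra:
                findings.append((acct.username, "privilege-creep",
                                 f"beyond role '{emp.role}': {sorted(extra)}"))
    return findings

# Constructed sample: bob was terminated; dana moved from sysadmin to finance
# but kept domain-admins; svc-old has no owner in HR at all.
ROSTER = [Employee("alice", "helpdesk", True), Employee("bob", "finance", False),
          Employee("dana", "finance", True)]
ACCOUNTS = [Account("alice", True, {"vpn-users", "helpdesk-tools"}),
            Account("bob", True, {"vpn-users", "erp-finance"}),
            Account("dana", True, {"vpn-users", "erp-finance", "domain-admins"}),
            Account("svc-old", True, {"backup-operators"})]
FINDINGS = review_access(ROSTER, ACCOUNTS)  # three findings: bob, dana, svc-old
```

Running this on a real export of your directory groups against the HR roster gives the audit trail the questions above ask for, and the same comparison catches service accounts nobody owns.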


Wireless Technologies


What can be done from the parking lot of the facility? What is visible to the outside world when it comes to wireless technology and could someone access the main network safely from a distance? Think like an attacker. Maintain the hacker mindset.


Mobile Devices & Laptops


Employees who work in the field or from home may need laptops or tablets to complete their job. Are the storage drives encrypted? Can you perform a remote wipe on a stolen iPad? What are some other possibilities of a compromised piece of equipment? You may be confident in how you have locked down the device. An unexpected situation could arise if the device is unlocked and the storage drive is unencrypted. Do employees connect their work devices to unsecured networks, such as those at coffee shops or fast-food restaurants, which makes their computers and company information vulnerable?


Web Server/Printers


Could an attacker access the company’s main network by compromising a public-facing web server and pivoting to the main network? Could hacking a network-available printer give an attacker access to other useful computer information?


The Dark Web


Are there compromised credentials or other important information for your company available for sale on the dark web? Data breaches are common. The company you are trying to defend may not have compromised information exposed to the world, but another company may. In "Pivot Points/Lateral Movement" below, I discuss the 2013 Target breach. Could a compromised personal account of an employee give an attacker credentials to access the company network? Do the employees know about haveibeenpwned.com?


Shodan/OSINT


Shodan is a search engine that continuously crawls the Internet, indexing anything connected to it. This can give you an outside perspective looking in, showing which of your devices are visible to the Internet, without ever scanning the company's network yourself. With the hacker mindset, this is passive reconnaissance to find potential attack vectors.


Similarly, open-source intelligence (OSINT) could be used to passively learn about your company as well. Do the employees take pictures with their badges and post them to social media? Think like a hacker.


Outside Organization Access


Firefighters may have some form of access keys to your company's building, depending on the design and building regulations. This is another possible vulnerability, should the keys become compromised. Do these outside organizations have regular security audits? Just because you are security-minded doesn't mean that other organizations are. Similarly, compromised firefighter elevator keys may enable unauthorized access to certain floors of a building (shout out to Deviant Ollam; check out his Defcon Elevator Hacking video for more info). What could an attacker have access to if they reached these areas?


Physical Ports


If an attacker entered your building, can they connect to the network by plugging into an Ethernet port in a conference room? Remember, you have the hacker mindset and you are looking for potential attack vectors. Are USB ports enabled on computers, enabling an attacker to plug in a USB rubber ducky (bad USB) with malware on it? Perhaps it is possible to plug in that rubber ducky, but the antivirus intercepts and prevents that malware from running.


Pivot Points/Lateral Movement


In 2013, attackers infiltrated an HVAC company (heating, ventilation, air conditioning) to access Target's network, resulting in huge monetary losses (costing Target over $200 million) and compromised customer data (40+ million customers' data). The attackers didn't need direct access to the Target network (no pun intended). Target's own network would likely have stopped the attacker, but the HVAC company's computers lacked the same security controls, which enabled the attacker to move onto Target's network. According to the reports, the HVAC company was using a free version of Malwarebytes to secure its equipment. Because Target's HVAC system was part of its main network, this created an entry point for the attacker. Are you aware of points where attackers could pivot or move laterally through your network to reach their desired target?


IoT devices and embedded systems may lack the security desired for the rest of the network. If any of these devices have access to the network, how might they be used to gain an initial foothold and potentially become a pivot point for an attacker to move to other systems? Often, these systems use less secure protocols and may even be running old operating system versions that prevent them from being patched and secured. Are these systems isolated from the main network? Even air-gapping systems is not 100% secure. Think about the air-gapped computers that controlled the centrifuges in Iran that were compromised by an insider loading Stuxnet via USB flash drive! Think like a hacker.


Summary


This is not a comprehensive list of possible attack vectors. These are merely some ideas of possible attack vectors that an organization may face. By thinking like a hacker, you consider how you would approach a system to manipulate it into doing something it was not intended to do. It is important to ask questions like these along the way as you work to maintain your IT infrastructure. Keeping your company running smoothly means keeping your program secure. Think like a hacker. Have that mindset that questions how the current setup may lead to a breach. Just because something works doesn't mean that it is secure. You may get away with insecure configurations for a little while, but these points are eventually going to become points of attack. Don't wait to find out how these points will be exploited. Be proactive. Be the best IT support you can be and maintain the hacker mindset.


Thank you for reading!
