Stop Avoiding Hacks! Fight Them, And Google Knows How!by QA Engineer on September 29, 2015
Let’s face it, we don’t live in a world where our resources, after being put online can be hacked. It’s more of a “when will we be hacked” kind of thing. But the bigger picture in does not necessarily has to be that way. The problem simply lies in the fact that businesses, security professionals, online resources and hackers are trapped in an endless loop.
There are people responsible for online security who constantly test software to determine new breaches. Their goal is to break software order to ensure located entry points will be fixed. And there are hackers who are doing pretty much the same thing, but with a different purpose – personal gain.
And so, with every new software release this loops starts all over again. Let’s say Windows 12 was released yesterday. It was pen and security tested and considered quite safe. But, as soon as it hits the web the real test will begin. Talented hackers will be doing their best to break the new OS and they will succeed eventually. With better tools, newer software, through phishing techniques or whatever – they will break it. And, as soon as they do patches will be created to cover these breaches. What will that lead to? That’s right, new hack attempts. This is the loop.
But is there really no way out?
More than protection: the battle continues, and it’s time to fight back!
Google has recently published curious research on its security blog. This work is a shared effort that involved Google’s own fraud & abuse group as well as teams from six large universities. Together they have studied actual anatomy of what seems to be cybercrime in its purest form. The research paper covered and analyzed such aspects of malicious online activity as:
- Click fraud
- Credit card information theft
To be honest, no jaw-dropping, game-changing revelation was neither found nor published in the research, however, there were several great new thoughts presented and exposed to the public. The conclusion Google’s team has made is that simply protecting what’s yours is not enough for a company that wishes to protect its users/clients/employees. Cybercrime should be fought and the strike shout hit those exact places where it really hurts. How to do so? Here are several tips.
Use the dark side to your advantage!
Checking and updating security is great. But how do we test it? We penetration test against imaginary, (although quite possible) threats. However Google advises businesses to know their game a little bit better. Try out infiltration of numerous black markets hosted online, places that are actually inhabited with hackers and criminals who will eventually try taking a bite of your own business if you don’t know how to stop them.
You will be able to see hijacked data, bot-operated accounts, etc. More importantly your experts will get how the thing works from the inside. And knowledge is power. Build your defenses accordingly.
Next step: attack is possible
After locating your enemy’s soft belly it is time to strike. In our case your enemy’s soft belly is your own software’s weaknesses. However it’s not always your fault solutions you use are weak. Researches actually show that in most cases third-party integrated code serves as the doorway inside your own data storages. You can’t test software that belongs to other people, right? Try making your army bigger.
Host bounties for bugs and make the internet work for you. The very same hackers that were already on the job may even consider giving away their results to you, instead of selling them elsewhere. It’s really a double wing for you, as a business. And, in the long-run, you will have quite a portfolio of skilled people to choose from if you decide to hire some of them permanently.
And remember: online resources are never 100% safe, but you can try your best to transform your one into the first impenetrable fortress.