Slideshow 6 Network Security Tips from an Ethical Hacker

Published January 19 2016, 6:00am EST

Aaron Hayden is an information systems analyst with CliftonLarsonAllen, a large certified public accounting firm. He’s also an ethical hacker, one of 40 in the organization. They are 100 percent successful at hacking any business except a bank. Here is what he and his colleagues can easily do to employees’ computers in healthcare and almost any other industry.

Phishing at the Top

If a hacker is good at phishing, which is the art of fooling an unsuspecting individual into giving someone else his or her network credentials, the hacker will have a success rate of 100 percent, Hayden told a large audience during the 2015 AHIMA Convention. He recently phished a CEO: an email purportedly from the CFO paved the way for getting the CEO’s computer credentials, and he took control of her machine.

Assume Identity

Once in control of one computer, a hacker can assume the identity of the person being attacked. If the person is an administrator, Hayden can install software to read the database password on the computer, as well as passwords from other computers on the network. Once in a network, a hacker can establish persistence—a home—and inject code into startup processes to stay in the network. One university, Hayden said, had 8,000 routable addresses that he could see.

Another Trick

Once he controls a computer, Hayden can send a false announcement, purportedly from HR, about changes to the company’s health insurance plan, and get employees to fill out new forms with the carrot of getting a Starbucks gift card when finished. The card doesn’t work, but the gambit does take over your computer.

Weak Passwords

Password guessing is one of the easiest ways of initially penetrating a large network. Believe it or not, if the month is August 2015, there is a decent chance that, somewhere on the network, there will be a required password that is “August 2015.”
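
A check a password-change screen could run to reject this kind of password, shown as an added example that is not from Hayden's talk or the original slideshow. It goes beyond the single "August 2015" case to cover other months, seasons, abbreviations and simple character swaps; the function name, word list, substitution table and two-year window are all assumptions.

```python
import re
from datetime import date

# English month and season names with common abbreviations (assumed word list).
_WORDS = {
    "january", "jan", "february", "feb", "march", "mar", "april", "apr", "may",
    "june", "jun", "july", "jul", "august", "aug", "september", "sep", "sept",
    "october", "oct", "november", "nov", "december", "dec",
    "spring", "summer", "autumn", "fall", "winter",
}
# Common character substitutions to undo before matching (constructed table).
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def is_calendar_password(candidate, today, window_years=2):
    """Return True if candidate is a month/season name joined to a nearby year.

    Hypothetical helper: the year may lead or trail the word, be written with
    two or four digits, and be separated by spaces or punctuation.
    """
    # Normalise case, drop separators, drop punctuation tacked on the end.
    s = re.sub(r"[\s\-_./,]+", "", candidate.lower()).rstrip("!?#*")
    years = set()
    for y in range(today.year - window_years, today.year + window_years + 1):
        years.update({str(y), str(y)[2:]})
    # Peel the year off first so its digits are not mistaken for substitutions.
    for y in sorted(years, key=len, reverse=True):
        for rest in (s[:-len(y)] if s.endswith(y) else None,
                     s[len(y):] if s.startswith(y) else None):
            if rest and rest.translate(_LEET) in _WORDS:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample candidates, checked as of a date in August 2015.
    for pw in ["August 2015", "Augu$t2015!", "summer15", "tr4vel-Mug-92"]:
        print(pw, is_calendar_password(pw, date(2015, 8, 19)))
```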

Poor Training

Hacking techniques work well in healthcare for many reasons, Hayden said. Employees are readily tricked and need more training; there are too many passwords to manage (with physicians being the worst at managing them); some employees are reluctant to change passwords according to policy; hackers assume a known identity; and incident response is rarely practiced and almost never tested.

In No Hurry

Hackers also take their time, creating queries in a network, pulling little bits of data over time and encrypting the data so it is not detected. Those little bits of data that you don’t know the hacker has can add up over time to be a giant load of data. “You can empower employees, train them and make them more vigilant,” Hayden said. “Propose structural accountability to doctors, and you will be more secure.”