Criminal Minds: Thinking Like a Hacker Makes Good Data Governance Sense

By Andy Green

What can you learn from reading the exploits of the most successful hacking ring ever brought to justice?

The U.S. Attorney’s Office in New Jersey has unsealed its indictment against a mostly Russian gang of cyber-criminals—one American co-conspirator was also named—that is alleged to have snatched more than 160 million credit card numbers over seven years, resulting in more than $300 million in losses. In scanning through the indictment, I was left with the strong impression that this group had a rock-solid business model, excelled at executing its plans, and was actually good at following IT security principles—better than its victims.

According to the government’s investigation—based heavily on chat sessions between the hacking principals—stolen credit card numbers were sold through wholesale networks. U.S. numbers would go for $10, Canadian for $15 and European for $50. The hacking gang, which the government more accurately referred to as an organization, would offer bulk discounts. The distribution network would then resell stolen data through its channels to end users.

By the way, this hacking organization did not take credit card payments for its services—only bank wire transfers and Western Union. Good move on its part, don’t you know, because credit card numbers are vulnerable to theft.

The hack craft was a little more advanced than the common cyber thief’s. It relied heavily on SQL injection attacks to break into websites, rather than brute-force password guessing. The retailer, banking and credit card company victims validate yet again the stats from Verizon’s Data Breach Investigations Report on the most heavily hacked sectors. In a few cases, the hackers chose retailers based on the type of point of sale or POS equipment, because they could install specially configured software sniffers to vacuum up unencrypted card numbers. And yet again, these mostly food and clothing retailers were PCI-compliant.

After breaking in, the hackers then had the more complex problem of where to find the credit card number and other personal identifying data. In hack terminology, this is known as post exploitation. To get a better understanding of post-exploitation methodology, you’ll need go over to the dark, or at least the gray, side. So I decided to take a look through the archives of Defcon—“the world’s longest-running and largest underground hacking conference.”

I came across a good presentation on this subject written by two penetration testers. They note that the job of the hacker is to “hide in plain site”; in bold red letters on one of their slides is the command, “Don’t be an anomaly.” Another slide points out that getting root access is not necessarily a desirable goal for a hacker because it’s also a user level that is most likely audited.

This is generally solid advice, but of course the hackers can’t know ahead of time the long-term average behaviors of users, and there is software that can spot atypical file access patterns.

Anyway, the two pen testers suggest you come in as an ordinary user and selectively hijack credentials and sessions. So which user should a hacker pick? Their overall advice is to “know the target environment,” then learn “who has access to what” and find out “where is the data.”

Where have I seen these words before?

Obviously, this is core IT data-governance wisdom that every system administrator should be applying daily. It’s perhaps a bit counter-intuitive that we have pen testers to thank for making a solid governance case in a presentation on post-exploitation techniques. But in the upside-down world of hacking, it’s the cyber thieves who are doing a better job than the targeted companies at seeing the value in the data and applying good IT practices.

I have—and you should have as well—little patience for those who want to scrimp on data governance as part of a security mitigation program. Ultimately, you want to be better than a cyber-gang at really knowing your data.

Andy Green offers his Technology Insights for Network Computing Architects, Inc. Learn more about NCA at


Strategic Link is the NWCUA’s wholly-owned service corporation, using the power of aggregation to provide the Association’s member credit unions with exclusive high-quality, competitively-priced products and discounted services. Contact Director of Strategic Partnerships Craig Reed today to find out how Strategic Link can help your credit union save money while meeting its goals in 2013 and beyond:

Posted in Article Post.