As stated in Part 1 of this series last month, when it comes to the architecture of mission critical systems for any organization, the power and network infrastructure layers need to be reliable, redundant, and resilient. Those are the three R's you need to remember if you are working on building or maintaining any mission-critical applications.
We need to address all the software running the facility as well.
Understanding the need to properly monitor systems
The timing of cyber-attacks, cyber-terrorism and natural disasters cannot be anticipated. They can and will occur at any time, usually when no one is expecting anything but another routine day at the office.
The big question to all executives running mission-critical facilities is, “When cyber intrusions occur, are you even aware that something just happened?” Chances are you may not be, depending on the type of attack that is leveled.
A study done earlier this year by Verizon found that the software in use at various corporate facilities did not necessarily reveal each intrusion at the time it actually happened. That is very disappointing on several levels.
You need to know if something has happened in order to take evasive and corrective action in a timely manner. If you are unaware anything happened for several months, how much damage has occurred in that long period of time? That time lag is unacceptable.
This shows the true effectiveness of all anti-virus/cybersafety software out there at this time: It is not 100-percent effective. Those organizations which have put up these software-based defenses have not created the ultimate security, but instead have created an electronic Maginot line, which they believe is keeping them safe. In reality, it isn’t.
How much time goes by before you realize you have been hit?
According to the 2016 Verizon Study on intrusions, the percentage of cases in which an attacker is able to compromise the target organization within minutes is 93 percent. Seven percent of the breaches go undiscovered for over a year. When you look at that number (7 percent for over a year), how can you say your software defenses are adequate?
The study also reported that 63 percent of confirmed data breaches involved leveraging weak, default or stolen passwords, and that 99.9 percent of breaches were carried out by exploiting a known vulnerability that had been identified for more than a year. Just 3 percent of compromises were detected within minutes, and only 17 percent within days. Eighty-three percent took weeks or more to discover.
Weeks to discover! Still trust your software as being impermeable?
The study is a wake-up call to everyone utilizing software-based systems. You need to review your systems again. Find out if you have the best defense you can have or if you need to re-arrange what you have and maybe buy more updated protection.
Organizations also need to enforce better adherence to any password policies and their administration with all employees as well as contractors if they were given access to any system.
Poor passwords and non-adherence to password policies (such as changing them every 30–60 days) must be addressed; immediately locking out the user IDs of people who have left the company, and other administrator functions like it, must be accomplished and not left unattended.
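One way to turn those two administrative duties into a routine check, as an added example that is not part of the original article: the script below audits a constructed account export against a constructed HR list of departed people and the 60-day password-age limit mentioned above. The field names and the sample data are assumptions, not any particular product's export format.

```python
from datetime import date

# Constructed sample data (not from the article): an account list as an
# identity system might export it, plus HR's list of people who have left.
ACCOUNTS = [
    {"user": "tsmith",      "last_pw_change": date(2016, 9, 1),  "enabled": True},
    {"user": "jdoe",        "last_pw_change": date(2016, 5, 2),  "enabled": True},
    {"user": "contractor7", "last_pw_change": date(2016, 1, 15), "enabled": True},
    {"user": "mlee",        "last_pw_change": date(2016, 8, 20), "enabled": False},
]
DEPARTED = {"jdoe", "mlee"}     # HR roster: these people no longer work here
MAX_PASSWORD_AGE_DAYS = 60      # upper end of the 30-60 day rotation window


def audit_accounts(accounts, departed, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (user, reason) findings for every enabled account that either
    belongs to a departed person or has a password older than the policy allows.
    Disabled accounts are skipped: they are already locked out."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["user"] in departed:
            findings.append((acct["user"], "departed user still enabled"))
        age_days = (today - acct["last_pw_change"]).days
        if age_days > max_age_days:
            findings.append(
                (acct["user"], f"password {age_days} days old (policy {max_age_days})")
            )
    return findings


def flagged_users(accounts, departed, today):
    """Convenience view: the distinct user IDs an administrator must act on."""
    return sorted({user for user, _ in audit_accounts(accounts, departed, today)})


if __name__ == "__main__":
    # Run the audit as of a constructed date so the output is reproducible.
    for user, reason in audit_accounts(ACCOUNTS, DEPARTED, date(2016, 10, 1)):
        print(f"{user}: {reason}")
```

In practice the account list would come from the directory or identity system and the departed list from HR, and the audit would run on a schedule rather than by hand.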
It is not like the people trying to hack into your systems are super-software developers. Their computer skills might be average, but their social engineering skills may be able to con your average employees. Here is a perfect scenario:
A hacker wants to break into your company’s software systems. What is the goal? Maybe at first, just to get in and then be able to brag to his (or her) hacker buddies, “Hey, I broke into XYZ’s software systems.”
Once Hacker 1 gets in, Hacker 2, 3, and 4 try to emulate the break-in. Maybe Hacker 1 shares some pertinent info to make it easy, or they might put up the challenge of, “Hey, if I got in, you should be able to get in.”
How do we get in? First, we find out some valid numbers. Maybe you still have some dial-up connections. I try to find a valid phone number. How can I find that? Usually companies have gotten blocks of numbers from the phone companies. Maybe the area code and exchange for the main corporate number is 212.665.1000. Chances are, the phone company gave them the next 400 lines into the central office (665.1000 to 665.1399). All I need to do is start dialing each number and I start to get an idea of people, responsibilities and where the dial-up numbers are (maybe it is a block of 50 numbers—665.1300 to 665.1349).
Once I find out where the dial-up numbers start, I find out who the systems administrator is (an easy task) and I start making phone calls to employees. I find out Tom Smith is XYZ’s systems administrator from his profile on LinkedIn. He wants to make sure any corporate recruiter looking for a systems administrator would know he has “the right stuff” for the opportunity the recruiter is trying to fill, so he lists all the systems he has configured, their operating system versions, and what software he is currently managing (great for me; now I know what XYZ is running).
So I call someone else up at XYZ and identify myself as Roger Brown, the assistant systems administrator under Tom Smith, and request they give us their password and user ID because we just updated the master database and we need to make sure everyone gets their user ID updated so they do not have any downtime Monday when we cut over the new database.
Sounds very critical and a “must answer” type of request. Many people, especially if they want to avoid the anticipated Monday rush to “call up systems to find out why their user ID isn’t working,” will gladly help Roger, “the assistant systems administrator” with their user ID and password. They may even thank him for thinking of them so they don’t come in Monday and waste a half-day of downtime because they did not do this pre-cutover precaution.
So now “Roger” has a valid user ID and password to access the system. See how simple that was?
It’s not like Roger (well, the hacker going under Roger’s name) is that great a software expert; he just talked his way into getting a valid user ID and password, which he can now use to do anything he wants with the system. If he gets good at this, maybe he goes for several valid user IDs at once, because then, even if one is detected, he still has several others that are still valid. Plus, if users talk between themselves and ask about Roger, the other user says, “Oh yes, I worked with Roger yesterday on this password thing.” This gives Roger and his actions even more credibility as being a valid call.
Another strong candidate for breaking into your systems may be a disgruntled or recently let-go employee. If they know you (or whoever your systems administrators are) are lax in doing your job in restricting their access to the systems, they may just go back and break in to do a lot of damage (e.g., stealing the customer list, damaging the customer list, changing software around and any other thing to get some payback from your organization).
Most organizations lock out employees as soon as they announce they are leaving, so they don’t go back and damage anything. From an employee perspective, creating some systems damage like denial-of-service may be their “last hurrah” in getting back at the company for whatever injustice they think was put on them.
Many organizations have updated their policies, their systems, and hired more qualified security people to combat these cyberattacks, but there are still many organizations wide open for attacks. This is an area you have to spend money on.
Editor’s Note: Carlini will be addressing the International Drone Expo in Los Angeles, CA (in December) on this critical and timely topic: