View the original article on http://www.ifsecglobal.com/author.asp?section_id=3030&doc_id=559682&
By Terry Cutler. Terry Cutler is a co-founder of Digital Locksmiths, an IT security and data defense firm based in Montreal and serves as the company’s Chief Technology Officer and Certified Ethical Hacker. You can follow him on Twitter @terrypcutler.
I am a Certified Ethical Hacker, which basically means I get paid by companies to hack into their networks.
My company, Digital Locksmiths, was hired by a manufacturing firm in 2011 to try and expose any security vulnerabilities that might be lurking in the ether.
A company’s external infrastructure — including web servers, domain name servers, email servers, VPN access points, perimeter firewalls, and any other applications publicly accessible from the Internet — is typically considered the primary target of security attacks. So that’s where we start.
Our methods include cracking passwords and eavesdropping as well as using keystroke loggers, sniffers, denial-of-service, and remote controls. In this case, I tried attacking the firewall systems with every trick in our digital lock picker’s toolkit, but to no avail: The network was locked tight, so to speak.
So I told myself, “Screw it. I’m going in.” You see, companies that have an impenetrable wall against external attacks are often surprisingly open to insider threats. Hackers are able to expose these vulnerabilities by exploiting one simple fact: Most people will respond in a highly predictable way to a particular situation.
First, I did a little recon on Google Earth and Street View to familiarize myself with the physical perimeter of the company’s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of a friendly, guy-next-door, I put on my usual garb: a pair of good jeans and a button-down shirt.
I hopped into my truck and drove over to the facility. Doing my best to look sharpish, I walked into the front lobby and said to the receptionist: “This is really embarrassing, and I don’t usually ask for this type of favor, but I wonder if I could use your washroom? I knew I’d regret ordering that super-sized drink!”
She smiled — a good sign — and buzzed me in. Once I was inside the men’s room and had confirmed it was unoccupied, I yanked two USB keys out of my pocket and dropped one on top of the metal toilet paper holder in each stall.
I quickly gave myself a thumbs-up in the mirror, strolled back to the lobby and flashed the receptionist a big smile as I walked out the door.
I drove back to my office and waited, because as soon as someone plugged one of my USBs into a computer, a program on the flash drive would auto run and execute a remote connection to my computer.
This would give me instant access and the ability to ‘pass the hash.’ Note that I’m not talking about the good ol’ college days here — we’re essentially taking the hashed credentials of the computer’s owner and passing them to the company’s own server, mimicking a real, normal login.
In a short time, my computer sprang to life: With the ability now to log into the company’s network, I was poised to unleash all kinds of mayhem — from extracting user names and passwords to opening and interacting with files on the compromised system, to taking screenshots of current activity on a user’s desktop.
Needless to say, company management was horrified to learn how easily I had hacked into their system, simply by exploiting how people react in certain situations.
My ‘Big Gulp’ ruse was a success because, by and large, people are inclined to be helpful. And it’s true — curiosity does kill the cat. Nine times out of ten a person who finds a random USB stick will wonder what’s on the thing and plug it in to find out. (In fact, my backup plan should my men’s-room story have failed was to tell the receptionist that someone dropped this USB stick on the floor and hand it to her.)
Defending against modern attackers
This episode underscores the fact that security involves more than just protection of your network’s firewall. Internal threats are real — and they aren’t all necessarily the work of a disgruntled employee.
Employees need to understand that security threats can be triggered in numerous ways, and they need to be trained to protect against threats that may be masquerading as something perfectly innocuous — like the guy next door. A simple policy, such as permitting only one approved type of USB device for internal use, might have prevented me from gaining access to the network in this case.
Companies also need to recognize when they have a problem — and the sooner they know, the better their chances of minimizing the harm done. The good news is that most enterprises have an enormous amount of data scattered throughout firewall, application, router, and log sources that is useful for determining what sorts of things are going on within their networks. The bad news is that all too few know how to aggregate and put that data to use.
Security professionals need to put in place the technologies and processes that give them access to security logs, along with some form of log management to extract the information required to keep the infrastructure secure.
Better yet, they can deploy a Security Information and Event Management (SIEM) system to collect and correlate that data, together with a process for integrating security data with identity and access information. That way, in our hacking incident, a number of alerts would have been fired off to security managers long before any proprietary data was accessed.
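As an added illustration of the correlation the preceding paragraphs describe (this is not code from the article or from Digital Locksmiths), the Python sketch below runs three SIEM-style rules over constructed log lines: a USB attach followed by a program launched from the removable drive, an outbound connection shortly after that launch, and a burst of NTLM network logons from one workstation to several servers, which is the trace a pass-the-hash login leaves on the domain controller. The log format, host names, thresholds and window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample events (not from the article), normalised into one "timestamp key=value ..." stream.
LOGS = """\
2011-06-14T09:02:11 host=WS-17 src=endpoint event=usb_attached device=Generic_Flash_Disk
2011-06-14T09:02:40 host=WS-17 src=endpoint event=process_start image=E:\\setup.exe
2011-06-14T09:02:43 host=WS-17 src=firewall event=outbound_connect dst=203.0.113.7:443
2011-06-14T09:05:10 host=FS-01 src=dc event=logon type=3 auth=NTLM user=jsmith workstation=WS-17
2011-06-14T09:05:12 host=DB-02 src=dc event=logon type=3 auth=NTLM user=jsmith workstation=WS-17
2011-06-14T09:05:15 host=MAIL-01 src=dc event=logon type=3 auth=NTLM user=jsmith workstation=WS-17
2011-06-14T11:30:00 host=WS-22 src=endpoint event=usb_attached device=Corp_Approved_Key
2011-06-14T11:45:00 host=FS-01 src=dc event=logon type=3 auth=Kerberos user=amuller workstation=WS-22
"""
WINDOW = timedelta(minutes=10)  # two events further apart than this are not correlated (assumed)
MIN_TARGETS = 3                 # NTLM logons to this many servers from one workstation is suspicious (assumed)

def parse(text):
    """Each line becomes a dict of its key=value fields plus a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        events.append(dict(re.findall(r"(\w+)=(\S+)", rest), ts=datetime.fromisoformat(ts)))
    return events

def within(earlier, later):  # True when 'later' follows 'earlier' inside the correlation window
    return timedelta(0) <= later["ts"] - earlier["ts"] <= WINDOW

def correlate(text):
    """Return (rule, host) alerts the way a SIEM correlation rule set would."""
    events = parse(text)
    alerts = []
    by_type = lambda kind, host: [e for e in events if e["event"] == kind and e["host"] == host]
    # Rule 1: USB attach, then a program launched from a drive other than the system disk.
    for usb in [e for e in events if e["event"] == "usb_attached"]:
        for run in by_type("process_start", usb["host"]):
            if within(usb, run) and not run["image"].upper().startswith("C:"):
                alerts.append(("removable_media_execution", usb["host"]))
                # Rule 2: that launch is followed by a new outbound connection from the same host.
                if any(within(run, c) for c in by_type("outbound_connect", run["host"])):
                    alerts.append(("callback_after_removable_execution", run["host"]))
    # Rule 3: one workstation logging on over NTLM to many servers in a short burst (pass-the-hash footprint).
    ntlm = [e for e in events if e["event"] == "logon" and e["type"] == "3" and e["auth"] == "NTLM"]
    for ws in sorted({e["workstation"] for e in ntlm}):
        mine = sorted((e for e in ntlm if e["workstation"] == ws), key=lambda e: e["ts"])
        for i, first in enumerate(mine):
            if len({e["host"] for e in mine[i:] if within(first, e)}) >= MIN_TARGETS:
                alerts.append(("possible_pass_the_hash", ws))
                break
    return alerts
```

Only WS-17 trips the rules; the approved key on WS-22 and the Kerberos logon that follows it produce nothing, which is the point of pairing a device policy with log correlation.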
While it’s true that security threats have become more menacing, remember that security defenses also have become more powerful. Make sure you take the necessary steps to protect your infrastructure and your data.