In movies you see some guy sitting at his computer banging away at the keys and creating sophisticated algorithms that can get around advanced cyber security measures, crack strong passwords, or do anything else that looks really cool for the camera. The reality, which is not as glamorous, is that hackers can shop for hacking tools online. Or better yet, they can ask you how to get into your system and you will tell them.
Social engineering, if you are not familiar with the term, is basically a “con game” to get the information needed to access networks/equipment. In other words, social engineers rely on our “weakness” called trust. Other examples of social engineering are:
- Shoulder Surfing – Looking over someone’s shoulder to get their credentials. Now that we have cell phones with great cameras it is not necessary for them to remember what you typed. The hacker can record a video of you entering your credentials and figure it out later. Google Glass makes it even easier.
- Dumpster Diving – We throw away a lot of information that can help a hacker. It is not just user credentials. It could be the identity of a contact person who can get them access to sensitive areas and insider information to help them find a way in.
- We Are Predictable – Social engineers rely on our natural inclination to choose passwords that are relevant to us.
- I Am Supposed To Be Here – Hackers know that first impressions carry a lot of weight. They will come in as though they belong and get access by looking the part. Once inside they can plug in a USB drive, “work” on the copy machine, swap out a phone with an altered handset, etc. For less than $100 they can own your network.
Today you don’t have to be a code genius to start a hacking career. You can buy what you need. There is a huge cyber black market that sells not only data but hacking tools. These tools can be had for anywhere from $50 and up. You can even rent tools. To be honest, this is the first I have heard of renting tools, but I found it in this article http://complex.foreignpolicy.com/posts/2014/03/24/black_market_for_malware_and_cyber_weapons_is_thriving.
Cybercrime is a growing segment, so much so that it is surpassing the illegal drug trade. Silk Road (How the Feds Took Down the Silk Road Drug Wonderland – http://www.wired.com/2013/11/silk-road/) was a site that originally started out as a drug trafficking site and, in some cases, murder-for-hire. They added hacking tools and stolen login credentials for sale because of how lucrative this market has become.
An article from RAND Corp (Black Markets for Hackers Are Increasingly Sophisticated, Specialized and Maturing – http://www.rand.org/news/press/2014/03/25.html) said this: “In certain respects, cybercrime can be more lucrative and easier to carry out than the illegal drug trade.” Juniper Networks concluded in a RAND Corp/Juniper Networks report that the “Cyber Black Market” is more profitable than the global illegal drug trade (ZDNET Article – Hackonomics: ‘Cyber Black Market’ more profitable than illegal drug trade – http://www.zdnet.com/hackonomics-cyber-black-market-more-profitable-than-illegal-drug-trade-7000027729/).
What does this mean to the control community?
- We do our share to help protect our greatest asset… Our customer
- We must protect our brand/credibility from a breach
- Our customer’s IT networks and building control networks cross paths, which could be a security issue
- Control system security is typically weak… What can we do to strengthen it?
- “…social engineering relies on people’s inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it.” (http://searchsecurity.techtarget.com/definition/social-engineering)
What this means is that hackers/social engineers are well aware that building control networks and corporate networks intersect and that the security of control networks is generally weak. They also know that control system PCs are typically physically exposed and accessible. The hacker/social engineer could enter a building (acting like they belong there), plug a USB drive into the control system PC and leave. More than likely the control system is connected to the customer’s network, so at their leisure they can punch into the corporate network for days on end, searching away unobstructed.
As control system integrators, we need to stretch our thinking past what we think is good security. Firewalls and antivirus are good, but all it takes is a person (you or your customer) giving another person (the social engineer) access/credentials and they have circumvented all of the security measures. Physical access has also got to become a part of the “shield”. Anyone (coder or purchaser in the black market) that can plug a USB drive into a PC can launch software that will give them unrestricted access to the corporate network.
A report from Mandiant (https://www.mandiant.com/threat-landscape/) had these stats:
- 100% of breaches involved stolen credentials
- 100% of victims have up-to-date antivirus software
- 63% of breaches are reported by third parties
- 243 is the median number of days advanced attackers are on the network before being detected
As this report shows, breaches occurred not because of a guy banging away on his keyboard like in the movies, but simply through capturing, buying, or using trickery to gain someone’s valid credentials. Security hardware and software are not the only things needed to combat the “bad guys”. Education, staying up-to-date on the latest threats and oh yeah… A little bit of paranoia.
It also doesn’t hurt to have an evil bit.