The cybersecurity landscape is often filled with a plethora of tools which companies can avail themselves of to protect against malicious activities. Organizations are facing an ever-increasing challenge in protecting their systems, data, and infrastructure against online cyber threats. Ransomware attacks are rapidly increasing with small to midsize businesses more frequently the targets of these attacks.
In the “Art of War” author Sun Tzu states that “To know your enemy, you must become your enemy”. Within the cybersecurity battlefield this is most often achieved via penetration testing where a skilled team of experts using past efforts of Advance Persistent Threats (APTs) attempts to discover and exploit vulnerabilities. These “Red Teams” follow a cyber kill chain that involves research into their target from open-source locations trying to build a picture of their target so they may find the best attack vectors. Most of these tests focus on the technical side of the attack at the team probe systems looking for weaknesses, communications channels left open, outdated software, and equipment with known vulnerabilities.
A good penetration test also focuses on one of the greatest weaknesses of an organization, which is email. A phishing test simulates malicious emails to test the human factor and any cyber awareness training provided. More often than not some percentage of users fall for the phishing test and click links or opens attached files. This data is tracked to improve training with the hope of decreasing that percentage of failure while relying on technology and end point protection tools to stop any real-world failures.
These standard penetration tests are performed most often because they are required by some form of governance and/or compliance rule. They generate a report listing findings in a variety of categories from “critical” to “informational” and are meant to guide an organization’s cybersecurity planning. But are they missing a key component by only testing the human factor with phishing or online attacks?
I am a strong believer in penetration testing beyond the bits and into the physical, human, and administrative functions of an organization. Moving to how the company operates and what weaknesses can be found outside of online connections. Most organizations focus their cybersecurity strategies and budgets on how to protect themselves from the outside of the organization. A determined adversary would use all methods of attack to include gaining entrance into a facility. Are organizations training their users to protect their information systems via a strong understanding of the physical aspects of attack?
Ever notice while in line at your favorite coffee establishment how many people are wearing lanyards with company badges attached? Many contain Radio-Frequency Identification which broadcasts a low frequency signal to gain access to a facility, room, or other security enabled system. These signals can be copied and used against an organization to gain access without proper authorization.
Perhaps someone wearing a brown outfit approaches a secure door carrying a large load of boxes following an unsuspecting employee into the building. Many people would “do the right thing” and hold the door for this hard-working individual.
More direct would be just walking in and asking for access. This example was used when our team was asked to test a municipality for their cybersecurity. A team member approached town hall wearing a nice polo with logo (ours in fact) and stated they were from “IT” and needed to conduct a computer inventory. The only question asked was what was required from the person behind the counter to which a calming and reassuring response of I would like to be escorted and shown the systems.
An escort was acquired, and the tour began with hopes of simply recovering information such as log in credentials during the tour. What happened was much more telling with a kind employee asking if the penetration team member worked for the by name IT company. When our team member stated yes, while wearing our company polo, the request was made to support this person with their malfunctioning email account. The team member was led into an office, provided full access to a computer system, and then asked quite politely if the employee needed to “be there” or could they go about their work elsewhere. Approval to leave was granted and, alas, both the employee and person doing the escorting left our member alone in the office with access to the system, keys on the desk and the common access card with pin provided. Full access withing 30 minutes of walking into the town hall.
This doesn’t mean every organization is at immediate risk for these types of intrusions or attack vectors, however, it should highlight the need to ensure they are tested to provide greater confidence in protecting against them. Simply gaining access meant the ability to see WiFi access information on bulletin boards or passwords near keyboards but also where the communications closets were located, how they were secured and more. An adversary is going to use any means to gather intelligence on their target. No organization is immune to attack so all efforts should be taken to protect your information systems.
Penetration testing is based on the principle of attacking as an intruder would, to think like your “enemy”. My recommendation is always to always think “beyond the bits” and to fully incorporate all avenues of attack that can be used against the organization. The path to cybersecurity starts with a conversation, so open a dialogue about how your organization can test itself against threat actors today.