While Halloween only comes around once a year, organizations are constantly encountering situations that are downright scary. In honor of Halloween we thought readers might get a thrill out of a few frightful, but true, cyber tales as experienced by cyber security expert and SANS Institute Instructor, Dr. Eric Cole.
Invasion of the System Snatchers
Consider this dreadful example. It is a seemingly beautiful afternoon and Dr. Cole is leaving to play golf (something he rarely has the opportunity to do). As he's getting ready he receives a call from his client; they are in panic mode after having just received a call from the FBI alerting them that they have had a system compromised by an APT (gasp!). He rushes to meet his client onsite (so much for playing golf) and they begin the dreaded search (if you want to find a needle in a haystack, you first have to reduce the amount of hay). This gruesome task, which led to the identification of the compromised boxes, required them to perform painfully-strict outbound packets while sorting the traffic based on outbound connections, length of the connection and size of the data leaving the organization.
[ For more frightening tales about awareness read: Social engineering stories]
How scary is this:two of the compromised boxes were another foreign adversary that they did not even realize compromised their network while the other system was an administrator who was running an illegal NetFlix video store from the company's data center! Perhaps the most gruesome part of this tale is this was a Fortune 50 organization that had no clue what was happening on their network -- very frightening!
I Know What You Did....At The Mall
Consider this next tale. An organization wants to ensure better security and protection after a laptop is stolen from an employees car while he is shopping at the mall. While full disk encryption could help protect data from a stolen laptop, the CIO asked that the incident be investigated to determine exactly what happened. After speaking with the user he confirmed the car was locked and the laptop left on the back seat. Seems harmless, but wait& upon additional questioning the user began to appear very uncomfortable. Finally, following some hesitation, he admitted the car was a convertible and the top was left down as he went into the mall. It does not happen often, but Dr. Cole was speechless. Perhaps the most frightening thing about this tale is people who use this logic are given access to sensitive corporate data. How terrifying is that!!
If you dare to read on, here's another laptop horror story. This particular organization is very concerned about protecting the data on their laptops; therefore, they decide to install full disk ("on the fly") encryption on all laptops. They spent several months evaluating products and installing the software. Despite doing what they believed to be their due diligence, they overlooked one extremely disturbing software feature -- when the user logs in, it unlocks the keys that enable the data on the hard drive to be decrypted and read (how scary is that!). Essentially the strength of the system is based on the robustness and protection of the user's password.
Before being deployed to the entire organization they wanted Dr. Cole and his team to test things out to verify the software was very robust. A file was included on the encrypted hard drive; the goal was to see if Dr. Cole and his team could figure out the content of the file. The first thing the team did when they got back to the lab was turn on the system. The system booted up and, much to everyone's surprise, auto login was enabled (gasp!). The system automatically logged in the user and they were able to easily look at the screen and all data, including the file -- how terrifying! Within 60 seconds Dr. Cole and his team successfully broke in merely by turning on the system. Through misconfiguration the full disk encryption provided no protection. Now that is scary!!
While Halloween will soon be gone, it is terrifying to know these frightening tales will continue to play out in organizations around the globe. To keep your company from becoming a house of horrors, educating end users is a great place to start. Organizations must wake up and realize the importance of the human element. Otherwise these gruesome tales will continue. If you work to change a persons habits through heightened awareness you will minimize risks.
Dr. Eric Cole is a SANS faculty fellow and course author, and founder of Secure Anchor Consulting.