Welcome to the latest installment of Security Sessions, a regular feature focused on security-related issues, policies and procedures. In prior columns I have discussed some of the various threats to our critical infrastructure automation systems and ways in which exploitable vulnerabilities can be eliminated or at least mitigated. The problem is that all of the latest high-tech security toys and gadgets can be made ineffective because of poor employee training and bad security habits. The fact is, the two most prevalent ways for attackers to gain entry into our computer systems are by means of our email usage and the way we browse the Web. These days, most companies have developed (or purchased) personnel policies regarding proper email etiquette and have articulated the kinds of websites that can be visited on company time and using company equipment. These policies need to be kept updated to ensure that they address the ever-morphing methods used by attackers to exploit these tools. – Tim.
William T. (Tim) Shaw
PhD, CISSP / C|EH / CPT
In previous columns, I have stated that employee training and awareness programs can be one of the most effective tools for preventing successful cyber compromises and attacks. I firmly believe in that statement. Unfortunately, too many organizations either figure that “IT” is responsible for cyber security, and so no one else needs to be involved, or they provide some level of one-time, lackluster training at the time an employee is hired and then never again. If they have cyber security policies, it is often left up to the employee to hunt them down and read them (although employees will still be punished for breaking them – it is always good to keep a small herd of scapegoats handy!).
Because of this, potential attackers are still able to use cheap tricks and social engineering ploys to prey on those organizations. Every couple of months it seems like the evil hacker community devises yet another strategy and technique to break into our systems. The latest worm to be loosed on the Internet makes the news. Some researcher publishes a list of new vulnerabilities identified in software we all use and depend upon. And yet these things are far less likely to be the basis for a cyber compromise than the lack of proper cyber security training and the absence of good security-related procedures.
A few years back many of us received those badly written and misspelled letters from people in Nigeria offering to wire a bazillion dollars into our bank accounts if only we could provide them with the banking information. I guess some people actually fell for those amateurish scams. Today people receive emails purporting to be from their own bank or brokerage firm claiming to need account information and passwords verified. These emails usually include the correct corporate logos and have undergone spelling and grammar checks. They are far more professional than those creepy letters, but no less fake, and many people fall for them and reveal personal information that results in identity theft, or at least an empty bank account. Those ‘phishing’ scams are not specific or directed. You may get one even if you don’t do business with the bank or brokerage firm in question. They go out in a shotgun manner to every email address the attacker can get their hands on.
A far more dangerous form of phishing, and one that may be used against your organization, is called ‘spear phishing’. This is when the attacks are directed at a specific set of people and incorporate specialized information that gives them a semblance of authenticity. An example might be an email that arrives in an employee’s in-box that has your company logo and is apparently from a company executive, including showing his/her photo, correct email address and phone number (all available via public sources such as annual reports).
The email might make mention of a recent event known to the employees (and probably made public in a press release). The email includes a “link” to take the employee to a company web page with “important information”. Keep in mind that the visible text of a link and the address it actually points to do not have to match, so a link that reads like your company’s web address can lead anywhere the attacker chooses. The odds are greatly in favor of the employee clicking the link and, as a result, landing on a page that exploits a vulnerability in the browser or one of its plug-ins, which then downloads and installs a rootkit from the attacker’s system. With some proper training and an awareness program, the odds can be reversed.
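The spear-phishing cues described above (an executive's name on the From line but a different Reply-To, link text that shows the company's address while the link itself goes elsewhere, a look-alike domain, or a raw IP address) can be turned into a simple triage check. The following is an added example written for this column, not code from the author; the company domain, the sample message and the helper names are all constructed for illustration, and the registered-domain logic is deliberately crude (last two labels only).

```python
"""Added example: triage an email for common spear-phishing link tricks.
The company domain and the sample message below are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

COMPANY_DOMAIN = "example-corp.com"            # assumption: the organization's real domain
COMPANY_LABEL = COMPANY_DOMAIN.split(".")[0]   # "example-corp"

# Matches a bare domain or URL; group 1 is the host name.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?::\d+)?(?:[/?#]\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(text):
    """Host part of a URL or domain-looking string, lower-cased; '' if it is not one."""
    m = DOMAIN_LIKE.match(text.strip())
    return m.group(1).lower() if m else ""


def registered_domain(host):
    """Crude registrable domain: the last two labels (does not handle .co.uk etc.)."""
    return ".".join(host.split(".")[-2:])


def is_ip_literal(host):
    return bool(re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host))


def is_lookalike(host):
    """Company name appears in a host that is NOT under the company's own domain
    (e.g. example-corp.com.attacker.net or examp1e-corp.com)."""
    if not host or registered_domain(host) == COMPANY_DOMAIN:
        return False
    normalized = host.replace("1", "l").replace("0", "o").replace("rn", "m")
    return COMPANY_LABEL in normalized


def analyze_links(html_body):
    """Return a list of human-readable findings for the links in an HTML body."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host, text_host = hostname(href), hostname(text)
        if text_host and href_host and registered_domain(text_host) != registered_domain(href_host):
            findings.append(f"display/href mismatch: shows {text_host}, goes to {href_host}")
        if is_ip_literal(href_host):
            findings.append(f"ip-literal link: {href}")
        if is_lookalike(href_host):
            findings.append(f"lookalike domain: {href_host}")
    return findings


def _header_domain(msg, name):
    addr = parseaddr(msg.get(name, ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw_message):
    """Check headers (From vs Reply-To) and then the HTML body links."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom, reply_dom = _header_domain(msg, "From"), _header_domain(msg, "Reply-To")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to mismatch: From {from_dom}, Reply-To {reply_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings.extend(analyze_links(body.get_content()))
    return findings


# Constructed sample message, in the style of the executive lure described in the column.
SAMPLE_MESSAGE = """From: "Jane Doe, CEO" <jane.doe@example-corp.com>
Reply-To: jane.doe@example-corp-mail.net
To: staff@example-corp.com
Subject: Important information on today's announcement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Team, please read the update on the acquisition announced in today's press release:</p>
<p><a href="http://example-corp.com.secure-update.net/login">https://www.example-corp.com/investor</a></p>
<p>Questions? Contact <a href="http://192.0.2.10/help">the help desk</a>.</p>
<p>Regards, <a href="https://www.example-corp.com/about">Jane</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_MESSAGE):
        print(finding)
```

Run as a script it prints one line per finding for the sample message: the Reply-To domain differs from the From domain, the first link displays the company address but points at a host under secure-update.net, that host is also flagged as a look-alike, and the help-desk link goes to a bare IP address. The legitimate link to the company site produces nothing. A check like this is a training aid and a cheap first filter, not a substitute for mail filtering; it will miss shortened URLs, redirectors and any trick not listed here.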
Another variation on the spear-phishing scam is something called ‘whaling’ where the targets of the pointedly focused phishing attacks are corporate executives. It is always interesting to see that in far too many organizations, the executives tend to feel empowered to ignore the very same policies and procedures to which they insist that their employees adhere. In some cases they just expect the IT folks to ensure that nothing bad can happen, so they don’t have to worry about ‘that cyber security stuff’.
Having been a C-level executive in the past, I realize that there are many demands on your time and that you constantly have a full schedule. Taking time to review and refresh yourself on good cyber security practices is just one of the things demanding your attention. But because of this – and the strong likelihood of being able to find a lot of public information about corporate executives – those executives tend to fall for phishing scams at a rate that is much higher than among their employees. Better still, from the viewpoint of the attacker, many executives are lax about keeping their computers properly updated and virus scanned, and their own IT groups don’t tend to press the issue. Similarly, their computers may be given broad access in the corporate network and probably can reach systems containing financial information, personnel information and corporate intellectual property. In other words, the perfect place for a cyber attacker to establish a beachhead!
As with email, there are similar and related issues regarding web browsing. Aside from the fact that employees shouldn’t be messing around on the Internet when they ought to be working, there is a distinct possibility of letting an attacker establish a beachhead in your corporate network if an employee goes to questionable web sites. On-line gambling and pornographic web sites are well known to be major sources of cyber infection. Just by visiting such a site an employee’s computer could be infected with a rootkit or other malware. Worse, there are web sites that appear fully legitimate but that exist mainly to infect visitors with rootkits and add them to huge networks of similarly infected computers around the world (so-called ‘botnets’ or ‘zombie networks’) controlled by organized crime. If employees understand the implications – and the consequences – of unsafe web browsing, they are less likely to engage in such activity.
In most organizations the computers of employees will sit behind a corporate firewall that ‘hides’ them from the Internet using a technique called network address translation, or NAT, and that drops connection attempts which were not initiated from the inside. It is actually quite difficult to find and attack those computers from across the Internet. It usually requires going through a series of attacks, starting with your Internet-facing systems (i.e., email and web servers) and then digging deeper into your company network. But if you make an outgoing connection to another computer out on the Internet, by browsing to it or clicking on a hyperlink in an email, you establish a communication session that the firewall has to allow, and whatever the remote site sends back over that session arrives as ‘return traffic’ that can carry an exploit. I like to describe this using an old myth about vampires. That is, they can’t enter your home unless you invite them in, but if you do invite them in, you are likely to be bitten. The same is true with malicious web sites.
Employees need to know about phishing, spear phishing and whaling attacks, and about evil web sites. Knowledge is power, and they can use that power to avoid being the ‘dumb schmuck that let hackers into our network.’ Of course, there are technical mechanisms and tools that can be used to reduce the likelihood of bad things happening even if an employee DOES fall for a phishing scam. But they cost money, require IT support and maintenance, and are far from perfect. A little employee cyber security training might be a more cost-effective solution.
Another subject that needs to be part of comprehensive employee cyber security training is an understanding of social engineering techniques, of which spear phishing and whaling are just two examples. But that will have to be the subject matter for a future column... Tim.
About the Author
Dr. Shaw is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (C|EH) and a Certified Penetration Tester (CPT), and has been active in industrial automation for more than 35 years. He is the author of Computer Control of BATCH Processes and CYBERSECURITY for SCADA Systems. Shaw is a prolific writer of papers and articles on a wide range of technical topics, has also contributed to several other books, teaches several courses for the ISA and participates in several committees. He is currently Principal & Senior Consultant for Cyber SECurity Consulting, a consultancy practice focused on industrial automation security and technologies. Inquiries, comments or questions regarding the contents of this column and/or other security-related topics can be emailed to timshaw4@verizon.net.