Guest Blog // Selected Security Content Provided By Sophos
What's This?
02:46 PM
Dark Reading
Dark Reading
Security Insights

Porous Network Perimeters Sometimes Caused By People

What a trespassing jet skier and the Citadel Trojan have in common

Maybe it's a stretch, but I see definite parallels in the recent news stories about Daniel Castillo, the jet skier who successfully evaded John F. Kennedy International Airport's $100 million security system, and this week's discovery of a man-in-the-browser attack using the Citadel Trojan that had compromised the virtual private network (VPN) of a major international airport hub.

The common factors that bind both events? Insufficient security measures and inattentive employees.

In Castillo's case, and according to this report on, his watercraft apparently ran out of fuel while jet skiing in a coastal inlet on Long Island. Unable to summon help on his own, the 31-year-old opted to ditch his craft and swim to the nearest lights on the horizon -- in this case the runway lights of JFK International Airport.

Once he made it to land, he then scaled an eight-foot barbed wire perimeter fence and walked undetected through the airport's perimeter intrusion detection system and across two runways before finally being stopped and detained by an employee in Delta's terminal three.

What followed was predictable: Castillo was charged with trespassing, and the Port Authority -- which manages the airport -- issued an obligatory statement promising an "expedited review of the incident and a complete investigation to determine how (its) perimeter intrusion detection system could be improved. "

In the case of the Citadel Trojan, which was announced by security vendor Trusteer, the attack was serious enough, according to CSO, to prompt the airport to shut down the VPN, essentially leaving 5,000 employees without outside access to the network and attracting the attention of federal agencies.

While Trusteer officials would not name the airport or its location, they acknowledged it's a major international hub.

As is the case in similar such attacks, the bad guys don't target, in this case, a VPN perimeter directly. Instead, they infect endpoint devices (smartphones, tablets, or laptops) of employees and then steal the employee's credentials for accessing internal applications.

As Trusteer affirms, it's that first step -- infecting an employee device -- that enables the breach. Hackers use tactics like social engineering, where employees are forwarded to a website and infected with a drive-by download. Or they're guided to a malicious website, a legitimate site that's been infected, or, more frequently, an email that asks you to download a patch to combat a virus found on your system.

However it's done, once the device is infected, the enterprise firewall comes down and the bad guys can access information and resources associated with that account at will.

So what are the takeaways from these incidents? Let's take up the JFK incident first.

• The human element. Even closed-circuit cameras -- the kind used by the PIDS system -- need employees to monitor them. As the investigation proceeds, it's pure conjecture, of course, to say employees assigned to watch the monitors were inattentive or absent from their posts. But I have little doubt it will prove to be a contributing factor.

• The technology component. This breach strongly suggests that no matter how much you spend on your perimeter security -- whether it's a few thousand dollars or even a million -- it's still no guarantee that it won't be breached and employees won't ultimately be proved to be at least partially or wholly accountable for its shortcomings.

• Pen testing. Penetration testing -- at least in this case -- shouldn't be limited to network testing alone. Castillo's "trespass" is prima facie evidence that in spite of hoping for the best and believing you've done all you can from a technology outlay to protect your perimeter, it can still fall short of your security requirements.

As for the Citadel Trojan, let's extract chapter and verse from the IT security handbook, abridged:

• Mobile security. Make sure you have technology in place that can enforce password complexity, encryption, patch status, and locate/erase devices in the event of loss.

• Enforce an acceptable user policy. Ensure your organization gives clear guidance to users in your acceptable use policy on what devices are allowed and what they are required to do to use them for work.

• The weakest link. The weakest link in your endpoint security is your employees. Make them aware of social engineering threats and encourage them not to click on links for downloadable software just because an email directs them to, or to go to some site they've never been to previously just because one of their peers or friends has suggested it. It always ends badly for the employee as well as the enterprise. Or, in the case of bring your own device (BYOD), make sure they think before they click to protect your data -- as well as theirs.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.