Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Hacking Critical Infrastructure Companies -- A Pen Tester's View

At the RSA Conference, a penetration tester outlines some of the elements of a successful attack on energy companies

Dramatic attacks can have simple beginnings, even when the target is a critical infrastructure company.

RSA Conference 2014
Click here for more articles about the RSA Conference.

This is certainly true if Andrew Whitaker's experience is any indication. Whitaker is director of penetration-testing services for Knowledge Consulting Group. A the RSA Conference last week in San Francisco, he took the stage and described the ways pen testers pwn, con, and otherwise sneak their way past security.

For Whitaker, it starts with phishing emails targeting SCADA engineers.

"We go after you because you know how to get into the industrial control systems, and we want to find out how are you getting in there," he told attendees. "I could try to brute-force your login credentials, but it's so much easier just to ask."

How much easier? According to Whitaker, 18 percent of the people fall for these password phishing requests -- not an insignificant number, considering the fact that an attacker needs only one set of account credentials to access a network. It could start off with the spoofing of a login page for Microsoft Outlook Web Access, for example.

The email would include a link to the spoofed page and pretend to come from a system administrator requesting the user follow the link and log on for some reason. When a user does that, his or her username and password would be captured.

The most effective phishing emails are short and sweet, he explains.

"What we've discovered is that when you do really long phishing emails, if somebody knows the sys admin, they are going to read it and go, that doesn't sound like him at all," he says. "So keeping it short [and] to the point has been far more effective."

That is far from a shock to Rohyt Belani, CEO of security firm PhishMe.

"The most effective phishing emails take a tone of authority and instill a sense of urgency -- for example, threatening to lock a user account if the password is not reset," he told Dark Reading in an interview. "Based on our experience training more than 5 million users, phishing emails that create urgency by threatening negative consequences are 20 to 25 percent more effective than emails that offer the recipient some kind of reward."

When training to spot phishers, most organizations focus on technical details, such as recognizing malicious URLs and headers, Belani says. While that's important, the first step should be to instill a healthy dose of suspicion.

"Users should first ask themselves whether they tried to reset their password, and, if not, view the email with suspicion," he says, adding employees should notify the IT department if the email is questionable. "It's possible that an attacker is trying to reset their account, but this is most likely a phishing email."

But the social engineering employed by Whitaker's pen testers did not end with clever emails; it continued from there as needed to include pen testers getting inside the building using fake employee badges and ruses, such as pretending to be support staff for a company performing network monitoring for one of its targets. Then there was always the prospect of sneaking in the door behind employees smoking outside.

"For me, I don't smoke anymore. I used to," Whitaker says. "But I will smoke in order to hack into your building."

Once inside, the pen testers were able to wander around buildings. Getting around can be tricky, but a good supply of canned air can help.

"You guys know those doors that have the badge access, but then on the other side there is a sensor, so when someone's coming up, it senses them and then automatically unlocks the door? Well, this is an old pen-tester secret -- you take the can of air and you just spray it along the crack of the door. It triggers the sensor, and now you can get in," Whitaker says.

The ultimate goal, of course, is to get access to the SCADA network.

"We'll target the SCADA engineers," he explains. "We just spy on them. We'll spend an entire day ... just monitoring that engineer. We want to find out how they are getting in. We may take screenshots. We may inject keyloggers."

The bottom line, he says, is that critical infrastructure companies need to do three things: secure their people, involve their people, and invest in their people.

"I would not have been able to get in most of the time if the phishing attacks didn't work," he says. "I would not be able to get in if I did not see the people making these mistakes."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.
CVE-2019-3758
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.