Cyber Security - Assessment - The First Step
Author: John Gilbert, AKA Cyber Security Consultant
Date: Friday, June 8th, 2018
I signed the visitor log and waited with my coworker in the entranceway of a large utility provider. The receptionist was cordial but very thorough in checking our work order documents and our ID badges, suspended by lanyards from our necks. The newly-installed security cameras gazed down impressively as our escort arrived. “I’ve been expecting you!” Off we went to inspect the two server rooms, one of which contained the controls to a major section of infrastructure. My colleague and I became experts at the company’s information network and physical security systems, taking pictures and detailed notes the entire time. Before long, we were back on the road home and celebrating a successful day’s work. Unfortunately for the company, we had been lying the whole time.
Penetration testing, or ‘pentesting’ as it is often called, is really just a modern term for the venerable old art of breaking and entering. In the world of cybersecurity, however, it is a legal and effective way for companies to see if their security measures work. In this case, the utility company’s corporate headquarters had hired us to assess the security at one of its facilities. Our team spent two weeks combing over their information network from the outside, looking for a traditional way to ‘hack’ in using the Internet. No luck. Fortunately, we found out from simple Internet searches that the company was undergoing a third-party audit by a large, national company that does such things. It was then a simple task to print up a fake work order on the company letterhead, and print out some ID badges bearing the audit company’s logo. With about $5 worth of paper and ink, we gained access to the company’s most sensitive and critical areas.
Prevention of incidents like this starts with a simple security assessment or audit. Recently, the Department of Defense has started requiring at least a reasonable level of compliance with the new standard NIST 800-171. This is not merely another ‘check-the-box’ compliance requirement that generates yet another binder full of useless information that will sit on the production office shelf, collecting dust. It is, in reality, an investment with a real return – full of action items that can help to keep processes up, keep the network clear, and keep employees working on customer business instead of putting out fires.
Take the above example. While the utility company was complying with NIST 800-171 items that require visitors to be escorted, visitor logs to be kept, and access to the server rooms to be monitored at all times, a simple assessment beforehand would have shown deficiencies in other NIST-required areas:
- Vetting third-party IT workers
- Review and approval of publicly available information
Assessing compliance with NIST 800-171 earlier, a relatively simple and painless task, would have prevented my team from lying our way into their networks. While I was in their facility that day, incidentally, I dropped a handful of USB thumb drives containing a simulated virus. Employees found these and plugged them into their computers. A quick NIST 800-171 assessment would have pointed out that they also had no policy governing the use of removable media, including ‘found’ thumb drives.
I went back to the utility company the next night and used my new knowledge of their security systems to climb a fence, break in, and defeat the lock to their main server room – despite there being a security guard on duty inside. At my fingertips were the controls to shut off utilities to 200,000 customers. At my whim I could have destroyed all of the equipment, too. Of course, I did nothing but ‘simulate’ these things for my report. From the report the company learned that the return on the investment is real, and so is the damage that can be caused by non-compliance, even for companies that are not in the DoD supply chain.
Advantage Kentucky Alliance has been working with our network of affiliates to put together some critical Cyber Security services. To inquire about these services, or any of our broad array of services, contact Kurt Felten, our marketing specialist, and have him set up a time for you to meet with one of our experts. Kurt can be reached at (606) 620-0076 or via email at firstname.lastname@example.org. You can also see our AKA website for more information. Just go to www.AdvantageKY.org.