To protect a company’s crown jewels from a cyber attack, a security expert will have to think and act like a hacker. Sometimes, he or she must realise that the first point of attack is not digital, but physical.
Social engineering is often how that physical entry is made, said Paula Januszkiewicz, founder and CEO of Cqure and a seasoned penetration tester. She is not shy about saying that she finds ways into places where she is not allowed. Recounting an engagement in which she was testing the security of a financial house, she described slipping into the office without being stopped or checked. When a trader stepped away from his desk, she sat down, inserted a USB drive and copied company information. No one asked her any questions even though she was a stranger. She had successfully penetrated the company.
Her modus operandi: in the lift lobby of the office building where the financial house was located, she appeared helpless, fumbling in her handbag and pretending to search for the office pass that would let her through the electronic gantry. She held up the queue in front of the gantry until an executive walked up to help, scanning his pass once for her and once for himself so that both could get through to the lift.
When the lift door opened, the executive let her walk out first, then used his pass again to badge her through the door to the office. He was under the impression that she was staff. Once inside, she walked around as if she belonged, even making conversation with other people there. An opportunity opened when a trader stepped away from his desk without powering down his computer as he was supposed to. She sat down, inserted a USB drive and copied the company's data.
Januszkiewicz, who described this on Day 2 of RSA Conference 2019 Asia Pacific & Japan in her keynote, "Think and Act Like A Hacker To Protect Your Company's Assets," has been practising this method for 10 years without being caught. Her learning point: social engineering is common in cyber attacks and can begin with an unauthorised physical intrusion. Employees should be attentive and challenge strangers. Office rules such as preventing tailgating and powering down computers when away from the desk must be strictly followed. They are as important as the digital tools used to secure IT systems and data.
These were some of the gems on security protection and defence that surfaced on Day 2 of RSAC 2019 APJ. The eternal challenge for cyber security professionals is to keep up with old threats as well as new ones that are more sophisticated, advanced and nimble. The bad guys are always looking for vulnerabilities and for new ways to get around protection and defence systems.
The keynote panel on "The Five Most Dangerous New Attack Techniques and How to Counter Them" highlighted some old and several new developments that cyber security professionals should be aware of. The panelists, all from the SANS Institute, were Robert Lee, My-Ngoc Nguyen and Stephen Sims.
Some threats exploit processes that have not been followed or maintained regularly, they said. Systems that were supposed to be patched were not. Software and asset inventories were not properly maintained, which meant that no one knew which systems had been patched or updated, or when. All of this led to data breaches.
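The inventory failure the panel described is straightforward to check for once the data exists: compare what is actually on the network against what the inventory says, and flag anything with no recorded patch date or a patch date older than the policy allows. The script below is an added illustration, not code from the conference or from SANS; the inventory CSV, the list of observed hosts, the 30-day patch window and the reference date are all constructed sample values.

```python
"""
Reconcile a software/asset inventory against hosts seen on the network and
report the three gaps the panel warned about: hosts nobody tracks, tracked
hosts whose patch state was never recorded, and hosts patched too long ago.
All input below is constructed sample data for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed inventory export (e.g. from a CMDB). An empty last_patched field
# means nobody recorded when, or whether, the host was ever patched.
INVENTORY_CSV = """hostname,owner,os,last_patched
web-01,platform,Ubuntu 18.04,2019-07-10
db-01,data,Windows Server 2016,2019-03-02
hr-app,hr,Windows Server 2012,
"""

# Constructed list of hostnames actually observed on the network, for example
# from a vulnerability scanner or DHCP lease logs.
OBSERVED_HOSTS = ["web-01", "db-01", "hr-app", "legacy-ftp", "jumpbox-2"]

# Assumed policy: anything not patched within 30 days is reported as stale.
MAX_PATCH_AGE = timedelta(days=30)


def parse_inventory(csv_text):
    """Parse the inventory CSV into {hostname: {owner, os, last_patched}}.

    last_patched is a datetime.date, or None when the field is blank."""
    assets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["last_patched"].strip()
        assets[row["hostname"]] = {
            "owner": row["owner"],
            "os": row["os"],
            "last_patched": date.fromisoformat(raw) if raw else None,
        }
    return assets


def reconcile(assets, observed_hosts, today, max_age=MAX_PATCH_AGE):
    """Return the three gap lists, each sorted for stable output."""
    untracked = sorted(h for h in observed_hosts if h not in assets)
    unknown_patch_state = sorted(
        h for h, a in assets.items() if a["last_patched"] is None
    )
    stale = sorted(
        h for h, a in assets.items()
        if a["last_patched"] is not None and today - a["last_patched"] > max_age
    )
    return {
        "untracked": untracked,
        "unknown_patch_state": unknown_patch_state,
        "stale": stale,
    }


def report(csv_text=INVENTORY_CSV, observed_hosts=OBSERVED_HOSTS, today=None):
    """Run the reconciliation and return the gap dictionary; also print it."""
    today = today or date.today()
    gaps = reconcile(parse_inventory(csv_text), observed_hosts, today)
    for category, hosts in gaps.items():
        print(f"{category}: {', '.join(hosts) if hosts else '(none)'}")
    return gaps


if __name__ == "__main__":
    # Constructed reference date so the sample output is reproducible.
    report(today=date(2019, 7, 18))
```

Hosts in the "untracked" list are the ones that matter most: they are on the network but in nobody's inventory, so no patch process will ever reach them. Feeding the script real exports from a scanner and a CMDB is the only change needed to use it in practice.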
They also highlighted that supply chains are coming under heavy attack. Suppliers to large companies are increasingly being targeted: once the hackers get into a supplier's IT systems, they use them as a launching pad into the larger companies the supplier serves. Often the malware stays in stealth mode, learning the behaviour of users and the network and waiting for the right moment to strike.
The panelists also pointed out that hackers are using machine learning to "teach" phishing campaigns how to bypass defences.
Hackers are also targeting industrial systems, specifically the safety systems, and their aim is to harm people. Such attacks have already been seen in Europe and the Middle East. The intent was not to take the safety system down but to "break" it so that it no longer protects the people around it, said the panelists.
Day 2 discussions were broad, covering several themes including threats to mobile, Internet of Things and industrial systems; the use of AI in cybersecurity; and fake news and image manipulation. Many of the sessions were not only informative but also offered practical tips for security practitioners.
To end an exciting day, Strobes, a startup from India, won the RSAC 2019 APJ Launch Pad innovation challenge for its platform that connects developers, security professionals and automated scanners to find, prioritise and respond to vulnerabilities quickly. Its prize is kiosk space in the Early Stage Expo at RSA Conference 2020 in San Francisco. Strobes was one of three finalists who pitched their ideas to investors in front of a live audience. It was a fun evening, starting with cocktails that might have somewhat lubricated the entrepreneurs' pitches.
The Launch Pad is RSA Conference's innovation programme to help cybersecurity startups move from pilot or stealth mode to proof of concept and scale. This is the first time it has been held here. Innovation is close to RSA Conference's heart, as it seeks to help entrepreneurs develop fresh solutions that make an impact in the cybersecurity space.