A Pen Testing Expert Shares the Secret Ways He Gains Access to Businesses
Steve Stasiukonis’ company, Secure Network Technologies, does all kinds of pen testing. When we say all, we mean it—Secure Network has even successfully “shipped” a person in a FedEx box to demonstrate the vulnerabilities of a company being threatened by an activist group. They created a special container, supplying it with a life support system and a periscope. Then, they wrapped a van with vinyl to look like a FedEx truck and donned the appropriate uniform. It was just “like Ocean’s 11,” Steve says. Needless to say, his team was successful.
Read on to find out some other entertaining stories Steve shared with us, along with his thoughts as to why cybercrime is booming.
Q: In the first part of our interview, you were talking about pen testing and how you find your way into companies’ networks. Can you finish talking about some of the more unexpected ways you find access?
A: Sure. Believe it or not, war dialing and testing the analog or VoIP environment is still a valid concern. We still dial thousands of phone numbers from companies and we still find vulnerabilities. We find alarm systems to the building, we find heating and ventilation systems, we find all sorts of different infrastructure items, everything from MRI machines to fish tanks. Believe it or not, there's stuff out there that's connected that's still a concern, and if you gain access to that and it happens to be tethered to the internal network, it's a slow ride but it's still a viable way of getting inside that network. We still dial every desktop and handset. But you know what, if you get access to a VoIP system and if you pen test it and you're able to compromise the call manager, you can turn a company into your telecom provider -- and a lot of bad guys do that. They leverage it for all different purposes. You know, they could sell that service; they can use that for communication. Typically, the result is a giant phone bill at the end. It's another loss. Last but not least, social engineering is a vector that has to be tested -- specifically end-users, you know, endpoint baiting, and dropping thumb drives.
We also test the physical security of getting into a building. In fact, we just broke into a building overseas in Asia. We had to defeat a facial character recognition system and it wasn't terribly difficult. It simply took a little bit of knowledge and intelligence gathering about the people that work there, identifying the receptionist and who she was, identifying some of the leadership in the building and then spoofing an email to the receptionist, as if we were the leadership, to tell her that our person was going to show up. And then he just walks right by the facial recognition system. And they greeted him and let him in the building. He went back inside there, I think two or three times, and then he put our system in for us to toggle into their network remotely. Now we had access to the inside of their system and their network. We found the facial recognition system and defeated the controls on that so we could add our users if we'd like. So, social engineering is very powerful. It takes a lot of effort. But once again, it’s leveraging the user's path of least resistance.
Q: Why do you think cybercrime has exploded over the past few years?
A: I think there are two reasons for that. It doesn't take much to become a hacker. If you want to become a ransomware hacker, there are probably hundreds, maybe thousands, of applications that you can download. To make malware, you just change a couple little things on the exploit that you're building. I think the combination of crimeware applications and cryptocurrency has helped. In the past, you had to find a money mule to do a wire -- and that does still happen. But the advent of Bitcoin and this pseudo-anonymous currency has really made things explode. Ransomware is a perfect example. Nobody's asking for MasterCard and Visa. Heck, they don't even want cash. They want Bitcoin or some other form of digital currency.
Q: Is there anything else regarding protecting your company that we haven't talked about?
A: The most common weakness is the users. And I'm very passionate about this, but don’t give that monolithic garbage training you just click through and then call it a day because you've met the requirement. Make it relevant not to just the business but to them as people. You've got to train the users so that they understand that when they go home, not to let a breach happen by clicking on stuff. It affects them at home as well.
If somebody hacks their personal email -- some hacker in some other country, whether he makes $300 or $3,000, he's content. Make the training relevant to the user personally as well as for what they're doing at work because they don't have an IT group at home.
Q: So, if your best friend owned a midsize business, what advice would you give him or her?
A: Take everything seriously. The first thing that you may want to do is buy insurance. Look at what your business policy covers and ask a lot of real specific questions, like if this happened, what would you do for me or if this happens, how will you take care of this? Everybody looks at their policy and they see a component about cyber threat or cyber theft or a crime and they make too many assumptions. Talk to your agent and ask a lot of very difficult questions and find out whether you need to buy more coverage.
The second thing is to make sure your attorney is versed in cyber law and understands what's happening. A lot of lawyers today are trying to play catch up. If something happens, you need somebody who's really well versed in this area.
Then another thing is to spend some money -- I know it's hard -- on the technology that protects your users and protects your perimeter. If a crime happens, it will also help you figure out what happened.
It's nice to have tools that you can look back at and say, wow, he went here, he did this. Now we know he took this or he was into this system. Most people don't have anything that can give you an idea of what just went down. All those ones and zeros that are being tracked let you kind of put the crime back together and figure out what happened.
Q: One last question: What's the most damaging or craziest thing you've seen happen to a business?
A: This happened about two months ago. A company got locked up and ransomed. What happened was that the hacker found a remote desktop opened up on their perimeter, got access to the inside of their network, found their predominant business system, encrypted it, and then went through and encrypted every other server and most of the desktops. Then, he left a ransom note.
In less than 24 hours, another hacker -- a different hacker -- found that same avenue in. They encrypted all the stuff from the previous hacker and left a second ransom note on another system. So, now this company is going to pay to decrypt the system. We told them don't do it; we think there's something wrong here. We don't see a pattern. We're not seeing the same encryption and we're not seeing the same variant. For some reason, they fought us tooth and nail. Then we confirmed it; if they had paid the ransom from the second hacker, they'd have nothing but more encrypted data and they'd then have to pay another hacker to get access to their systems. It tells you how many bad guys are out there, that they're stepping on each other.