In The Art of War, Sun Tzu wrote, "The supreme art of war is to subdue the enemy without fighting." Most people do not see it yet, but we are well into World War III, and there are no signs that it will end any time soon. Unlike past world wars, this one is fought over information. Nation-states and criminal actors around the globe are aggressively targeting government defenses, businesses and consumers. No one is immune, and even with the most sophisticated preventative measures you should assume you have already been compromised. In the words of my long-time friend Patrick Pocalyko, EVP of North America at CyberHat, "No matter how much money is spent, or the solutions deployed on security infrastructure, you will not keep determined hackers and crackers from breaching the perimeter. However, forward-thinking security professionals understand this and know how to limit the damage and restrict how hackers move once inside."
For the past several years, I have worked with dozens of technology vendors, government agencies and other organizations to assess and identify security gaps in their infrastructure. While no one is immune, several best practices can reduce the chances of a damaging breach and, just as importantly, help you keep your job, finances and reputation. For enterprises, the average damage from a data breach exceeds $2.7M and, in many cases, full recovery takes 8-10 months.
A uniform and a printer are often the keys to the kingdom
Late last year, a large healthcare chain retained my team to provide both physical and cybersecurity "Red Team" gap-analysis assessments of over 240 facilities in its network. A big part of our analysis was testing the habits and security incident response practices of the hospital employees and the contractor workforce. Over several weeks our team was able to penetrate every building, department and area within the organization, including morgues, emergency rooms, records, power plants and even maternity wards. One team member talked his way into the newborn nursery; part of our presentation to the board was a video of him waving at the cameras while surrounded by newborn babies. It was an epiphany for us as well as for the hospital: we were not detected once, by employees or by their security teams. Successful infiltration methods included "tailgating" (following employees through a door after they used their access cards) and going through "smoking doors" (doors people prop open during a smoke break). Beyond that, never underestimate the power of a uniform and a convincing story.
From a cybersecurity perspective, the first weakness we exploited was the organization's printer infrastructure. We used the printers to gain a foothold on the organization's network, and then compromised them to simulate corporate espionage. In a few cases, we were able to use the printer ports to reach sensitive network segments within the facility. In other instances, we used an open-source tool (downloaded from GitHub) that abuses the printer languages PostScript (PS), PJL and PCL. Once in, not only could we have created havoc on the network, but we demonstrated how we could have simultaneously printed every document sent to the printer on our own printers over 3,000 miles away, all without being detected.
HP's Secure Business Solutions is doing an excellent job of leading the charge in printer security. HP has made considerable investments and progress in solutions that protect its devices not only every time they boot or come online, but also across the printer network. Unfortunately, HP is one of the few companies that currently recognizes the importance of printer security and is seeking to mitigate these vulnerabilities with security solutions.
Datacenter security requires planning and attention to small details
At a minimum, organizations must practice good datacenter rack and cable hygiene. Rack and cable hygiene refers to how servers are deployed, cabled, cooled and operated, and it is not just aesthetic: it lets you track where every cable originates and terminates and, importantly, why. In another engagement, my team was retained by a financial services organization to identify potential vulnerabilities within its datacenter. During our investigation we discovered one cable that seemed to go nowhere. Further sleuthing showed that someone was using it to send sensitive financial information outside the company. A large share of damaging attacks originate from the inside, and this one cut to the heart of the company.
Another security challenge this organization faced was the lack of an in-house incident response (IR) process. For years it had outsourced its IR program to a large service provider. In the end, this resulted in delayed response times, increased monitoring expenses and a considerable investment in security software that failed the organization when it needed it most. Security monitoring and security operations centers (SOCs) are essential for most companies, but CSOs cannot outsource all of their security infrastructure to a third party. Enterprises must invest in their people, training them in process and technology so they can adapt to and overcome security challenges in-house. Outsourced resources can bolster security posture and reduce attack vectors, but it all starts in-house.
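Both the printer scenario above (a printer that starts shipping copies of every job to an outside address) and the rogue datacenter cable (a host nobody owns pushing financial data out of the building) show up in network telemetry as flows that should never exist. The following is an added example, not code from this article nor from any company named in it: it runs three simple egress rules over constructed NetFlow-style records against a constructed asset inventory. The IP addresses, device roles, allow-lists and record format are all assumptions made for the illustration.

```python
"""Egress checks over constructed flow records (added example, not from the article).

Rule 1: a device inventoried as a printer must never initiate a connection to
        anything except its print server and monitoring host (job mirroring to a
        remote site would appear as a printer talking to an outside address).
Rule 2: an internal host sending to a non-RFC1918 address that is not an approved
        egress point (proxy, mail relay) is flagged and ranked by bytes sent
        (the rogue-cable exfiltration scenario).
Rule 3: an internal source address that is absent from the asset inventory is
        flagged as an uninventoried host (the cable that "goes nowhere").
"""
import ipaddress

# Site-specific definition of "internal": RFC 1918 only. ipaddress's is_private
# also counts the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges used in
# the sample below as private, so membership is checked against explicit networks.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed asset inventory (assumption): IP -> role.
INVENTORY = {
    "10.10.5.20": "printer",
    "10.10.5.21": "printer",
    "10.10.1.10": "print-server",
    "10.10.1.50": "snmp-monitor",
    "10.10.1.200": "proxy",
    "10.20.3.12": "app-server",
    "10.20.3.77": "db-server",
}
PRINTER_ALLOWED_DST = {"10.10.1.10", "10.10.1.50"}   # print server and SNMP trap receiver
APPROVED_EGRESS_SRC = {"10.10.1.200"}                # only the web proxy may reach the internet

# Constructed NetFlow-style records (not real traffic): ts,src,dst,dport,bytes
SAMPLE_FLOWS = """\
2023-11-02T08:01:10Z,10.10.1.10,10.10.5.20,9100,48213
2023-11-02T08:01:12Z,10.10.5.20,10.10.1.50,162,240
2023-11-02T08:02:00Z,10.10.5.21,198.51.100.23,443,7741203
2023-11-02T08:02:05Z,10.20.3.12,10.20.3.77,5432,120400
2023-11-02T08:03:30Z,10.20.3.77,203.0.113.9,8443,982112233
2023-11-02T08:04:00Z,10.10.1.200,93.184.216.34,443,5512
2023-11-02T08:04:20Z,10.20.3.99,10.20.3.77,5432,8800
"""


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of the site's RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse comma-separated flow records into dicts with typed port/byte fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_anomalies(flows, inventory, printer_allowed_dst, approved_egress_src) -> list:
    """Apply the three rules; each flow yields at most one finding, rules in priority order."""
    findings = []
    for f in flows:
        role = inventory.get(f["src"], "unknown")
        if role == "printer" and f["dst"] not in printer_allowed_dst:
            findings.append({**f, "role": role, "rule": "printer-egress"})
        elif (is_internal(f["src"]) and not is_internal(f["dst"])
              and f["src"] not in approved_egress_src):
            findings.append({**f, "role": role, "rule": "unapproved-egress"})
        elif role == "unknown" and is_internal(f["src"]):
            findings.append({**f, "role": role, "rule": "uninventoried-host"})
    return findings


def rank_by_bytes(findings) -> list:
    """Largest senders first: the exfiltration candidates an analyst looks at first."""
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    hits = find_anomalies(parse_flows(SAMPLE_FLOWS), INVENTORY,
                          PRINTER_ALLOWED_DST, APPROVED_EGRESS_SRC)
    for f in rank_by_bytes(hits):
        print(f"{f['rule']:<20} {f['src']:<14} ({f['role']}) -> "
              f"{f['dst']}:{f['dport']}  {f['bytes']} bytes")
```

On the sample data the print server pushing a job to a printer on port 9100, the printer sending an SNMP trap to its monitor, and the proxy reaching the internet all pass; the second printer contacting an outside address, the database server sending nearly a gigabyte to an external host, and the unlisted 10.20.3.99 address are the three findings. In a real deployment the inventory and allow-lists would come from the CMDB and firewall policy rather than literals, which is exactly why the cable-hygiene discipline above matters: a rule like this is only as good as the inventory behind it.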
On a positive note, many companies specialize in helping organizations understand these threats. They help their customers adopt and deploy the solutions, systems and services that prepare them to mitigate the damage of future breaches. Successful companies take a hybrid approach to managing cybersecurity threats from the inside: SOCs provide overwatch, and software providers help manage incidents and reduce false positives within the network. It will take an all-encompassing approach to survive the next generation of cyberwarfare.