Hackers target human weakness, not system weakness

What the hackers are after varies, of course.

By Jeremy Pollard, CET

“We didn’t see that comin’!”

Really? We are so ill-prepared for what is coming that I fear we will have the floor dug out from under us, so, when we step on the carpet, we will plunge into the depths of the earth.

Sorry all—more security stuff. While I have not heard of any issues with “talking Barbie” network hacking or someone stealing your recipes, there is a huge issue surrounding baby monitor cameras.

I am sure that they’re not used in any control rooms since I expect that there are IP cameras employed in many situations to provide for remote monitoring of instrumentation and for simple security purposes.

I have a few IP cameras installed in my township where I look after the water monitoring at various remote pump houses. They are used to read certain metering that is critical to the system and confirms analog scaling based on data read by the SCADA system. Some of these pump houses are 15 miles away from the township office, so it is a matter of convenience, rather than necessity.

Simple setup secures the camera. Changing the default user and password—that’s a good start, but according to the reports on the hacked baby monitors, most users didn’t know that they should.

The same goes for residential routers that are installed by local providers. They power it up; they don’t change anything including the DHCP IP range; they configure the WAN side; and then they are gone. The user really doesn’t know any different.

And we would think that the IT groups that protect our turf at work would be cognizant of the rules of engagement with the outside world. Well, it seems that group may not be as in tune with security as we first thought. I refer to the Sony hack, which by all accounts was orchestrated by North Korea.

The fodder for this column comes from a “60 Minutes” segment surrounding the knowledge base of Jon Miller, a security and hacking expert who was once paid to hack into companies and then tell them what they needed to do to protect themselves.

Miller is now the strategic VP for a company called Cylance. He is recognized as a ‘significant’ technical leader in IBM security and Internet security systems.

What he had to say about the Sony hack and the state of affairs in North America was staggering. In his estimation, at least 90% of companies have security levels that would allow an unsophisticated hacker to gain entry into their systems.

Miller estimates that there are in the neighborhood of 5,000 hackers who have the knowledge and availability to reproduce the Sony attack today. One can only imagine that more are coming online each and every day. What does this mean for us in our industrial sandbox?

Well, the Dark Web provides a few answers. For $30,000, you can buy the technology to hack into various servers, sites and personal computers behind the corporate firewall.

The most likely entry point to the corporate network is a bring-your-own-device (BYOD) such as a personal phone or laptop, or maybe even Barbie, who has an application that was “loaded” from an alternate network. As Miller states, hackers target human weakness, not system weakness.

Another individual in the segment, Kevin Mandia of FireEye, agrees with Miller, in that the system is only as good as its weakest human link. He contends that the hackers need only get into one computer, mobile or otherwise, and, when that device gets connected to the inside, it calls home and the network is breached.

What the hackers are after varies, of course. It’s all about the money, but imagine if ISIS, which hacked Centcom’s Twitter account, got into the infrastructure grid and held it hostage—for what I don’t know, but I’m sure they would have something in mind.

The Ashley Madison breach gives me chills, since I believe that nothing is sacred or safe.

The big issue that has surfaced is that the hackers eliminated data, so it could never be used again. This kind of makes an off-site backup strategy important, doesn’t it? And the IT world is wondering if this is the new normal.

Miller was paid to hack into nuclear plants by the utility companies that own them and report on the vulnerabilities, so some are taking security very seriously, since the repercussions of a nuke hack can be very deadly. Holding the country for ransom would be my first guess.

He also states that floating oil platforms have been compromised in the past, and the control-system networks have been taken over, but you don’t hear about them, since no “personal” information was taken.

James Lewis from the Center for Strategic and International Studies suggests that the U.S. had a faith-based defense when it came to cybersecurity.

I don’t think we are in Kansas anymore. The Sony hack changed the game. It’s time to learn the new rules.
