Are there really ‘war stories’ from the world of cybersecurity? This week, Shamane Tan, Chief Growth Officer at Privasec, proves to us that – yes – there are indeed dramatic war stories the likes of which Hollywood producers dream about.
You must hear about all sorts of inventive ways to breach organisations. What are some of the experiences you’ve seen through the work you do?
There are lots of stories! Let me start by rewinding a bit and explaining what Privasec is and how these stories came about. So, Privasec is one of the fastest-growing cybersecurity companies in Southeast Asia and Australia. We specialise in governance, risk and compliance. But the interesting bit is that we also have a team that does ethical hacking for businesses.
Some of the projects they have been involved in include social engineering their way into boardrooms, gaining access to classified information and cloning access cards, as well as Wi-Fi hacking. Their objectives are to locate top-secret data centre operations. I can share with you a real-life war story, and we call it the Incognito War Stories.
I can’t wait to hear about it. What happened?
In one of our engagements with the critical-infrastructure sector, we were given two objectives. First, to find and access the control room – they didn’t tell us which of the five sites this control room was located in. Second, to see if we could connect to the SCADA network to prove the possibility of a major disruption.
The team spent quite a bit of time initially doing open-source intelligence gathering and surveillance of the site. We actually used drones as well to perform reconnaissance of the buildings and help us gain a quicker mapping of the perimeter and the internal layout. We also looked at identifying the shift and roster patterns of the employees, and then we found the right time to really action everything.
What we did was we broke into the site using a ‘shove-it’ tool, which you use by shoving it between the door and the door frame. And actually before the whole engagement, we had to buy uniforms to look the part. The funny thing is we could have saved some money because in the very first room we got into, we found a whole box of brand-new helmets and uniforms just sitting there. It was easily accessible.
We had about two or three of us on the day itself. One of us had a checklist, but he was pretending to do an audit. And you’ll be surprised to find that most people would rather avoid auditors, so we didn’t really get many people challenging us. In fact, they just thought it was part of the routine. And do you know how we found the control room?
You asked someone?
Yes! We simply asked the staff to show us everything. Because the more we said we were doing an audit, the less we were challenged. So they said, “OK, what do you want to see?”
Along the way, we managed to connect to a network port and scan a network for evidence of critical systems. Obviously, we didn’t want it to be invasive because we wanted to prevent any real disruption to the environment itself. What happened is on our way out, we bumped into a janitor and we instructed him to provide us with his access card for inspection. Then we created our own copy of it. We cloned the access card right in front of him. He thought we were auditing his card, but we were cloning it on our laptop. That gave us a lot of access.
So what happened next?
In every engagement, we need to have a ‘get out of jail’ card because these engagements are very dangerous. If we are questioned, we need to have the right documentation to show that we’ve been authorised to do these activities and that we are not there illegally.
What happened next was actually quite interesting. A security guard found us as we were just about to leave the site. He actually stopped us because he thought maybe something was a bit amiss. So we explained to him that we were there to conduct an audit of the doors. Now, this was our chance to just show him our ‘get out of jail’ card. But instead, we actually tested the boundaries. We gave him a story. We said we were auditing the doors. We provided a fake letter of authorisation, and we wanted to see how he would respond. But unfortunately, he didn’t verify the letter. He read it and he didn’t make any calls to confirm. He just saw the name there, the numbers and the signatures.
Then, he proceeded to take us around, gave us a tour of the whole place because he was really eager to help facilitate the repairs and security enhancements. He said, “I’ve been talking to management for so long and asking them to get all these things fixed. I’m so glad that you guys are here.” And then he proceeded to show us all the security gates of the environment.
This is a great example of a well-intentioned staff member, but he misunderstood policies or he was not feeling empowered enough to appropriately challenge strangers. And this is an example where, in cases like this, it’s not about pointing fingers or blaming people. At the end of the day, we need to secure the human element itself. We need to continuously raise awareness and we have to ensure that we have the right processes that are being enforced.
So that gap for this particular organisation, was it a training issue, an awareness issue or a process issue – or was it a combination of everything?
That’s a good question. We find that different scenarios play out differently for different organisations. Sometimes even the most secure or aware person makes the same mistakes. It depends on what’s going on with him personally at that point in time. Maybe he’s feeling down, feeling worried and then not being aware or alert enough to pick up on things that are not the right behaviours.
There is also a delicate balance in communicating vulnerability findings to business leaders without them feeling like it’s a strike against the way they operate. It’s a learning process for the benefit of the whole organisation.
Want more insight into the world of security, identity access management, biometrics and more? Get your weekly fix with the Identity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.