BRIAN FAWCETT (BF): Earlier this year, Asher de Metz, Security Consulting Senior Manager at Sungard AS, joined us to share a fascinating story of how he broke into a high security office and hacked into their network during a pen test. Well, there's more where that came from.
I'm your host, Brian Fawcett, and this is IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available.
Today, Asher is back to share another one of his pen testing escapades, followed by a more in-depth discussion on how he accomplished it and what lessons businesses can learn from it. Without further ado, here's Asher.
ASHER DE METZ (AD): Thank you, Brian.
Yes, this is a really interesting story. Very often, we're talking about testing stories of offices or other high security facilities and this one is a story just about a grocery chain. And of course, grocery chains, these sort of companies, they take in credit cards and process a lot of transactions and handle a lot of money. And so, as part of their security endeavours, we want to see, can somebody gain access to sensitive parts of the store and can they gain access to the networks in the store as well?
You’d actually be surprised how often it happens that people in real life do actually try and gain access to sensitive parts of the store or the network. They come in with a story. I’ve spoken to a lot of managers and employees of these types of retail chains, and it happens quite a lot. And I drove over to this targeted store and had a little drive around, had a look at what was around the building and eventually just decided to have a walk in.
And once in the store, I looked around, and eventually discovered after walking through the back, and nobody stopped me at the front of the store, that there was a stairway up to a second floor. And so I just walked up and nobody actually stopped me and I had a walk around into the cafeteria area for the employees. I found a room that seemed to be a room for training new employees, so I just walked in. There were a few people there on computers and no one was actually at the front. So I just grabbed a spare computer, pulled the cable out, put it into my laptop and started hacking away and got very far quite quickly - access to terminals and things.
And then somebody came in, and they looked to be the trainer and they sat at the trainer’s desk. This lady looked at me, I looked at her and I just confidently got back to work. And after five minutes, six minutes, she said to me, “Can I help you? What are you doing here?”
And I said, “I’m from head office, IT, just doing some updates on the network and I'll be finished in a moment.”
And after another five minutes of just hacking away, she was happy with that. After another five minutes, she says, “Well, does Dave know you're here?”
“No, he doesn't really know I'm here, you know, I usually just plug in, get to my work and leave.”
OK, well, a minute later she says, “Well, I just called Dave just to let him know you're here.”
I said, “No problem, you know, you do that, I'm actually finished now.”
I thought it was a good time to finish up. I had quite a lot of good data. I got access to some good things, and I got some good results for the client. So I start packing up my laptop and as I start going out the door, she starts following me. Well, I thought “you know what, I'm just going to walk a bit faster.” And I went through the wrong door for the wrong stairway down and it sets off an alarm.
So I decide to close the door, the alarm is still going off. I go down the right stairway and she's still following me, and I go past the cash registers on my way out and I hear a call from a gentleman behind me, “can I help you sir?” And this lady’s screaming, “that’s the guy. That's the one. That's him.”
So he goes, “can I help you? What are you doing here?”
I said, “well, I'm from head office and I’m from IT.”
And he says, “I heard that.”
And I said, “Well, the real reason I’m here is not for updates. It’s because there was actually a breach on the network last night and I’m here to investigate. I’m from the IT security team.”
And I'd already come prepared with printed out business cards and printed out work orders with store numbers in there. All information I could find online. And I said to him, pulled him close and said to him conspiratorially, I said, “This is very serious. Do you know the link between this store and this store, because last night at 3 am, these were actually breached and a lot of money was stolen, a lot of credit card information stolen. This is really really serious.”
And he looks very worried and goes, “I don't know what the length could be.”
And I said, “Look, this is really serious. I want you on a call later on this afternoon with you, me and my manager. We’ve got to talk about this because this is very, very, very serious as you can imagine.”
He says “Yeah.”
Now this lady, who is a trainee, trainer rather, she's coming to me, “Do you want me to call someone? Do you want me to call security, police?”
“No, no,” he says, “Go away, go away.”
So I say, “Let me take your phone number. Let me take your cell phone number. I'm going to get you on a call.”
I took his information, took his email address, phone number and said, “We're going to go on a call this afternoon. And I’ll call you later, I’ll conference you in later.”
He goes, “yeah, you're going to call me, right?”
I said, “Absolutely.”
So the alarm’s still going off. I make my way out of the store as quickly as possible, get to my car and drive off. And then I get a call from the project manager and the engagement manager and he says to me, “Were you just testing at this particular store?”
I said, “Yes.”
He goes, “Because I got a call apparently that the alarm’s going off, and the fire and police have been called.” [laughs]
So I tell him the story and he's laughing away and thinks it is absolutely brilliant.
He says, “You did well. You got out in the store. You demonstrated that. But you really should go back into the store to let them know that was a test because every time the alarm goes off, they have to call the fire brigade and they have to call the police. It’s just standard. So don't worry at this point I'm going to call, I'm going to sort it all out.”
So he did that and that was the end, and it really offered a lot of value for them to make changes and improvements to their processes, so that if this happened for real, they’d know exactly how to react to it.
(BF): Oh my goodness, Asher. Well, first off, thanks for coming back on the podcast and sharing another story with us.
(AD): You're welcome.
(BF): Where to even begin here? So, I'm a bit floored that you were able to make it up the stairs to the second level, enter that room, connect your laptop, gain access to the network. All of this without even being stopped or questioned further by anyone. In fact, it took a while before that single employee even said anything to you. Is this common?
(AD): Unfortunately, it's very, very common. People in the West are very nice. They want to not really cause anybody problems, not ask too many questions. And this is OK, you know, this is OK. We find it more in California and places like that where they’re extremely nice, a lot less so across the East Coast, maybe there's a little higher security. The trouble is that this is OK, but we put too much responsibility in the hands of employees on all different levels, whether it's technical or physical. When employees are given too much power to make mistakes, well, someone's usually going to slip up and open up possibilities for breaches or for other situations to occur.
(BF): You were able to gain access to the network relatively quickly. What could this company or organisation have done to better secure its network?
(AD): Critically, it’s important that no foreign device should be able to be simply plugged into the network. It should recognise that this is a foreign device and the port could have been shut down. It could have given an alert to an admin that something like this happened for it to be investigated. It could have even been put on a guest network instead. That would have been a good idea. There are always workarounds for hackers on this. But that would have been one of the first things that I would certainly recommend in order to protect the network from foreign devices.
(BF): Let's go back to talking about the physical security. As I mentioned, it took a bit of time for anyone to even question your presence. How should businesses approach these situations going forward?
(AD): Well, it starts with knowing who's supposed to be there and who isn't. For instance, how many trainees are really participating that day? What are their names, etc.? Having an understanding of the presence of who's supposed to be there and who's not.
And then also, feeling comfortable to ask for identification. It took a while for this lady to ask for identification and there needs to be a culture where people are quite happy to ask and be asked without any offence being caused. And while identification can be easily forged, it's just another line of security that businesses can and really should implement in events like this. It really comes down to the security principle of security in-depth, multi-layered approaches.
Also having a protocol in place to confirm that an individual’s story checks out. If you didn’t receive an email or notification that someone’s coming down to perform an update, that person is really likely not supposed to be there. And what we've trained a lot of stores in now is that somebody turns up on site, yes, they should have that email confirming and they should have their own number to call to confirm who that person is as well, not just a number that the person gives them. So all these things are critically important to put into place.
(BF): So Asher, after you were able to break in, what measures did the company put in place after that, and what, if anything, changed in their security?
(AD): Well, similar things to what we just mentioned. Certainly, they tried to put a culture in place where employees are comfortable asking who people are, but then not putting the power into their hands to make mistakes. They certainly did lock down the network as well based upon understanding foreign devices and then pushing them over to a guest network if they're not recognised and the alerts for that. Then also the system I just mentioned, the procedure I just mentioned, whereby they will get an email if somebody’s supposed to be on site and know exactly who to call to validate that they're supposed to be there and the identification for that. And that's worked very well for them since. And future tests they've done pretty well in.
(BF): It should never be this easy for an intruder to gain access to your company's network, but it happens all the time. And while your employees should be knowledgeable, educated and take security to heart, it's a disservice to your company to assume they're capable of being your first and last lines of defence. The most resilient organisations prioritise the basics, take a top down approach to security, installing clear policies and governance, that’s used by all. Asher, I appreciate your time today to come back on the show.
(AD): Yeah, thanks for having me.
(BF): Asher de Metz is Security Consulting Senior Manager at Sungard AS.
You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow.
Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they’re available.
IT Availability Now is a production of Sungard Availability Services.
I’m your host, Brian Fawcett, and until next time, stay available.