SecurityLah - the Asian Cyber Security Show

Ep 1. Capitol Hill Insurgence - Impact to Information Security

January 19, 2021 SecurityLah Season 1 Episode 1

When protestors stormed Capitol Hill, physical security breach aside, there are implications for cyber security as well. Physical boundaries, even with the best security forces, failed to prevent insurgents from entering a highly secured location. This caused losses of information, in both physical and electronic forms.

Wed, Mar 29, 2023 11:39AM • 21:53


00:23

Welcome to the SecurityLah podcast.

00:33

Guys, you know something, I was doing work late at night and I saw startling news: a riot occurred. And it's not in any of the developing countries. It's in the United States of America. And guess what? Their administrative center, Capitol Hill, and a whole bunch of people storming, and there was like an insurgence going on. I could see people with tactical gear and zip ties going into the building. Man, that's a scary sight to see. What do you guys think about it?

01:06

I bet it has something to do with President Trump having to give up his seat.

01:13

Yeah, I heard he lost the election. But it seems he was taking some legal action. And I guess that didn't go quite well. Do you guys have any idea what happened after that?

01:26

So apparently, from what I hear and read, there were some social media messages out there asking his supporters to, you know, storm the building, or basically protest and things like this. And I believe one thing led to another and there was an escalation into the Capitol Hill building. It started off slow, and then it became full-blown, right, where people broke into the building. And it's certainly very clear what exactly the intentions were after that. What was the plan? Were they taking hostages? Was it going to get even worse? We don't really know, because all the people in the building were evacuated immediately. There was an emergency in there. And apart from all this, I believe certain devices like, you know, laptops and everything were being stolen. And also, possibly, the network being, like, you know, attacked. So one of the questions that does come to mind is, you know, what if someone in the organization could face something similar, where you may have a physical breach, someone breaks into your network, you know, steals your devices, plugs in a rogue device, you don't really know. So what exactly could we do in a situation like this?

02:44

So let's look at this problem and compartmentalize the issues. The first one is a physical compromise, which means a third party has gotten access into the physical building. So what can we do to secure that? Secondly, an asset is most likely stolen. In normal situations, you usually hear about laptops getting stolen. But today you have tablets, you have NUCs, those computers with very small form factors, or even desktops. And these devices can also be stolen. So you have the second part, which is the devices being stolen. And the third part is the aftermath. What else could have happened when your physical side gets compromised? So let's look at it in three different sections, and let's look at what we can realistically do as an organization to secure this environment. Okay, so the first part is someone getting physical access to your building. Now, essentially, in the Capitol Hill case, you didn't have one or two or three, you had a whole mob of people going into the building, and they were all over the place. So there's no way of knowing what they actually did. So in this case, let's assume the worst. So imagine your building was stormed by a mob of 100 people who may have cyber security, penetration testing, red team knowledge. What could they do in that case? I would imagine that if any of these people were in a physical building, they would look at, for example, network points. Is there any exposed network point that I could use? That's the first thing that I'm looking at. Now Wi-Fi tends to be a bit more secure, because you may have security schemes like EAP-TLS, to make sure that you have a digital certificate installed on a machine. So getting through to an access point or through the wireless network may be a little bit more difficult, may require a little bit more time. So I will look at the first one we do with

05:05

... made possible by listeners like you. Thank you for your support. Now back to the show.

05:14

The first thing is you can physically lock it down so that no one can have access to an exposed network point. Number two, you can limit what device can connect to a physical network point. There are solutions such as network access control that allow you to identify what device is being plugged in, whether it's authorized to connect or not, and from there give it the right level of permission to access the kind of information that it needs to.

05:45

Okay, well, Doc, I'm not a cybersecurity or even a technical expert. But I'm presuming what you mean by exposed network points is that if they saw a network cable, and the bad guys, or the protesters or whoever rampaged the building, happened to have a device with them with an interface to plug the network cable in, can compromises happen that way?

06:11

That's exactly what I'm trying to explain. So someone could put in the cable, do a scan on the network, try to find out if there are open shares, essentially file shares that don't need permission. So you can immediately browse and see what files are in there, you can make a copy of those files; that's probably something that may have happened. Now we assume that with federal governments, you have tighter controls, you have requirements like the US NIST standards. So they will follow a certain level of standards to ensure that you don't have an open share, you don't have any services that are lying open for you to use. But before even that, you want to make sure that we secure the network layer. So can your network first detect if a rogue device is being plugged in? And if it does, how does it know the difference between an authorized device versus an unauthorized device? This is where it gets slightly complicated. If it's a PC, it's kind of easy, right? Because you can put in software within your machine. What about devices like printers, network attached scanners? These are standalone devices. And those points are pretty much, at times, unprotected. So as an attacker, most people will target these kinds of points to say, let me plug in. And a basic or rudimentary control would mean that I check the hardware address, the MAC address, the network address of that particular device before I allow it. That's kind of silly, because if you take the printer out and look at the back, there'll be a sticker that tells you this is the MAC address of that particular printer. And as an attacker, all I do is configure that MAC address into my network interface and connect, and lo and behold, I'm already connected. So at least there's some level of control that's there. But there should be some idea of what's happening. A printer should not be connecting to any other arbitrary device.
A printer should just be passively listening for the print server to send it the job. So knowing what your device does, understanding what your device does on the network, gives you an idea of what the device can and should do. Create a profile of what the device does. And if the device does something beyond what it's supposed to do, your organization should have some form of capability to identify the behavior change and detect it.

08:42

But I don't get it, because the issue that we're talking about here is physical access. When somebody gains physical and unlawful access to exposed devices and all those things, the crucial issue here is time. Would you have sufficient time to actually rectify all of this?

09:02

You're absolutely right. The issue is time. But if the control was put in beforehand, you will have a problem.

09:09

You wouldn't be able to anticipate something like that happening.

09:13

True. I mean, if you are the CISO of Capitol Hill, in your risk assessment, the chances of someone doing an insurgence right on Capitol Hill would most likely be zero. So you would never have thought of such a possibility, having such insurgents or an issue that attacks the physical assets of the building. So you wouldn't have thought about it.

09:41

Coming back to the same point that Doc mentioned, you can also deal with insider threats like this. Let's say you have multiple floors within a building, and each floor would have different departments. So you wouldn't want, as an example, your finance team to access systems which are maybe lying around in the marketing department, or vice versa. So you can have these controls which kind of segregate your network, so that each department functions separately. And the whole idea, like Doc mentioned, is that you have access controls implemented earlier on. So it's not really about someone breaking in; you also have insider threats over here, which these kinds of controls can tackle. And you can do

10:27

Exactly. What I'm saying is that these are all reactive strategies. There's only this much you can do: controls put in place to prevent things that you can anticipate, that you can foresee, from happening. But when you have an incident like that, nobody could foretell, no? And definitely there will be a gap here where you will have a problem that you have not foretold, you're not aware of, you're not prepared for. It's just a very, very difficult situation. My question then is, is there really anything that InfoSec could have done?

11:00

One way is that today, you see a lot of organizations do red team penetration testing, which involves not just the cyber but also physical penetration testing, which means someone actually gains unlawful access into the physical part of the building, and from there checks to see if they can do further damage. So what we're looking at is that scenario actually happening, but in a controlled environment. One way for you to identify if these attacks will succeed is by performing an active red team assessment,

11:35

It will probably take a long time for you to really identify and flush out all these things. What is the extent of the damage?

11:42

True. In fact, there's one case where two pen testers were caught entering a courthouse in the US. They ended up in a very bad situation, because they had a case against them. But they actually had the letter upfront to say, we have been engaged by the court to see if these people can actually break in. And so essentially, you're simulating these attacks in an event where you want to see whether your existing controls will hold against any of these such issues. Like what you rightfully said, they may not have been prepared for a riot, granted, but the controls would still apply. You would still see people walking into a federal building; they may be visitors coming in, they may be vendors coming in. These are real risks that may not just necessarily be with rioters, but with other people who physically enter the building.

12:45

So there's the physical aspect of securing devices or buildings against people who enter buildings with bad intentions. What about assets or machines that are taken away, and they try to do things with the machine? Is there anything that can be done about that?

13:05

By default, today, more mature organizations will have full disk encryption. What that means is that when your machine boots up, it's going to ask you for some sort of identifier or maybe a password, in order for your hard disk to be decrypted and for you to start using it. That prevents data from being stolen. However, a lot of organizations take this base approach, which means these kinds of software are typically installed on laptops, but not necessarily on desktops. So which means someone who gains access into these machines, these desktops that are unprotected, would essentially suck out all these files, and now have access to the sensitive information that's stored in the hard drive. So for laptops, you probably have a bit better controls. But organizations should start looking at rolling these controls out even for desktops, in the event that those assets go missing or stolen, or are compromised in whatever way. That's the first thing. The other thing that I think is crucial that we should look at is, you are now in a very urgent situation. You have people knocking on your door, you have to leave immediately. Then the question is, what can I do? The easiest way is, if you're using a Windows environment, press the Windows key and L for Windows lock. So you press Win-L, and that immediately locks you out of your current terminal. That should be the first thing that all organizations should look at making people aware of as part of their security awareness. How do you immediately lock up? I can still see a lot of organizations, a lot of people, practicing Control-Alt-Delete, and that's fine. But if you really have to go out and do it fast, use Windows-L. Some organizations implement smart card based models, which means that you have to plug your ID card into the machine. And if you need to go to the toilet or excuse yourself to go for a meeting, you pull out your smart card and the machine automatically.
These are two methods that organizations can use to prevent the machines from being employed. The other way is, we can look at screensavers. So usually, after five minutes, your screensaver starts coming in. And in order for you to go back in, you log back into the machine. Now this may work if you have that time delay of five minutes before your screensaver comes up. If not, your machine is still unprotected; someone can still gain access. But can this apply for everyone? Not necessarily. For example, if you're in a bank, and you're on the front line, or you're the teller, when you're dealing with customers you need to do your Know Your Customer process, KYC. Sometimes you want to ask questions about a transaction while you're doing this transaction, as part of your counter terrorist financing, anti money laundering practices. There's a whole lot of process that requires interaction with the user, your customer, before you can even get back to your machine. Imagine if your machine locks up every single time that you try to access it, because you're taking too long. The time to return back to your machine becomes cumbersome, becomes counterproductive. It really impacts customer centricity of that particular organization. So a lot of organizations do this. But there are also pros and cons of what kind of control

16:56

Okay, following the measures that you have recommended, one very simple question: in the event that the device is removed from the location, and assuming that I have logged off, how much time do I have?

17:11

If you've locked it, the machine is secure until the battery dies in that particular device, while that machine is on.

17:19

Meaning there is no way you can gain access to the information inside that.

17:25

This I have to think about. The reason why I say I have to think is because there are many possibilities of what can be done, right? So for example, if the machine is still logged in, one way is I perform a pen test against that particular machine. There may be ports that are open, there may be applications running in the background. If the machine is not patched, then there's a possibility of me running an exploit, getting access to the machine, gaining access to the data. That said, it again depends on what kind of application is running, whether the patch level is up to date. And that's where, you can say, software like a personal firewall, or an endpoint detection or prevention suite, would limit the exposure of that particular asset. Today, you would have that, and I say you would, because especially if you're a road warrior, you travel a lot, you have a laptop with you, most organizations will load these kinds of software onto your laptop so that you can connect safely to the Wi-Fi at Starbucks, for you to be able to log on via VPN to your corporate environment in order for you to compete.

18:38

So what's the window of opportunity here for organizations to respond in time to prevent or minimize the loss or damage?

18:48

I'm going to go back to Capitol Hill as an example. I'm going to assume that the security guys or the cyber security guys may not be working at that point of time. If they are, they're running a 24 by 7 SOC, security operations center. And if they do have asset management software, they could potentially do a kill switch, which wipes out the data of that particular laptop, provided it's still connected to the network or it has mobile network connectivity to that particular asset. That way you can ensure that if an asset is not accounted for, it can be wiped, the same as your mobile device using MDM solutions, mobile device management solutions.

19:36

So most of the controls that you mentioned sort of apply to, you know, assets that an organization brings in. What about BYOD? So like with other new things, organizations of late allow a lot of employees to bring their own devices, with cloud, you know, things like this. So there's no more internal infrastructure and things like this. So the controls that we've been discussing kind of make it very difficult to manage, right, from a security point of view. So how do we add in the level of security if we have, like, you know, a BYOD policy in place?

20:21

I guess it will help, just like what you're actually saying: you have assets that are owned by you, you have assets that are not owned by you. Assets that are owned by you probably have more stringent controls and requirements, whereas assets that are not owned by you probably have a second coat. So in BYOD implementations, personal assets, you only wipe out the segment that stores corporate data. Whereas if it's an asset that's owned by the organization, you now have the option of wiping out the whole data. But be mindful that BYOD solutions or MDM solutions have the ability to wipe out the whole device. The only thing that makes it different is the policy that you implement on that particular

21:09

Well, okay, so thank you everyone. It's good to know all the possible scenarios that can happen in the event one has to leave their machines or devices unattended for whatever reason.

21:27

Thanks for joining us this week on SecurityLah. Make sure to visit our website at securitylah.asia, where you can subscribe to this show on iTunes, Spotify, or via RSS so you'll never miss a show.