My objective: break into a server room, disable the motion detectors, lock out the system administrator, and download a secret file from a password-protected terminal.
That was the scenario set up in the booth of penetration consultancy Security Compass at RSA Conference last week. They called the learning exercise Battle School. As a lifelong fan of spy thrillers, I had to try my hand.
Step One: Pick the lock on the motion detector keypad box and short-circuit the system. Embarrassingly, this was the only defense that absolutely stumped me. It turned out to be the easiest to defeat.
“A hacker always looks for the easiest way,” Michael Bennett, lead DDoS engineer at Security Compass, said after I set down my lockpick set in despair. Pulling back the edge of the flimsy metal box, Bennett popped the front off without touching the lock.
From there, my attack progressed without a hitch. I shorted the circuits on the motion detector control panel and popped open the locked server room using an under-door lever tool. Yahtzee — the secure terminal was now mine to hack:
Using an Android phone with an off-the-shelf NFC reader app, I scored the admin’s login credentials from a conveniently mislaid ID badge. From there, it was a simple matter of keeping the administrator off the system using a string of DDoS attacks while I downloaded the “secret file.”
Of course, the whole scenario was designed for teaching, not realism — and participants earned up to eight CPE credits for completing the challenge, through a Security Compass partnership with Educredu. But there were a few interesting takeaways from the exercise:
- Invest in a good lock. Sure, the scariest threats out there are advanced malware launched anonymously from the other side of the globe. But without good physical access control to critical systems, all of the firewalls and policy orchestration in the world might be for nought.
- Realize what you’re broadcasting. Contactless payments and RFID badges mean that many of us may be continually broadcasting personal information to anyone who can get an antenna close enough. What kind of information is on your company ID badge? Get a reliable NFC reader app for your Android device and find out.
- DDoS is a beast with many heads. While ICMP floods and other Layer 2-4 attacks tend to get the headlines, there are more than 30 kinds of DDoS attacks. Many of the more sophisticated techniques actually focus on the application layer, with narrow targeting that can be difficult to spot quickly.
- Process matters too. “Many times, we’ve done a penetration test that a CTO has ordered and a company is expecting, and it will take four days for the security team to report up that the attack has taken place,” Security Compass Managing Director Sahba Kazerooni told me at RSA. Creating complex dependencies that slow down internal communication can cost critical time in responding to an incident — companies should run battle drills to catch the hangups before they discover them in a real incident.
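The takeaway that narrowly targeted application-layer floods are hard to spot quickly, as an added example that is not part of the original post or of Security Compass's tooling: a small Python detector over constructed access-log lines flags an endpoint whose traffic is dominated by a couple of clients, even though the overall request rate would never trip a volumetric threshold. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format (not from the post): "<ip> <epoch_seconds> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d+)$")


def build_sample_log():
    """Constructed sample: 30 ordinary requests spread over seven pages, plus a
    narrow flood of one expensive endpoint (/search) from just two clients."""
    lines = [f"10.0.0.{t % 5} {1000 + t} GET /page{t % 7} 200" for t in range(30)]
    lines += [f"198.51.100.{9 + t % 2} {1000 + t // 2} POST /search 200" for t in range(40)]
    return "\n".join(lines)


def parse(log_text):
    """Parse log lines into (ip, timestamp, method, path, status) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            events.append((ip, int(ts), method, path, int(status)))
    return events


def overall_rps(events):
    """Average requests per second over the whole capture: the volumetric view."""
    times = [e[1] for e in events]
    return len(events) / (max(times) - min(times) + 1)


def find_targeted_endpoints(events, window=30, min_requests=20, top_k=2, share=0.8):
    """Return {path: (requests, top_k_share)} for endpoints whose requests in the
    first `window` seconds are dominated by a handful of source addresses."""
    if not events:
        return {}
    start = min(e[1] for e in events)
    by_path = defaultdict(lambda: defaultdict(int))  # path -> ip -> count
    for ip, ts, _method, path, _status in events:
        if start <= ts < start + window:
            by_path[path][ip] += 1
    flagged = {}
    for path, per_ip in by_path.items():
        total = sum(per_ip.values())
        if total < min_requests:
            continue  # too little traffic to call a pattern
        top = sum(sorted(per_ip.values(), reverse=True)[:top_k])
        if top / total >= share:
            flagged[path] = (total, round(top / total, 2))
    return flagged


if __name__ == "__main__":
    ev = parse(build_sample_log())
    print(f"overall rate: {overall_rps(ev):.1f} req/s")   # looks harmless
    print("concentrated endpoints:", find_targeted_endpoints(ev))
```

The whole capture averages a little over two requests per second, so a bandwidth or packet-rate alarm stays silent; only the per-endpoint source concentration exposes the flood.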