A data center – even just your average one – is rife with advanced technology and machinery. It’s the brains of any organization’s IT infrastructure, and the gateway to accessing its information. Although accessing this “digital nervous system” would seem a logical first step for would-be attackers, oftentimes it can only be done when physical access to the assets are achieved – or sometimes it’s just easier to do it this way than hacking your way in.

It sounds like plotline to some Hollywood cyber-thriller, but it’s the type of thing that occurs often enough, and its people like Peter Wood who are prolific at hatching such schemes. But Wood does not sneak into a company’s data centers to plant malware on a network, hoping to cash in somehow on a bounty of information. He’s the CEO of penetration testing firm First Base Technologies, and Wood and his team make their salaries from would-be victims who contract the consultancy to probe their defenses – both physical and digital. 

Simulated criminal attacks
“My role is to lead a team that does simulated criminal attacks against organizations”, Wood explained to the audience at this week’s DCD Converged event in London. His team then goes about identifying the key vulnerabilities an organization may have – much like any criminal would – and then, after executing a series of infiltration attempts, provides feedback to the client on approaches to close potential security gaps.

Addressing the issue of unsupervised visitors at any data center site is perhaps the most crucial aspect that needs addressing, which becomes even more difficult if an organization co-locates their data center functions or outsources them altogether.  “The single biggest threat on premises is someone who has not been escorted at all times”, Wood advised.  “We need to encourage the confidence to ask who people are, and report it”, he added. 

He then explained how an attack on the network would differ, but oftentimes a physical infiltration can help lead to a digital one, or is required to gain access to network resources of more hardened networks. Take, for example, the computer virus Stuxnet, which requires implantation into a target environment via an infected USB flash drive. Stuxnet attacks industrial programmable logic controllers (PLCs), and back in 2010 it was discovered that the virus caused the destruction of centrifuges at Iran’s Natanz uranium enrichment facility – setting the Iranian nuclear program back approximately five years or more.

Attack Anatomy
Whether it’s a physical or logical attack – or a combination of both – there are some common threads in their execution. Wood then provided the general steps for how an attack takes place:

• Background research
• Social engineering (phishing, for example)
• Taking control of an end point
• Explore the network
• Find data
• Exfiltrate (steal) data

“These steps are not rigorously followed by any criminal gang or security researcher”, Wood warned. Instead they are just commonly involved in the average infiltration process – and sometimes they will occur in a completely different order. “Most attacks are not really advanced, but they are multi-vectored,” he added. 

Attackers gather intel through many routes, including esxamining premises on Google maps and Street View, for example. Finding corporate email addresses through internet searches on sites like LinkedIn is an easy source of information gathering, and these same portals can provide access to staff names and job titles – enhancing the information arsenal of any prolific social engineer. Plus, once you find the email structure of an organization, you can use names to generate emails for nearly anyone in an organization, which helps attackers execute phishing and more targeted spearphishing campaigns designed to help gain access to a network.

These are key shortcomings that most organizations suffer from, Wood contended. He recommends increased staff education on phishing/spearphishing, and refraining from the use of corporate emails on professional social networking sites.

In a test spearphishing campaign First Base was hired to conduct, Wood and his team came back with 41 recipient email credentials within 15 minutes. “This stuff is quite boring to do, but so effective”, he said.

“It’s scary simple to gain access to systems that are protected by some of the most rigorous security controls available”, Wood lamented. “[The human] approach to being friendly and helpful (and the majority of people are) is what criminals take advantage of.”

Another issue he highlighted is that too much information is protected by a single security control, such as a Windows network login credential. “Our thrust toward single sign-on and single Windows passwords is the death of network security”, he declared. 

Wood advised that would-be cybercriminals look to compromise systems via paths of least resistance. “The criminals and other attackers see themselves as a business as well”, he remarked, based on his experience. “They may not have the same moral underpinnings, but they are looking to achieve their goals successfully.” 

“[Cybercriminals]”, he added, “will not take the sexiest or most technical route available, unless it is the most effective.” Most of the time, he continued, “they are looking to compromise systems with the least amount of damage.”