The great military strategist Sun Tzu said “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Were he alive today, he might say instead: “To catch a hacker, you must think like one.”
Cybersecurity is a battle of wits in which each side aims to exploit the other’s weaknesses. To win, we must study our opponents to discover their weaknesses. So when the global hacker community gathers for DEF CON – the massive annual hacker conference – General Dynamics Information Technology (GDIT) is right there with them.
DEF CON isn’t all cloak and dagger. It’s an eclectic mix of professionals and amateurs who see every lock and firewall and security feature as a puzzle to be solved or a door to be opened. Technical briefings, exhibits and live competitions offer a chance to learn more about the way hackers can exploit vulnerabilities, which we use at GDIT to develop strategies to help secure our customers and mitigate risk and exposure.
Think of it as a massive opportunity to gather intelligence and insight.
In our evermore connected world, those insights are increasingly valuable. Hackers aren’t just focused on the latest new devices – the plethora of lightbulbs, thermostats and mobile devices that may hook into our network. They’re also digging into aging technologies we may be overlooking or taking for granted.
Like the fax machine.
Most offices still have a fax, often an underused or forgotten feature of an all-in-one printer/copier/scanner. It almost always has network access. And it may be a major security liability. Hackers can exploit fax software by delivering malware disguised as an incoming color fax. When the incoming image file is opened, the malware installs itself on the device, and from there it can reach everything else on the network.
That wasn’t as much a concern when faxes were hooked up to stand-alone phone lines, but now that they’re tightly integrated with networks and Internet-based phone systems, the risks are significant.
The lesson here isn’t that you can’t use faxes. It’s that everything we introduce to our information environment brings with it a set of risks. Reverse engineering every piece of hardware and software before we put it on the network isn’t feasible. But we can mitigate those risks through employing policies and settings, isolating systems from parts of the network, and blocking others from accessing the network entirely. For printers, that may mean disabling the fax function on that all-in-one printer and installing a stand-alone fax with a dedicated phone line for those instances when you really must send a fax.
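The isolation the paragraph above recommends is only worth as much as the checks that confirm it holds. A printer or fax segment should receive print jobs from workstations, but it should almost never initiate connections toward other internal segments; a compromised all-in-one doing so is exactly the lateral movement the fax scenario describes. The following is an added example (not code from the article or from GDIT) that scans firewall log lines for such flows. The log format, the subnets and the small allow-list of legitimate printer-initiated traffic (DNS and NTP to infrastructure hosts) are all constructed assumptions for illustration; a real deployment would substitute its own log parser and address plan.

```python
"""Flag connections initiated from an isolated printer/fax segment toward
other internal segments.

Added example, not from the original article. Assumes a constructed,
vendor-neutral log format:
    <timestamp> ALLOW|DENY <tcp|udp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
Addresses and subnets below are constructed for illustration only.
"""
import ipaddress
import re

# Constructed address plan: the isolated MFP/fax VLAN and the overall internal range.
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed allow-list: the only flows a printer segment should ever initiate
# toward the rest of the internal network (DNS and NTP to infrastructure hosts).
ALLOWED_PRINTER_FLOWS = {
    (ipaddress.ip_address("10.0.0.53"), "udp", 53),
    (ipaddress.ip_address("10.0.0.123"), "udp", 123),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a flow dict, or return None for lines that
    do not match the expected format (malformed input is skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
    }


def is_lateral_from_printer(flow):
    """True when a flow is initiated by a printer-segment host toward another
    internal segment and is not on the allow-list. Inbound print jobs
    (workstation -> printer) and printer -> Internet flows are out of scope here."""
    if flow["src"] not in PRINTER_NET:
        return False
    if flow["dst"] not in INTERNAL_NET or flow["dst"] in PRINTER_NET:
        return False
    return (flow["dst"], flow["proto"], flow["dport"]) not in ALLOWED_PRINTER_FLOWS


def find_lateral_flows(lines):
    """Return every parsed flow that violates the printer-segment policy.
    DENY entries are kept as well: a denied attempt still means a printer tried
    to reach a workstation, which is worth investigating even if the firewall held."""
    flows = (parse_line(line) for line in lines)
    return [f for f in flows if f is not None and is_lateral_from_printer(f)]


# Constructed sample log lines for illustration (not real captured data).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z ALLOW udp 10.20.30.5:51000 -> 10.0.0.53:53",      # printer DNS: allowed
    "2024-05-01T10:00:02Z ALLOW tcp 10.1.5.20:50123 -> 10.20.30.5:9100",    # workstation prints: fine
    "2024-05-01T10:00:03Z ALLOW tcp 10.20.30.5:40000 -> 10.1.5.20:445",     # printer -> workstation SMB
    "2024-05-01T10:00:04Z ALLOW tcp 10.20.30.5:40001 -> 203.0.113.7:443",   # printer -> Internet: out of scope
    "2024-05-01T10:00:05Z DENY tcp 10.20.30.6:40002 -> 10.1.5.21:3389",     # printer -> workstation RDP, blocked
    "this line is not in the expected format",                               # skipped by the parser
]

if __name__ == "__main__":
    for flow in find_lateral_flows(SAMPLE_LOG):
        print(f'{flow["ts"]} {flow["action"]} {flow["src"]} -> '
              f'{flow["dst"]}:{flow["dport"]}/{flow["proto"]}')
```

Run against the constructed sample, the script reports two flows: the allowed SMB connection from a printer to a workstation, which is the one that should trigger an incident review, and the denied RDP attempt, which shows the segmentation rule doing its job but still indicates a device that should be examined.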
Our mobile phones are also vulnerable. One new attack vector uses ThinSIM technology to track or redirect calls. ThinSIMs are like standard mobile phone SIM cards, only they sit on top of the standard SIM and work by intercepting communication between the phone and the SIM card. The technology is frequently used in emerging economies to support mobile money transfers. For Western users, the risk is that a ThinSIM is placed inside your phone without your knowledge. Because the technology is designed to intercept communication between the phone and the SIM, it could be used to secretly capture communications from the mobile device, or even to alter communications under some circumstances. The risk intensifies in foreign locations.
Technology isn’t our only vulnerability, of course. DEF CON also highlighted human frailties. In a social-engineering competition, for example, we listened in as participants demonstrated how easily they could connect with unsuspecting corporate help desk staff, then coax them to let down their defenses and violate simple security policies, like pulling out their personal phones to open up a web page. It was a powerful reminder that phishing attacks play on human weakness and they aren’t only embedded in emails.
In today’s world, security threats come from many angles. Security strategy must therefore have many facets. Organizations will always have to defend networks and systems, and no system is 100 percent safe on its own. But our greatest weaknesses are not always the fault of our systems or architectures or policies, but rather are the result of simple human weakness.
Our security is ultimately only as good as the vigilance of those who use and operate our systems and who follow – or fail to follow – our policies. Hackers remember that. We must remember it, as well.