NEWTON, Mass. — Trucking companies may be inadvertently creating security holes in their customers’ computer networks.
A recent study by a number of US firms involved in cyber security has found that many companies—including those in the transportation industry—have opened themselves to attack by not properly securing the privileged administrative accounts that are used to run software applications and grant access to hardware. And having a hole in that part of their security makes not only them, but their customers, vulnerable.
The report, entitled Privileged Account Exploits Shift the Front Lines of Cyber Security, was compiled by Cisco Talos Security Intelligence and Research Group, Deloitte Financial Advisory Services LLP’s computer and cyber forensics team, Deloitte & Touche LLP’s cyber risk services division, Mandiant, RSA, Verizon Enterprise Solutions’ RISK Team and CyberArk.
One of its key findings is that cyber criminals aren’t necessarily launching attacks directly against their target victims. Instead, the hackers often look for ways to reach their end goals via the target’s supply chain partners.
“The IT systems of small- and mid-sized companies are presumed to be less sophisticated and their security defenses easier to infiltrate. Threat investigators observe that cyber attackers will often target such companies for the access they have to the corporate networks of larger, more secure business partners. For this reason, threat investigators have traced attacks to non-traditional targets such as trucking companies and all types of professional services firms, from management consultants and auditors to litigation attorneys.”
Getting in via transportation providers makes sense, says Newton, Mass.-based Adam Bosnian, executive vice-president of the Americas for CyberArk. By attacking through a trucking company, for example, cyber criminals not only gain access, they gain knowledge about their target.
“Why would a trucking company be part of this? I think it has a lot to do with who, what, when, where and why. If I were really looking at how to get into an organization or trying to figure out where the good stuff was, I might want to know when the company’s trucks were doing deliveries, what’s on the payload, how frequently are they delivering that payload, how they schedule that information and is there another backdoor into the ultimate target of my attack. So it is all the things along the process. Those types of things are valuable to an attacker as they take the many different pieces of information and put it all together into a successful attack.”
The other advantage to gaining access to a trucking company is that transportation firms generally have a wide reach into the business community.
“A key part of this is, with a trucking company as an example, they have many customers. These aren’t just one-off attacks where they are looking to find a weak point to be able to get to XYZ organization,” said Bosnian. “If they find a weak point in a logistics or a trucking company, that trucking company is now a weak point for all of their customers. It’s not a one-time type of thing. If they remain persistent in that network, that weak point can be leveraged for multiple attacks, not just on an individual target.”
There are a number of ways hackers can gain unauthorized access to privileged accounts. Sometimes it is done the old-fashioned way, by social engineering—getting employees to give up passwords via spear phishing e-mails (visit this website and enter your login ID and password) or by reading the passwords they have left out in the open on whiteboards or yellow sticky notes. Other times cyber criminals are able to access admin accounts because their default passwords have never been changed, or because the companies don’t even know the accounts exist.
“When we talk about these types of accounts, one of the things that is really interesting about them is how numerous they are within an organization. Pretty often a company doesn’t know all of the privileged accounts that are within their environment, which is surprising. After having worked in this industry for over 10 years, it still happens at some of the biggest companies out there,” said Bosnian, citing an example to explain how that could happen.
“An Oracle system may come with 30 default accounts, but if you are only setting up one part of it, you may not be aware of the other 28 that are there. Unless you are aware of the account, you’re not going to change the default credential.”
He explained that lists of the default passwords for hardware and software applications can be found openly, online or can be purchased illegally, and once a hacker has the password, the criminal suddenly becomes a part of the system.
“It’s all about the attacker becoming an insider—whether they are starting as an insider or starting on the outside and becoming an insider—because that’s ultimately what they need to do to perpetrate an attack. They need to be on the inside.”
Once a hacker is in, it can be very difficult to spot them, especially if the goal is just to collect information, said Bosnian.
“When we talk about it from a privileged account perspective, a lot of times the focus is on the power of that account. If I have the admin for the invoicing system, I have access to that invoicing system. I can get all of the data. I can even, if I want, control what is going on in that environment. I can change things. But usually the attacker isn’t going to change things. They are just going to sit there and watch. It’s the other part of the privileged account that is not as focused on, and that’s the anonymity.
“Because a privileged account is a shared account by nature—it’s designed to be used by multiple people—it’s not locked down to ‘Adam Bosnian.’ It’s ‘admin’ or ‘invoice admin,’ or whatever the application name is. It’s designed to be used by multiple people. So not only is it powerful, but it is anonymous, and that’s what allows them to stay low and slow. You don’t know it’s not you logging into the system. It’s me logging into the system, and I’m going to make it look like it’s you logging in. If you always log in between nine in the morning and five in the afternoon, I’m going to make sure I do whatever my actions are between nine and five. I’m going to try to stay low and slow—I have the power, have the anonymity and I’ll try to stay cloaked in that environment as much as I can.”
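The anonymity Bosnian describes is what a detection team has to engineer away: a login as “admin” is only useful as evidence if it can be tied back to a named person. The following is an added example, not code from the article or from CyberArk, showing one way to do that. It assumes a checkout ledger (a stand-in for a password vault or session broker recording which person held a shared credential, from which host and for how long) and syslog-style sshd “Accepted …” lines; both the ledger and the log lines are constructed for the example. A shared-account login that falls inside no checkout window is flagged as unattributed even when it lands squarely inside business hours and comes from a host that has been used legitimately before, which is exactly the “low and slow” pattern the quote describes.

```python
"""Attribute shared privileged-account logins to named people via a checkout ledger.

Added example for this article; not code from CyberArk or the report it describes.
The ledger format, the log format and every entry below are constructed.
"""
import re
from datetime import datetime

# Syslog-style OpenSSH success line (host and pid are ignored, user and source kept).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>[\d.]+)"
)

# Accounts that are shared by design and therefore not attributable on their own.
SHARED_ACCOUNTS = {"admin", "invoice_admin"}

# Constructed checkout ledger: who held the shared credential, when, and from where.
CHECKOUTS = [
    {"account": "admin", "person": "a.bosnian", "src": "10.1.5.23",
     "start": "2015-03-02T09:00:00", "end": "2015-03-02T10:00:00"},
    {"account": "invoice_admin", "person": "m.lee", "src": "10.1.7.40",
     "start": "2015-03-02T13:00:00", "end": "2015-03-02T15:00:00"},
]

# Constructed auth log. All events fall inside 9-to-5, so hour-of-day alone proves nothing.
AUTH_LOG = """\
2015-03-02T09:12:44 erp01 sshd[2111]: Accepted password for admin from 10.1.5.23 port 51234 ssh2
2015-03-02T11:47:03 erp01 sshd[2389]: Accepted publickey for jdoe from 10.1.5.88 port 50122 ssh2
2015-03-02T14:03:10 erp01 sshd[2650]: Accepted password for admin from 10.1.5.23 port 52001 ssh2
2015-03-02T14:20:55 erp01 sshd[2701]: Accepted password for invoice_admin from 10.1.9.12 port 49988 ssh2
2015-03-02T14:25:01 erp01 sshd[2744]: Accepted password for invoice_admin from 10.1.7.40 port 49990 ssh2
"""


def parse_log(text):
    """Return one event dict per successful login line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "user": m["user"], "src": m["src"]})
    return events


def attribute(events, checkouts):
    """Map each shared-account login to the person holding the credential at that time.

    Verdicts: OK (checkout found, source host matches), SOURCE_MISMATCH (checkout
    found but the login came from another host), UNATTRIBUTED (nobody had it checked out).
    """
    results = []
    for ev in events:
        if ev["user"] not in SHARED_ACCOUNTS:
            continue  # personal accounts already name their user
        verdict, person = "UNATTRIBUTED", None
        for co in checkouts:
            if co["account"] != ev["user"]:
                continue
            start = datetime.fromisoformat(co["start"])
            end = datetime.fromisoformat(co["end"])
            if start <= ev["ts"] <= end:
                person = co["person"]
                verdict = "OK" if co["src"] == ev["src"] else "SOURCE_MISMATCH"
                break
        results.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                        "src": ev["src"], "person": person, "verdict": verdict})
    return results


def suspicious(results):
    """Everything a responder should look at: anything that is not a clean attribution."""
    return [r for r in results if r["verdict"] != "OK"]


def run_sample():
    return attribute(parse_log(AUTH_LOG), CHECKOUTS)


if __name__ == "__main__":
    for r in suspicious(run_sample()):
        print(f"{r['ts']} {r['user']}@{r['src']}: {r['verdict']} (holder: {r['person']})")
```

The 14:03 “admin” login is the interesting one: same source host as the legitimate 09:12 session, same account, inside working hours, yet no one had the credential checked out. Without the ledger it is indistinguishable from the earlier login; with it, the anonymity is gone.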
Bosnian added that eventually hackers do need to get information out of a system. He referred to this as the exfiltration strategy.
“If they are a privileged user within the environment, they can start to install backdoors: backdoors are accounts people don’t even know exist. If people don’t know they exist, there is no way to monitor them. They are able to cloak it so it looks like regular traffic through the firewall. There are a variety of ways they do it.”
Sometimes the people who have hacked the system aren’t the people who are going to perpetrate the final attack. Bosnian said he is seeing hackers compartmentalize the stages and actions of a plan so that very few people know all the details of the end goal. And sometimes they simply get in, grab as much information as possible, and offer it up on the black market.
He recommends that businesses looking to defend themselves against these types of security vulnerabilities start with a full discovery audit, in which a security expert comes in and surveys the entire IT infrastructure, and the key word is “entire.” Bosnian stressed that unauthorized access isn’t just a problem for computer administrators. It’s something every employee in every department must understand to be a threat.
“A lot of times people view this as a datacentre issue and don’t look at it from the view of the business applications they use every day. It’s not just the network servers and the database that is out there, it’s the HR application that’s the target. It’s the logistics application that’s the target. It’s those applications that are under ownership of the business side that are maybe being maintained by IT that need to be considered, even down to the social media accounts organizations have, like LinkedIn or Instagram or Facebook. I know our HR department uses LinkedIn and uses Facebook to look at prospective employees, but they’re not using their personal account. They are using a corporate account. That corporate account is a shared account, and having it fall into the wrong hands can create bad behaviour—usually not from a financial attack perspective but from a reputation attack.”
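Bosnian’s Oracle example (30 default accounts, of which the installer only knows about one) and the full discovery audit he recommends come down to the same three questions for every privileged account in the inventory: does anyone own it, is its credential still a vendor default, and has it ever been used? The following is an added example, not code from the article or from CyberArk, that runs those checks over a constructed inventory spanning a database, a network device and a corporate social media login. The salted SHA-256 hash, the inventory entries and the short default-credential list are all assumptions for the example; real systems store credentials in their own formats, and real default-password lists are far longer.

```python
"""Privileged-account discovery audit over a constructed inventory.

Added example for this article; not code from CyberArk or the report it describes.
The hashing scheme, the default-credential list and every inventory row are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def hash_pw(salt: str, password: str) -> str:
    """Hypothetical per-system credential hash; stands in for whatever the system stores."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Illustrative vendor defaults keyed by (system type, account). Not a complete list.
KNOWN_DEFAULTS = {
    ("oracle", "SYSTEM"): ["manager"],
    ("oracle", "DBSNMP"): ["dbsnmp"],
    ("oracle", "OUTLN"): ["outln"],
    ("switch", "admin"): ["admin", "password"],
}


@dataclass
class Account:
    system: str
    name: str
    privileged: bool
    salt: str
    pw_hash: str
    owner: Optional[str]        # None: nobody in the organization claims this account
    last_login: Optional[str]   # ISO date of last use, None if it has never logged in


def _acct(system, name, privileged, password, owner, last_login):
    """Build a constructed inventory row (the audit itself never sees the plaintext)."""
    salt = f"{system}:{name}"
    return Account(system, name, privileged, salt, hash_pw(salt, password), owner, last_login)


# Constructed inventory: a database with default accounts the installer never touched,
# a network device still on its factory login, and a shared corporate social media account.
SAMPLE_INVENTORY = [
    _acct("oracle", "SYSTEM", True, "Xk!9v#2pL", "dba-team", "2015-03-02"),
    _acct("oracle", "DBSNMP", True, "dbsnmp", None, None),
    _acct("oracle", "OUTLN", True, "outln", None, None),
    _acct("oracle", "APP_RO", False, "r3ad0nly", "app-team", "2015-03-01"),
    _acct("switch", "admin", True, "admin", "netops", "2015-02-20"),
    _acct("linkedin", "hr-recruiting", True, "Welcome2015!", None, "2015-02-27"),
]


def audit(accounts):
    """Return (system, account, finding) triples for every privileged account that fails a check."""
    findings = []
    for a in accounts:
        if not a.privileged:
            continue
        if a.owner is None:
            findings.append((a.system, a.name, "no documented owner"))
        for candidate in KNOWN_DEFAULTS.get((a.system, a.name), []):
            if hash_pw(a.salt, candidate) == a.pw_hash:
                findings.append((a.system, a.name, f"default credential '{candidate}' still set"))
                break
        if a.last_login is None:
            findings.append((a.system, a.name, "never logged in (likely unmanaged)"))
    return findings


def run_sample():
    return audit(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for system, name, finding in run_sample():
        print(f"{system}/{name}: {finding}")
```

The two Oracle accounts nobody set up trip all three checks at once, which is the pattern to look for: an unowned, never-used account that still answers to its factory password is one an attacker can use without anyone noticing. The social media account passes the credential check but has no owner, the gap Bosnian points to in the HR example.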
Bosnian added that business leaders need to pay particular attention to the threat posed by unsecured privileged accounts, and start managing the business in a way that takes the possibility of a cyber attack seriously.
“For that executive in a trucking organization, it’s understanding that the security threat is more than just a perimeter breach threat. You have to think about it as if they are already on the inside and you have to protect your organization as if they are already on the inside. That’s really the message,” he said.