[Reading time – 3 minutes 29 seconds]
Suppose that you have something very valuable (rare gemstone, roll of cash, whatever, just play along here for a moment) in your house. Unfortunately, a burglar finds out about it and decides that he wants to steal it. He waits until you are away from home one night and decides now is his chance. He goes up to your front door and finds that it’s securely locked. Would he then just walk away?
Instead, he’d check the windows in the garage. And it so happens that one of them is easy to force open, so he gets into the garage. He then works on the door in the garage that leads to the kitchen in your house and is able to open it. He works his way through the rooms of your house until he finally arrives at the room where your valuable is tucked away. He grabs it and then disappears.
If this story makes sense to you, then you are well on the way to understanding how cybersecurity attackers work today–and how we need to make ourselves secure.
It all focuses on a single word: pivot.
By definition a pivot (noun) is the central point or shaft on which a mechanism turns or oscillates. The verb means to turn as if on a pivot (think rotate, turn, revolve, spin, swivel, twirl, whirl, wheel about, etc.).
That’s how both burglars and cybersecurity attackers work today. They pivot.
Rarely will a burglar find an unlocked front door that, upon opening it, he sees your valuable sitting right there for the taking. Instead, a burglar tries to find some entry point–any entry point–into the house (a garage window, a sliding glass door, an unlocked deck door) and then “pivots” through other rooms to finally find your valuables.
Cybersecurity attackers do the same. Rarely can they break down the front door of a server to access the database containing your social security number. That’s because organization that owns the server spends a massive amount of money and time protecting it from the outside world. So, what’s a good cybersecurity attacker to do? Just like the burglar she will try to find an entry point–any entry point–into the network through some weakness or vulnerability. And then she will pivot through the different connected devices on the network until she finds your valuables.
Generally, attackers follow these steps in an actual attack:
- The attackers first conduct reconnaissance against the systems, looking for vulnerabilities.
- When a path to a vulnerability is exposed, they gain access to the system through the vulnerability.
- Once access is gained, the attackers escalate that access to gain more advanced privileges.
- With the advanced privileges, they tunnel through the network looking for additional systems they can access from their elevated position.
- Attackers install additional tools on the compromised systems to gain even deeper access to the network.
- Attackers may install a backdoor that allows them repeated and long-term access to the system in the future. The backdoors are not related to the initial vulnerability, so access remains even if the initial vulnerability is corrected.
- Once the backdoor is installed, the attackers continue to probe until they find their ultimate target and perform their intended malicious action, such as stealing your social security number.
Attack On the Jet Propulsion Laboratory
This can be illustrated through a successful attack on NASA’s Jet Propulsion Laboratory (JPL) in April of 2018 that resulted in 500MB of data stolen that related to a Mars mission. And what was the point of entry into NASA’s JPL network?
It was a $35 Raspberry Pi, small enough to fit in your hand, that someone connected to the JPL network without permission.
A 49-page report by the NASA Office of Inspector General (OIG) published last month (Jun 18 2019) also shows other critical errors by the JPL. First, they did not segment their internal network into smaller pieces, which is a fundamental security practice to make it harder for attackers to freely move around inside a network. Also, the OIG noted that the JPL did not keep its asset inventory, called the Information Technology Security Database (ITSDB), up to date. This ITSDB database is supposed to be a record of devices connected to the JPL network. The OIG found that the database inventory was incomplete and inaccurate; in fact, the compromised Raspberry Pi board that served as a point of entry had not even been entered in the ITSDB inventory.
So, what’s the big takeaway for us?
Think back to our burglar once again. Would you spend huge amounts of money on having a super-strong front door to prevent the burglar from entering your house–but not bother to even lock the garage windows? Of course not.
But that’s what we often do when it comes to our thinking on securing our computers and data. We decide, for example, that an email account does not need to have a strong password since, after all, it’s just email. But think for a moment: because almost all online accounts allow us to reset our password by sending to our email account a reset link, what would happen if an attacker could gain access to our email account? He could then have password resets for all of our accounts sent to that single compromised email account, where he could then reset the password on these accounts to whatever he wanted and then use those new passwords to enter our accounts and swipe our money or gather our data.
Secure Every One of Your Passwords
The lesson to be learned for us is that because cybersecurity attackers pivot like a burglar, there are no garage windows on our computers that we can leave unlocked. We need to secure everything.