Kyle Stecki recently completed his final in my NTS405 course (Network Security). He did an excellent job war gaming an attack, describing it in a very creative format. 

Kyle provided a cautionary tale on some of the dangers that are currently faced by businesses globally. He was tasked with providing a war game scenario that could realistically occur against a medium-sized business.

 

The tools necessary to commit fraud, steal credit cards, duplicate identification badges, or even to clone automobile keys remotely are being sold right now on popular shopping sites. Criminals are buying the tools necessary to steal credit cards used at gas pumps and deploying those tools on a daily basis. We live in a dangerous world and it is only becoming increasingly so as criminals are now capable of purchasing cyber weapons and the entry barrier is shrinking every day for online criminals.

 

UAT is training the cyber guardians of tomorrow with the tools and technology they need to become effective protectors of our nation. Our classes are taught using real life examples, and our students are provided the means to understand how cyber security works in the real world.

 

I ask that you take the time to read the following, knowing it was inspired by real global events, and while the situations, names, and persons are fictitious, you will find the recommendations to be steeped in cold hard facts...

           

Disaster is Looming

By Kyle M. Stecki

 

A new young business, CheapBuys, has started to boom. The company makes its money from selling an assortment of different devices such as USBs, cell phones, headphones, numerous IoT devices and more. They sell their product for a small profit, but the company's wide customer base from selling multiple products keeps customers happy and has them coming back to save some money. The company has a great foundation for a successful business with a nice hierarchical employee system in place, a large 10-story building for employees and a warehouse to store the product. The building has a decent security system in place with the need to provide a company ID card to swipe when entering the building, and each workstation also needs authentication with the employee ID cards. Employees are well taken care of with competitive pay rates and are frequently given the chance to earn a raise every 4-6 months. The market is starting to get taken over by CheapBuys, because of their cheap products and wide customer base beating out competing companies.

 

The biggest problem the company has is how the employees act outside of work. This is not something that can be controlled, but when company property, such as the ID cards, is being handled outside of work, there need to be rules and guidelines. One night, an employee ended up at a bar after work. He had a few drinks and it was becoming apparent he was not sober. When he pulled out his wallet to pay for his drinks, someone sitting at the bar spotted the ID card and instantly knew where he worked. This stranger knows of the company and how it is becoming a big success and sees an opportunity to dig his hand in the pot. The stranger is someone who knows quite a bit about security access cards and how to copy them. For instances such as this, he likes to keep his RFID copier on him so he can make the decision quick and easy. The employee has had quite a bit to drink and the stranger knows this, so it will make his impromptu plan go smoothly. The stranger starts by having a conversation with the employee to start building a little trust. After a little while, the stranger has fed him more drinks and the stranger can see his plan coming to fruition.

 

After a bit, the employee starts to place his wallet on the bar in front of him making it easier to carry out the sabotage. The stranger decides to get closer to the employee and distract him by ordering more drinks and throwing his arm around the employee. While pointing the other way at the bartender, he offers to pay for the drinks and throws his other hand over the wallet on the bar and sneaks it into his pocket. He tells the employee to keep an eye out for something tuning in on the TV over the bar and goes to the bathroom. After making it to a stall, the stranger now has all he needs. He pulls out the ID card and scans it with a scanner he purchased on a popular online marketplace website, then takes some quick pictures of the card to fully duplicate one later. He goes back to the bar and sneaks the wallet back onto the bar without the employee noticing. After that drink, the stranger starts to make a better bond with the employee, telling him they should meet up at the bar again and asking him what times he works and when his days off are. The employee, not thinking about much at this point, agrees and lets the stranger know; now the stranger has everything he needs to pull off an attack on the business. The night ends and they go home, where the stranger quickly starts to duplicate the employee's ID card. The stranger does a little research and creates a USB stick with malware to take advantage of privilege escalation on one of the software suites the company uses. He will create a connection with a remote server to start offloading data from the company servers.

 


 

Within a couple days, the stranger is ready to pull off his plan. He gets into the building with ease, swiping the ID card which was not hard to duplicate. With no security guards, he has nothing to worry about with being spotted getting into the building. His only task is to find an unoccupied workstation, which isn’t difficult, in their 10-story building. After getting to a workstation that is relatively secluded, he swipes the ID to log in, plugs in the USB, and his program starts to run automatically. The malware is triggered, vulnerabilities are exploited, and he creates the connection to the remote server he had previously prepared. The workstation is left logged on, the stranger unplugs the USB and walks out of the building. His plan went perfectly. He goes straight to his server to see all the data he has obtained. The data he ended up collecting includes all sorts of employee information, birthdates, full names, and social security numbers as well as some customer information such as name and credit card numbers. The man anonymously contacts the company and notifies them he has a lot of valuable information and gives them a sample of what he possesses to prove his threats are genuine. He wants a million dollars in bitcoin by the end of the week or he will start to release the information in batches of 50 people to the public every day. With no other option, CheapBuys agrees to pay the stranger and the stranger agrees to not release the data. He decides to sell the data on the black market later for an additional profit.

 

This story shows some of the flaws that can be exploited by one person and cause tremendous damage to a company. To start with securing the company, physical security needs to be increased. Security guards could be hired to keep an eye on the entrances to the building; this way employees will have to check in or simply be verified by a person observing those coming in. Next, workstations should have an implementation of two-factor security, by providing a second password after swiping the ID card. This will help prevent attacks like the one that was previously explained. Third, a group policy should be given to all employees to prevent use of USB devices on a company workstation. Only authenticated USBs can be allowed for company use but will not be allowed to leave the premises of the building. Finally, an Intrusion Detection System should be implemented to detect any suspicious activity on the network. These implementations would just be a start in further security aspects of the company and would have prevented the attack coming to fruition.

 

Kyle Stecki
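
The USB restriction recommended in the essay above can be checked on each workstation. The following is an added example, not part of Kyle's essay: a read-only PowerShell audit that assumes Windows workstations, and the function name `Get-UsbStoragePolicy` is hypothetical.

```powershell
# Added example: read-only audit of removable-storage restrictions on this machine.
# Get-UsbStoragePolicy is a hypothetical helper name; it changes no settings.
function Get-UsbStoragePolicy {
    [CmdletBinding()]
    param()

    # Group Policy "All Removable Storage classes: Deny all access" sets Deny_All = 1 here.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    # USB mass-storage driver service; Start = 4 means the driver is disabled.
    $driverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    $denyAll = $null
    if (Test-Path -Path $policyKey) {
        $denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' `
                        -ErrorAction SilentlyContinue).Deny_All
    }

    $start = $null
    if (Test-Path -Path $driverKey) {
        $start = (Get-ItemProperty -Path $driverKey -Name 'Start' `
                      -ErrorAction SilentlyContinue).Start
    }

    $policyBlocks = ($denyAll -eq 1)
    $driverBlocks = ($start -eq 4)
    $blocked      = ($policyBlocks -or $driverBlocks)

    if ($blocked) {
        $finding = 'USB storage is restricted on this workstation.'
    } else {
        $finding = 'No removable-storage restriction found; USB storage can be mounted.'
    }

    # One object per machine so results can be collected and exported centrally.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DenyAllPolicy  = $denyAll      # $null means the policy value is not set
        UsbStorStart   = $start        # 3 = load on demand, 4 = disabled
        StorageBlocked = $blocked
        Finding        = $finding
    }
}

Get-UsbStoragePolicy | Format-List
```

Both settings cover storage-class devices only, so this check complements rather than replaces the two-factor logon and network monitoring the essay also recommends.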

 


 

UAT’s Network Security Bachelor of Science is a cyber security degree that prepares students to take on the ever evolving world of online theft and corruption of information. Our cyber security degree combines essential and best of class elements of software and network programming and network security analysis. This leading edge degree is designed around the contemporary skills and advanced industry-standard tools associated with security for information network technology initiatives.

 

Designated as a Center for Academic Excellence in Information Systems Security Education by the US National Security Agency, our ethical hacking degree is highly recognized by industry and government entities alike. Graduates from the cyber security degree program will have developed the essential knowledge and tools to automate their own security processes through extensive training in network security programs and scripts. Students will be taught to use critical thinking skills to research current and evolving cyber security trends, as well as become experts in network security industry standards and regulations.

 


 


 


Written by Aaron Jones

Jones has a Bachelors in Management Computer Information Systems from Park University and a Masters in Intelligence Studies (Cyber) from the American Military University. CLASSES: Technology Forensics, Technology Leadership, Technology Studies