Imagine that you have a valuable item in your home. A burglar finds out about it and decides to steal it. He waits for a night when you are away and decides that now is his time. He walks up to your front door and finds it locked. Would he simply walk away?
Instead, he checks the garage windows. He finds that one of them is easy to force open, so he enters the garage. He then works on the door that leads from the garage into your kitchen and is able to open it. He keeps working his way through the house until he reaches the room where your valuable is kept. He grabs the item and disappears.
If this story sounds plausible, you already understand how cyber-attackers work today and how you can protect yourself.
It all centers on one word: pivot.
A pivot (noun) is the point or shaft on which a mechanism turns or oscillates. The verb is to turn as if on a pivot (think rotate, spin, swivel and whirl).
This is how both hackers and burglars operate today. They pivot.
A burglar will rarely find an unlocked front door that opens straight onto your valuables. Instead, he looks for any entry point into the house, whether it is a garage window or a sliding glass door. Once he has that entry point, he "pivots" from room to room until he finds what he came for.
Cyber-attackers do exactly the same. They are unlikely to break through a server's front door and land directly in the database that holds your social security number. That server belongs to an organization that spends a lot of money and time protecting it from the outside world, which is why the front door is so hard to break down. So what does a good attacker do? Like the burglar, she looks for a weakness or vulnerability that gets her onto the network at all. Then she moves through the connected devices until she finds your valuables.
In an actual attack, attackers generally follow these steps:
The attacker first performs reconnaissance on the target systems to find vulnerabilities.
They gain access to a system by exploiting one of those vulnerabilities.
Once inside, they escalate their access to obtain higher privileges.
From that elevated position they tunnel through the network to reach additional systems, using their new privileges to move where the initial foothold could not.
To push deeper into the network, they install additional tools on the systems they have already compromised.
They may plant a backdoor that gives them long-term, repeated access. That access survives even after the original vulnerability has been fixed.
With the backdoor in place, the attackers keep searching until they find their ultimate target. Then they carry out their malicious action, such as stealing your social security numbers.
Attack on the Jet Propulsion Laboratory
This is illustrated by a successful attack on NASA's Jet Propulsion Laboratory (JPL) in April 2018. It resulted in the theft of about 500 MB of data related to a Mars mission. What was the point of entry into the JPL network?
It was a $35 Raspberry Pi, a computer you could hold in your hand.
The 49-page report published last month by the NASA Office of Inspector General (OIG) also found other serious errors at JPL. JPL had not divided its internal network into smaller segments, a fundamental security measure that makes it harder for an attacker to move freely (to pivot) once inside. The OIG also noted that JPL had not kept its asset inventory, known as the Information Technology Security Database (ITSDB), up to date. The ITSDB is supposed to be the record of every device connected to the JPL network, but the OIG found the inventory inaccurate and incomplete. In fact, the Raspberry Pi that was compromised as the point of entry had never been added to the ITSDB at all.
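The two failings the OIG report calls out, an incomplete asset inventory and an unsegmented network, are both things a defender can check for routinely. The following is an added example, not code from this page, from NASA or from JPL: it reconciles the hosts actually seen on the network against an asset inventory and flags devices that are missing from the inventory (as the Raspberry Pi was), devices that turn up on a segment other than the one recorded for them, and inventory entries that were never observed. INVENTORY stands in for a database such as the ITSDB and OBSERVED stands in for a DHCP lease table or ARP sweep; both are constructed data, and the tiny OUI table is an assumption standing in for the full IEEE list (the one entry, B8:27:EB, is the OUI registered to the Raspberry Pi Foundation).

```python
"""Reconcile hosts observed on the network against an asset inventory.

Added example, not code from the page or from NASA/JPL. INVENTORY stands in
for an asset database such as JPL's ITSDB and OBSERVED for a DHCP lease table
or ARP sweep; both are constructed data.
"""
from dataclasses import dataclass

# Constructed inventory: MAC address -> (hostname, owner, expected segment).
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("ops-ws-07", "ops", "workstations"),
    "00:1a:2b:3c:4d:02": ("mission-db-1", "mission", "mission-servers"),
    "00:1a:2b:3c:4d:03": ("fileshare-2", "it", "it-servers"),
    "00:1a:2b:3c:4d:04": ("build-box-1", "it", "it-servers"),
}

# Constructed observations: (MAC address, IP address, segment the lease came from).
OBSERVED = [
    ("00:1A:2B:3C:4D:01", "10.10.1.17", "workstations"),
    ("00:1a:2b:3c:4d:02", "10.10.5.4", "mission-servers"),
    ("B8:27:EB:12:34:56", "10.10.1.90", "workstations"),    # not in inventory
    ("00:1a:2b:3c:4d:03", "10.10.5.9", "mission-servers"),  # wrong segment
]

# Minimal OUI table (assumption: a real tool would load the full IEEE OUI list).
# B8:27:EB is the OUI registered to the Raspberry Pi Foundation.
OUI = {"b8:27:eb": "Raspberry Pi Foundation"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "unknown_device", "segment_mismatch" or "not_seen"
    mac: str
    ip: str
    detail: str


def normalize_mac(mac: str) -> str:
    """Lower-case and colon-separate a MAC so lookups do not miss on formatting."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vendor(mac: str) -> str:
    """Look up the vendor prefix (first three octets) in the OUI table."""
    return OUI.get(normalize_mac(mac)[:8], "unknown vendor")


def reconcile(inventory, observed):
    """Return findings for devices on the network but not in the inventory,
    devices seen on a segment other than the one recorded, and inventory
    entries that were not observed at all."""
    inventory = {normalize_mac(mac): rec for mac, rec in inventory.items()}
    findings = []
    seen = set()
    for mac, ip, segment in observed:
        mac = normalize_mac(mac)
        seen.add(mac)
        if mac not in inventory:
            findings.append(Finding("unknown_device", mac, ip, vendor(mac)))
            continue
        hostname, _owner, expected = inventory[mac]
        if segment != expected:
            findings.append(Finding("segment_mismatch", mac, ip,
                                    f"{hostname} recorded in {expected}, seen in {segment}"))
    for mac, (hostname, _owner, expected) in inventory.items():
        if mac not in seen:
            findings.append(Finding("not_seen", mac, "", f"{hostname} recorded in {expected}"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for a dashboard or a threshold alert."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(INVENTORY, OBSERVED):
        print(f"{f.kind:17} {f.mac:17} {f.ip:12} {f.detail}")
```

Run against real data, the "unknown_device" findings are the ones to chase first: an unregistered board with a hobbyist vendor prefix sitting on a workstation segment is exactly the kind of entry point the OIG describes. The "segment_mismatch" findings are the cheap way to notice that segmentation is not actually being enforced, and "not_seen" entries are stale inventory that should be retired or investigated.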
What’s the big takeaway?
Think about the burglar again. Would you spend a lot of money on a strong front door to keep burglars out, but not bother to lock the garage windows? No.
Yet this is exactly what we often do when we think about protecting our computers and data. For example, we decide that an email account doesn’t need to be hav