How white hat hackers do bad things for good reasons

Some companies are lovestruck with social engineering to monitor their employees

Imagine you are the receptionist at the front desk of a bank around Valentine’s Day. There are countless bouquets of flowers and boxes of chocolate being dropped off for delivery to employees. You set them aside and alert the employee upon arrival.

But what about that one box with no name on it that says “To my love.” Taped to the box is a DVD. The delivery person says he doesn’t know who it is for; he tells the receptionist that he simply delivers the packages. The receptionist wants the romantic package to make it to the intended target, so she puts the DVD into her computer in hopes it can give her a clue.

A video animation pops up on her screen of a bunny saying, “I love you.” However, behind the scenes, an executable is placed on the computer. And now the criminal is inside the company’s network.

That delivery man was Anton Abaya, a senior assessment and compliance consultant with Accudata Systems. He was hired by the client as a “white hat hacker.” Once Valentine’s Day passed, he sat down with his client and watched the surveillance video of the employees laughing at the cute video while also eating the chocolates.

“I’ve tried all of [the social engineering situations] and have been fortunate to have been authorized by my clients to be as creative as possible. The bank was very advanced on their security protocols for unannounced visitors,” he said. However, those policies were not followed in this scenario.

“My client was just as entertained as I was,” he said.

It is Abaya’s job to drop in unannounced to clients’ buildings to see how far he can get in the physical building as well as the network.

Abaya, 30, has been interested in technology from a young age. “I am part of the generation that grew up on the internet before there were any rules. I was really fascinated with the craft,” he said.

When he was around 12 years old, he started collecting computer viruses as a hobby from local stores that pirated software. The software they copied almost always had some virus on it, he said. He would then try to find different ways to heal the infected computer. “This fascinated me at the time – I don’t know why, and it always has,” he said.

His early forays on the internet dabbled a bit in the “dark side,” but he never went so far that he couldn’t get back on the straight and narrow. “When I was young and my curiosity led me down dark alleys on the internet, I used my moral compass to guide me back to the light,” he said.

“Let’s just say that a long time ago I once knew where [the bad guys] hung out, was there long enough to pick up a few skills, but knew they did bad stuff. I never joined them on any of their missions, and then left when things got awkward because I was clearly not a contributing member.”

Jack-of-all-trades

Abaya, who came to Accudata in 2008, has a background in IT hardware repair, system administration, engineering, and auditing. He is a jack-of-all-trades whose skills lend themselves well to understanding the tendencies of employees. At Accudata he performs penetration testing, vulnerability assessments, risk assessments, infosec/compliance gap assessments, PCI assessments, and general infosec consulting. He said his favorite story is the one that launched his IT security career. He was an IT auditor performing his first penetration test. The target was a company with more than 80,000 systems and a staff of around 50 employees guarding it.

Anton Abaya, a senior assessment and compliance consultant with Accudata Systems

“I remember them telling me ‘You guys will never get in. We’re tested all the time by our own [pricey infosec] consultants.’ The other IT auditors started with using Nmap and Nessus. I decided to go at it a different way and was a domain admin in about 4 hours (they hadn’t even finished their Nmap scans yet),” he said. “The way I got in turned out to be an unreported vendor vulnerability so it not only affected the company I was targeting, but all of the vendor’s customers. It really was not the most glamorous zero-day – I just knew enough about computers, security, and also got lucky.”

A job of a white hat hacker usually involves some kind of deception. In another assignment Abaya was asked to spear phish. The target was the manager of Windows Systems at a university. Abaya pretended to be a student doing research for a 400-level class and convinced the manager to meet for some coffee to talk about the trade. 

“He agreed to meet and I was able to get him to trust me. Before the meeting, I emailed him a Word doc with my interview questions to give him some time to prepare for the interview. Well, the Word doc of course had my payloads. The manager of Windows Systems responded back with the ERROR message he got when he opened the Word file. It turns out he was using a Mac… the manager of Windows Systems was using a Mac! I learned a hard lesson that day,” he said.

He said in today’s world, it is critical to have security in layers. “There will always be some people who ‘fall for it’. Even the most paranoid employees can make mistakes or be tricked,” Abaya said. When an organization always assumes the first line of defense will be broken, creating the second and third layers of defensive controls will buy it some time to stop the attack.

What happens if the company succeeds in stopping the pen tester or social engineer? Does that mean the organization is totally secure?

“Does stopping a bullet mean you can stop a bazooka? In general, it is close to impossible for an organization to be perfectly immune to an attack. If an adversary wants to target you and is patient and competent, and they have a big enough gun, then they will probably eventually find a way in,” he said.

Stopping a penetration tester you hired for a day, when your ‘hacker’ adversary has been targeting you for weeks or months with an unlimited budget, will not yield a meaningful comparison, he added. However, if the majority of your adversaries are only going to spend at most a day targeting you, then being able to stop an experienced, qualified, and trained pen tester for a day’s worth of work probably means you can stop most of these types of attackers.
