Hacker landscape

by Mark Rowe

Organisations need to be more aware of the changing threat landscape where hackers are targeting infrastructure that is directly impacting on our physical world. So says Ed Skoudis, an IT security researcher and penetration tester and a faculty Fellow with the IT training body SANS Institute.

“For a while, we have seen somewhat humorous examples of hackers changing electronic road signs to give jokey messages like ‘Zombies Ahead’ instead of more useful traffic information,” says Skoudis. “But the principle is rather scary especially when you look at other real world systems that are increasingly computer controlled.”

Skoudis points to hackers attacking the uranium centrifuges run by the Iranian government as an extreme example, but points out further potential targets: “A water treatment plant is largely an automated environment run by complex computer systems. While the procedure used to refuel planes is also underpinned by software – even the electricity grid is a software-centric environment.”

Hackers are looking at new ways to penetrate these often closed systems: “USB sticks, infected mobile devices, interception of data in transit and even QR codes are all areas where we have seen hackers use physical elements to breach an IT security perimeter,” says Skoudis. “You may see comments from authors such as Thomas Rid questioning whether cyber war is really happening. I can tell you that for every Stuxnet in the public eye, there are a dozen significant incidents across the globe that due to national security considerations will never see the light of day.”

Skoudis has conducted a demonstration of hacker techniques against financial institutions for the United States Senate and is a regular speaker on issues associated with hacker tools and defences. He is also an author of articles on these topics as well as the Prentice Hall best sellers Counter Hack Reloaded and Malware: Fighting Malicious Code.

“It is not a case of scaremongering, but more a game of cat and mouse,” he says. “Every time we spot a new method and block it, the very best of the hackers will then try a new approach. With technology constantly evolving, new exploits and a greater attack surface increase the threat. Without proactively testing defences, there is no way to know if the barricade is working as planned.”

Skoudis has authored and regularly teaches SANS courses on network penetration testing (Security 560) and incident response (Security 504), helping over three thousand information security professionals each year improve their skills and abilities to defend their networks.

“The penetration testing skill set is also changing,” he believes. “We are increasingly looking at a much wider attack surface than we did, say, 10 years ago. If you look at the most theoretically interesting attacks, they often used methods that combine social, physical and psychological tricks to breach secure systems.”

Skoudis believes that changes in attack patterns and targets are also reflected in the types of individuals and organisations that are increasingly investing in penetration testing skills. “The recent courses I have taught have had a higher percentage of students from the military, critical national infrastructure, manufacturing and government agencies ahead of what used to be predominantly financial services. In addition, the types of students now include IT professionals and managers that need to understand the core pen-testing concepts to engage pen-testers and to enact the recommendations of the testing process.”

According to Skoudis, the courses are also evolving to teach how to deliver real business value through pen testing and a methodology to ensure processes are systematic and repeatable. “We also teach technical depth, not just teaching students how to use a bunch of tools, but to understand how the hack actually works – to help students think like an attacker so they can find the hole and close it before an attacker gains control over a critical system.”

Skoudis will be teaching SEC560: Network Pen Testing and Ethical Hacking for the first time in Europe at the upcoming SANS Secure Europe 2013. As one of the region’s largest InfoSec training events, Secure Europe will be returning to Amsterdam’s Radisson Blu Hotel from April 15 to 27, 2013 with a roster of eight courses including a new session covering Advanced Computer Forensic Analysis and Incident Response. For more information on the event including course overviews and GIAC Certification, or to register, visit: http://www.sans.org/info/124612

© 2024 Professional Security Magazine. All rights reserved.