WEBVTT

00:00:00.890 --> 00:00:04.500
I wanted to give you a little example of a real‑life attack that

00:00:04.500 --> 00:00:09.230
affected an organization, and we can see how network attacks could

00:00:09.230 --> 00:00:12.080
quickly spread from one area to another.

00:00:12.950 --> 00:00:15.430
This was a larger retail organization,

00:00:15.430 --> 00:00:19.880
you have probably heard of this, with a loss of millions of credit cards.

00:00:21.130 --> 00:00:24.860
Let's take a look at an average organizational network.

00:00:25.130 --> 00:00:28.170
We have different parts of the company, sales,

00:00:28.170 --> 00:00:28.950
finance,

00:00:28.950 --> 00:00:33.300
human resources, and operations, and they're all running on a

00:00:33.300 --> 00:00:39.100
foundation of information technology being managed by our IT staff.

00:00:39.100 --> 00:00:44.560
When we want to connect to the internet, we have a firewall that allows

00:00:44.560 --> 00:00:47.360
our traffic to be filtered and controlled.

00:00:48.100 --> 00:00:53.910
In this case, the organization installed a building management system,

00:00:54.070 --> 00:00:58.660
a heating, ventilation and air conditioning unit, and that heating

00:00:58.660 --> 00:01:02.840
ventilation/air conditioning unit was installed by a vendor, and the vendor

00:01:02.840 --> 00:01:08.440
said, could I please have an internet connection to that air conditioning unit

00:01:08.510 --> 00:01:10.880
because it'll tell me if there's any problem,

00:01:10.880 --> 00:01:13.840
if we need to come in and do some maintenance or repairs.

00:01:14.280 --> 00:01:19.970
And the organization said, well, no. We don't mind if you have a

00:01:19.970 --> 00:01:23.480
connection that you can connect through the internet, but we don't want

00:01:23.480 --> 00:01:28.030
to give you a separate internet connection because that'll be unmonitored

00:01:28.040 --> 00:01:34.110
and could possibly even be misused, so instead, we will connect you to

00:01:34.110 --> 00:01:38.710
our corporate network. Then all of your traffic will go through our

00:01:38.710 --> 00:01:44.180
expensive corporate firewall and we'll be able to ensure that there is no

00:01:44.180 --> 00:01:50.500
misuse then of the traffic or the pipeline going to the air conditioning

00:01:50.500 --> 00:01:50.990
unit.

00:01:51.610 --> 00:01:56.350
Now this sounds good in theory, but the problem is that most IT

00:01:56.350 --> 00:02:01.240
administrators don't understand the protocols or languages used by building

00:02:01.240 --> 00:02:05.190
management systems, and if I don't understand the language,

00:02:05.190 --> 00:02:09.030
it's going to be pretty hard to know if something strange is going on.

00:02:09.360 --> 00:02:13.100
I'm not even going to be able to write the rules for the firewall that are

00:02:13.100 --> 00:02:16.120
going to be able to filter that traffic effectively,

00:02:16.460 --> 00:02:18.080
but it sounds good in theory.

00:02:19.540 --> 00:02:23.360
The problem was the vendor came in one day with their laptop to

00:02:23.360 --> 00:02:26.760
do some maintenance on the air conditioning unit, and they

00:02:26.760 --> 00:02:31.330
didn't realize that their laptop was actually infected, and when

00:02:31.330 --> 00:02:36.700
they plugged that laptop in, it now infected the building management system.

00:02:37.690 --> 00:02:41.300
The building management system now calls out through its

00:02:41.310 --> 00:02:45.640
internet connection through the corporate firewall to a hacker

00:02:45.880 --> 00:02:49.080
that is then positioned on the internet.

00:02:50.710 --> 00:02:56.370
That attacker now has a direct connection into the organization

00:02:57.010 --> 00:03:00.750
and they can converse back and forth through what now is

00:03:00.750 --> 00:03:05.090
considered trusted traffic because it was initiated by that

00:03:05.100 --> 00:03:08.370
internal system to talk to the hacker.

00:03:09.570 --> 00:03:14.900
The hacker is not just isolated to the building management system.

00:03:15.160 --> 00:03:19.540
Instead, they have access to the entire network, and that

00:03:19.540 --> 00:03:23.400
includes to things like the point‑of‑sale system being

00:03:23.400 --> 00:03:26.050
used in sales for this company.

00:03:27.080 --> 00:03:32.890
And they can take advantage of the fact that the point‑of‑sale system

00:03:32.890 --> 00:03:37.640
put in still had default passwords. Default passwords,

00:03:37.640 --> 00:03:42.720
the passwords put in during the original manufacture of these little payment

00:03:42.720 --> 00:03:45.210
card reading devices, and we're all familiar with them.

00:03:45.210 --> 00:03:49.030
You go to a store and you want to make a purchase, you insert or you

00:03:49.030 --> 00:03:52.070
tap your credit card, that's a point‑of‑sale device.

00:03:52.920 --> 00:03:57.770
And it had been installed by a vendor as well, not by the IT department.

00:03:58.260 --> 00:04:01.730
And we can see here part of the problem is that we have a building

00:04:01.730 --> 00:04:05.600
management system which is definitely not managed by IT, we have

00:04:05.600 --> 00:04:11.200
point‑of‑sale devices which are not managed by IT, and yet we're relying on

00:04:11.210 --> 00:04:17.110
IT to actually protect the network that these devices communicate on.

00:04:17.110 --> 00:04:22.040
Because the hacker knows the default passwords, they were able to install

00:04:22.040 --> 00:04:29.030
malware on that point‑of‑sale system. That is, now anytime somebody uses a

00:04:29.030 --> 00:04:36.330
credit card, it then takes a copy of the credit card number and sends it off

00:04:36.340 --> 00:04:37.620
to the hacking group.

00:04:38.860 --> 00:04:42.580
Having vendor default passwords is against the

00:04:42.580 --> 00:04:44.920
rules of the payment card industry.

00:04:45.340 --> 00:04:50.080
The payment card industry says you must not have vendor

00:04:50.080 --> 00:04:53.060
default passwords on network‑facing equipment.

00:04:53.680 --> 00:04:59.140
But, even the auditors that reviewed this company said that they

00:04:59.140 --> 00:05:05.140
were compliant with the rules of PCI, PCI DSS, so this was a

00:05:05.140 --> 00:05:09.860
mistake by the auditors who didn't realize that these default

00:05:09.860 --> 00:05:11.440
passwords were still there.

00:05:11.570 --> 00:05:15.230
In other words, the auditors simply didn't do their job properly.

00:05:16.280 --> 00:05:21.310
That resulted in the harvesting of tens of millions of

00:05:21.310 --> 00:05:24.230
credit card numbers back to the hacker.

00:05:25.220 --> 00:05:31.180
Now, one of the things that IT was involved with was monitoring network traffic.

00:05:31.690 --> 00:05:36.280
They had a SIEM. We've talked about SIEMs before, a security

00:05:36.280 --> 00:05:40.370
information and event management system which is monitoring

00:05:40.370 --> 00:05:42.550
many different network devices,

00:05:42.550 --> 00:05:49.390
IDSs, IPSs, firewalls, applications, and by monitoring all of these

00:05:49.390 --> 00:05:54.770
devices, bringing the data together and aggregating it, it gets to see

00:05:54.770 --> 00:05:57.190
a big picture if there's something wrong.

00:05:57.980 --> 00:06:00.250
And in this case the SIEM was very good.

00:06:00.620 --> 00:06:04.380
The SIEM actually indicated that they had this breach, this

00:06:04.380 --> 00:06:09.330
problem, the very first day, but the IT department, quite

00:06:09.330 --> 00:06:10.990
simply, didn't know what to do with it.

00:06:11.390 --> 00:06:15.130
They didn't understand where the breach was because it wasn't even in

00:06:15.130 --> 00:06:19.050
a system that they managed. They were busy with many other things

00:06:19.050 --> 00:06:23.450
because it was a busy time period for this retail operation, and so,

00:06:23.450 --> 00:06:29.950
therefore, even though this attack had been alerted, they didn't

00:06:29.950 --> 00:06:34.540
respond until six weeks later when it was brought to their attention

00:06:34.540 --> 00:06:35.790
by law enforcement.

00:06:36.560 --> 00:06:39.980
So, this is just an example of something that was

00:06:39.990 --> 00:06:43.700
certainly an awful lot more than one mistake.

00:06:44.210 --> 00:06:47.060
There were many mistakes that led to this breach, and

00:06:47.060 --> 00:06:52.210
unfortunately, for us, there are a lot of lessons to learn.

00:06:52.690 --> 00:06:58.340
We can learn to check thoroughly, for example, for default passwords,

00:06:58.350 --> 00:06:59.760
incident response,

00:07:00.060 --> 00:07:04.980
the alerts that come from our SIEM systems, to make sure that when we

00:07:04.980 --> 00:07:09.670
install a piece of equipment such as, for example, a building management

00:07:09.670 --> 00:07:13.910
system, it shouldn't just be connected to the corporate network, it

00:07:13.910 --> 00:07:16.100
should be connected, but isolated.

00:07:16.440 --> 00:07:20.410
And this is something we'll look at actually in the next module of this course,

00:07:20.660 --> 00:07:27.040
Network Security Design. There should be segmentation of many of these

00:07:27.140 --> 00:07:32.660
types of traffic and network elements so that a breach at one place

00:07:32.660 --> 00:07:35.420
does not easily spread to other places.

00:07:36.400 --> 00:07:38.860
We know that network security is essential.

00:07:39.180 --> 00:07:42.080
Our businesses rely on our networks,

00:07:42.260 --> 00:07:46.310
therefore, we need to make them both secure and reliable.
