Stories from the front line: The secrets of the Red Team revealed
White hat hackers expose why firewalls and phishing awareness aren't enough in the face of a motivated attacker
Do you know what's on your network? Gemma Moore does. She knows what's lurking in the dark, forgotten corners of your network because she's spent weeks slowly and methodically combing through it, looking for the one weak link in your armour, the Achilles heel that will bring your security to its knees.
Moore is the co-founder of security consulting firm Cyberis, and an expert in offensive security, Red Teaming and penetration testing. Holding numerous accreditations from security certification body CREST, Moore makes a living by hacking into companies, and she has some horror stories to tell about the weaknesses which let her (and, by extension, genuine attackers) break through corporate defenses.
"It's always the same story," she says. "You get in through a foothold, you find enough information through network shares or through guessing passwords to get you to the next stage. You can almost always escalate privileges. I mean, if you've got an infrastructure that's old enough, the most reliable way of escalating privileges still remains things like SQL servers with the same blank password as running a system."
"You'd be really surprised how many networks we still find things like that on. And it won't be on the live system, it won't be on a maintained system; it will be something like an old legacy system that no-one's decommissioned, or it will be a dev system that nobody's looked at in years and it's still on the network. It's still there."
This, Moore says, is why decommissioning old infrastructure is such a crucial element of enterprise security: because it frequently gets forgotten about, leaving attackers with an easy way into more heavily-defended systems. One story she tells involves an application test for a customer in the telco industry, during which she used an old and overlooked backup server to obtain and decrypt a database full of poorly-hashed but up-to-date user credentials. If she had been a genuine attacker, the breach would have been catastrophic.
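The forgotten backup server and the dev box nobody has looked at in years are both inventory failures before they are technical ones. The following is an added example, not code from the article or from Cyberis, of the reconciliation check a Blue Team can run: compare what the asset inventory claims against which hosts were actually observed on the network (from DHCP leases, AD computer accounts, or flow data), and flag anything that is unknown, supposedly decommissioned, or a dev/legacy system whose owner review has lapsed. All hostnames, owners and dates below are constructed for illustration, and the review threshold is an assumed policy value.

```python
"""Reconcile an asset inventory (CMDB) against hosts observed on the network.

Defensive check: a host that answers on the network but is absent from the
inventory, marked decommissioned, or tagged dev/legacy with no recent owner
review is a candidate for removal before an attacker finds it first.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InventoryRecord:
    hostname: str
    environment: str   # "prod", "dev" or "legacy"
    status: str        # "active" or "decommissioned"
    owner: str
    last_review: date  # when an owner last confirmed the host is still needed


# Constructed inventory: what the CMDB claims is on the network.
INVENTORY = [
    InventoryRecord("web-prod-01", "prod", "active", "web team", date(2024, 5, 20)),
    InventoryRecord("db-prod-01", "prod", "active", "dba team", date(2024, 5, 1)),
    InventoryRecord("app-prod-02", "prod", "active", "apps team", date(2024, 5, 10)),
    InventoryRecord("backup-old-02", "legacy", "active", "unknown", date(2019, 3, 10)),
    InventoryRecord("dev-build-07", "dev", "active", "bob", date(2024, 4, 15)),
    InventoryRecord("dev-test-03", "dev", "active", "alice", date(2021, 1, 1)),
    InventoryRecord("fileshare-old", "legacy", "decommissioned", "it ops", date(2022, 6, 1)),
]

# Constructed observation: hosts seen alive in the last seven days
# (in practice: DHCP leases, AD lastLogonTimestamp, netflow sources).
OBSERVED = {
    "web-prod-01", "db-prod-01", "backup-old-02", "dev-build-07",
    "dev-test-03", "fileshare-old", "lab-pc-19",
}

# Assumed policy: dev/legacy hosts need an owner review at least twice a year.
REVIEW_MAX_AGE_DAYS = 180
TODAY = date(2024, 6, 1)  # fixed so the example is reproducible


def find_forgotten_hosts(inventory, observed, today=TODAY,
                         review_max_age_days=REVIEW_MAX_AGE_DAYS):
    """Return {hostname: reason} for live hosts that need attention."""
    by_name = {rec.hostname: rec for rec in inventory}
    findings = {}
    for host in sorted(observed):
        rec = by_name.get(host)
        if rec is None:
            findings[host] = "not in inventory"
        elif rec.status == "decommissioned":
            findings[host] = "marked decommissioned but still on the network"
        elif rec.environment in ("dev", "legacy"):
            age = (today - rec.last_review).days
            if age > review_max_age_days:
                findings[host] = f"{rec.environment} system, owner review overdue"
    return findings


def unseen_active_hosts(inventory, observed):
    """Inventory entries marked active that were not observed: either the
    inventory is stale or the box is off, and both deserve a ticket."""
    return sorted(rec.hostname for rec in inventory
                  if rec.status == "active" and rec.hostname not in observed)


if __name__ == "__main__":
    for host, reason in find_forgotten_hosts(INVENTORY, OBSERVED).items():
        print(f"REVIEW  {host:15s} {reason}")
    for host in unseen_active_hosts(INVENTORY, OBSERVED):
        print(f"STALE   {host:15s} active in inventory, not seen on the network")
```

Run regularly, the output is a short list of hosts with an owner to chase rather than a sprawling network map; the "not in inventory" and "decommissioned but still on the network" rows are exactly the forgotten systems the article describes.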
This kind of attack is predicated on a lack of technical controls and monitoring allowing intruders to move laterally within a network, but there's a different kind of attack altogether that's much harder to guard against: a physical attack. The vast majority of cyber criminals are opportunistic thieves simply looking for an easy score, who will pick the victim that presents the least resistance and the least effort to penetrate. For companies that are being specifically targeted by a dedicated and motivated attacker, however, their biggest security hole is probably their office itself.
"Nine times out of ten, you can just wander in," Moore reveals, "and if you can't just wander in, maybe you'll put on a fleece or a hi-viz jacket and pretend to be a PAT tester, or someone to look at the phones, or the fire extinguisher repair person."
Her firm has "a dressing-up cupboard" in the office, stocked with different coloured lanyards, fleeces and various official-looking uniforms that she says generally allow her team to roam freely around the halls of their targets.
"PAT-testing's a great one, because it gives you an excuse to rummage around on the floor where all the power cables are."
Unfortunately, it turns out that it's much harder to stop physical attacks than technical ones, because they exploit weaknesses in human nature rather than infrastructure, and you can't patch for that. For example, tailgating (the act of following a legitimate employee through a security-protected door after they've gone through it) is hard to prevent in most offices, particularly because people are socially conditioned to hold doors open for those coming after them.
Hackers are well aware of these vulnerabilities within human psychology and they are not shy about exploiting them. One particularly devious move that Moore has used is to tell the truth, or at least a version of it.
"I turned up at the office, and I told the woman who's in charge of the building that I was there to do a physical security audit," she explains. "This woman introduced me to the facilities manager who gave me a tour of the whole building; showed me where the keys were kept, showed me all the locks, showed me where the secure shredding was..."
After this highly illuminating tour, she asked them if there was somewhere she could write up her 'report', and was promptly shown to a desk and plugged into the corporate network.
"I had domain admin privileges about an hour later and meanwhile, they were bringing me tea and asking me if I wanted a biscuit and generally being really nice about it," she laughs. "You feel awful when you do it. You genuinely do feel terrible."
Moore's job isn't all about pulling the wool over her targets' eyes, however. Sometimes they'll end up doing a spot of unpaid IT support as part of a penetration test. As part of an attack, one of Moore's team, whom she describes as "the best liar I've ever met", ended up becoming one of the most helpful people in the office.
"Sometimes we've even fixed IT problems for people. A colleague of mine went into an office where someone was having problems with a zip file; effectively, it was too large to send out, and she was getting really frustrated. He walked over (he was pretending to be a temp at the time) and he said to her, 'Can I help you with this, are you alright?' She was explaining this problem with the zip file, and he goes, 'I'll sort that out for you.' So he's on her computer, trojanises the computer, gets a foothold, and then fixes this problem for her by chunking this zip into smaller files, compressing them and sending them separately, with instructions to reconstruct on the other end, while she made him a cup of coffee."
"So she was really grateful and really friendly and started introducing him to the other people around. Let's just say you didn't get reported as being suspicious in the office having helped someone with a problem -- and then he fixed the printer for someone else. So all this time, of course, he's using their user accounts and trojanising their machines and what have you."
Moore's work is only one side of the coin, however. Blue Teams are the Red Team's defensive counterpart: a security team within the organisation that works to thwart the Red Team's efforts. As Moore points out, the objective of Red Teaming is to help the Blue Team get better at their jobs. A successful Red Team exercise, she says, is one that results in the attackers being able to coach the Blue Team through exactly how they managed to evade them and what they can do to stop any similar attacks in future.
"The whole point is working with the Blue Team after and doing the debrief and understanding why they didn't see it, what they could have done that would have shown them it, and then just iteratively improving that so they see more next time," she explains.
"When we do a Red Team, what we would like is that the Blue Team sees everything we do, and is on the phone going 'Is this you?'; that's what we like. And over time, that's what you should get to, but you have to treat it as a sort of open, iterative process."