Hackers and cyber criminals aren't so much trying to attack computer network security measures as they are looking for vulnerabilities in people who use and operate those networks as a gateway to access them.
That point was hammered home by the winning team of hackers during a cybersecurity "war game" hosted by information technology giant SAIC last week during the Rocky Mountain Cybersecurity Symposium at The Broadmoor hotel.
The team, modeled after the international hacking group Anonymous, used information from a fictional information technology employee's Facebook account and other personal information found on the internet. The team members then persuaded someone from the help desk at a fictional Ukrainian oil refinery to change the employee's password - gaining control of the refinery's website.
The employee had posted on her Facebook page that she was on vacation. The page also included key details such as her birthdate, hometown and other information that helped hackers know the answers to security questions the help desk would ask.
While the team defending the refinery from cyberattacks suspected the call was bogus, members were hamstrung by a policy that allowed employees to call in to the help desk and request a password change. Once they had access, the hackers demanded a ransom and posted employee financial and health information on the site.
More than 80 percent of hackers start with social media as they look for someone to target within an organization they want to attack, Gordon Hannah, a principal in the Cyber Risk Services operation of Deloitte Consulting LLP, said during a symposium panel discussion on managing cybersecurity risks. He quoted a colleague who described defending against cyberattacks as "playing soccer with two goalies and everyone else on the field playing offense" and said that many executives involved in high-profile breaches are still using the same passwords they used before the breaches.
Brett Fowler, a senior principal cyberspace operations at SAIC in San Antonio who was helping one of the hacking teams, said when hackers "break into a company('s network) they typically collect a lot of information about them first because people give away a lot of information on social media. Most people don't lock down their social media accounts, so they open a massive attack surface for hackers to exploit. They disclose things like their mother's maiden name, their favorite color, their dog's name, and all of those are common security questions."
Rather than staying off social media, Fowler recommends people be cautious. That includes using a special email account when creating a social media profile, not including personal information like their birthdate, hometown and pet's names on the profile or any posts.
Fowler also says internet users should resist the temptation to click on links to unfamiliar websites even if they're sent by friends, co-workers or banks or retailers they use since the email may have come from a hacker and be designed to look legitimate.
"Computers are hard to break into, but people are easy," Fowler said. "This (exercise) is designed to show people how vulnerable we really are. How can we stop the social media threat? We don't know yet, but modeling it in an exercise like this helps us learn how. The problem is that we are aways a step behind and there are always new threats."
SAIC raised the stakes in this year's version of the war game, including social media and news components through software the company has developed as a training tool, Fowler said. The company's Cyntrest software allows game managers to make changes in real time to simulate a cyberattack and make it more realistic, he said. SAIC conducted two hourlong war games with 15 to 17 participants split into teams of defenders from the oil refinery, hackers modeled after Anonymous and a second hacker team sponsored by an unnamed nation-state that was trying to cause an oil spill.
Participants in the war game ranged from military cybersecurity specialists to civilian information technology worker; the game is designed to include players with a variety of skills to capitalize on teamwork. During the first session of last week's game, it took the hacker team modeled after Anonymous about 50 minutes to gain access to the refinery's network. The nation-state backed team wasn't able to access its target, which was an internet-connected value on an oil storage system that was poorly secured with a default user name and password that had never been changed.
Kevin Rohan, chief cybersecurity architect for Oracle Corp.'s Colorado Springs operation, was part of the defending team and said he knew his team "would lose because defense always does," but noted the team kept the "oil and money flowing" because it had strengthened the refinery's network firewall.
Gene Albin, a Navy cyberintelligence specialist working at U.S. Northern Command in Colorado Springs who was part of the nation-state hacker team, said the game was more realistic and challenging because it was a three-way contest. He said the exercise reinforced that cybersecurity skills are "perishable and need to be constantly updated."
During the second war game session, a new team of nation-state hackers "laid waste to the entire network" of the refinery by hacking both the defending team and the other hacker team, which was targeted to gain access to the refinery's network because they had already achieved partial access, Fowler said.
"It is the best performance I have ever seen in this competition, and we have done nine of these over the past two years. They were very efficient and, even though they were not that experienced, they thought outside of the box, succeeding almost entirely by technical means, and they weren't shackled by the rules," Fowler said.
AFA team conquers foes
A second competition during the symposium featured five college teams taking on 29 challenges in a seven-hour "capture the flag" game that is designed to teach participants how to defend against a cyberattack, said Ryan Roberts, who ran the competition and who is a senior manager for Deloitte's Cyber Risk Services advisory unit in Colorado Springs.
The four-person teams included one each from the Air Force Academy, Pikes Peak Community College and defending champion University of Colorado at Colorado Springs and two from Brigham Young University. The challenges ranged from repeatedly pinging (sending messages to) a server to analyzing network traffic.
The competition, which includes a flag and electronic gear as prizes, helps participants sharpen cybersecurity skills to defend against hacker attacks and also is an avenue for Deloitte and other symposium sponsors to recruit personnel to an industry that suffers from a worsening labor shortage, Roberts said. The game also helps to build the reputation of the Colorado Springs area as a "cybersecurity center of excellence" since it already is home to numerous technology companies, military commands and academic programs specializing in cybersecurity, he said.
The academy team built an early lead by capturing the first three flags in about a half-hour and held that lead throughout the competition. Senior Cadet John Johnson said the team used a "divide-and-conquer" strategy of splitting tasks among each member of the team. The team heads this weekend to Denver to the Rocky Mountain Collegiate Cyber Defense Competition as members attempt to qualify for the National Collegiate Cyber Defense Competition next month in Orlando. They also will participate this month in a cyber competition among the nation's service academies.
Thousands at symposium
The four-day Rocky Mountain Cybersecurity Symposium is hosted annually at The Broadmoor by the Colorado Springs-based Rocky Mountain Chapter of the Armed Forces Communications and Electronics Association, attracting about 3,000 cybersecurity professionals from government agencies, private industry and academia. The event is the primary fundraiser for the chapter, which has awarded $1.5 million in scholarships and grants to teachers and El Paso County school districts to support science, technology, engineering and mathematics studies and projects.
Next year's symposium is scheduled for Feb. 4-7. Additional information is available at rockymtn.afceachapters.org.
Contact Wayne Heilman: 636-0234