Analysis: CISOs are showing up to a knife fight with a chessboard

News by Davey Winder

A new paper from Trend Micro has shown that outdated technologies are still being used in security-critical areas. Is this a step back for security in the places that need it most?

A report from Trend Micro, 'Leaking Beeps - Unencrypted Pager Messages in Industrial Environments', reveals that pagers are still used in critical infrastructure environments, including nuclear power plants. The communications data they transport is not encrypted, though, and researchers could easily listen in.

It has been estimated that as many as 85 per cent of hospitals in the US still rely on using pagers for communication.

In the UK, government departments in Whitehall continue to spend money on pagers. In 2014, the Ministry of Defence was spending nearly £10,000 per month on them.

Their continued use in the western world is apparently due to them being seen as a more reliable network option than cellphones. In the developing world, their continued usage is driven by cost. In both, sadly, they remain insecure and, as researchers have discovered, open to eavesdropping.

Such eavesdropping could be implemented as part of the passive intelligence-gathering phase of an advanced attack. The Trend Micro researchers were able to glean diagnostic data revealing sensor values and facility-related status updates, which in turn revealed the SCADA devices in use, for example.
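One practical step for a defender is to audit what an over-the-air listener could learn from the organisation's own pager traffic before deciding what must be encrypted or moved off the channel. The script below is an added example written for this article, not code from Trend Micro or the report; the message texts and the pattern rules are constructed assumptions about the kind of free-text status page the report describes (sensor values, facility status, device names) and should be adapted to the real message formats in use.

```python
"""Audit what an eavesdropper could learn from unencrypted pager-style
status messages.  Added example for this article; the message texts and
pattern rules below are constructed, not real captures or real formats."""
import re
from collections import Counter

# Constructed sample feed (assumption: free-text operational pages).
SAMPLE_MESSAGES = [
    "UNIT2 COOLING PUMP P-104 TRIP, FLOW=0.0 m3/h, CALL OPS",
    "TANK T-7 LEVEL 83% PRESSURE=4.2bar TEMP=71C NORMAL",
    "PLC-EAST-03 COMM LOSS 02:14, RETRY IN 5 MIN",
    "SHIFT CHANGE 06:00, MEET IN CONTROL ROOM B",
    "MAINT: VALVE V-22 LOCKED OUT UNTIL 14:00",
]

# Each rule names one category of information disclosed in the clear.
# The regexes are illustrative assumptions about message wording.
RULES = {
    "sensor_value": re.compile(
        r"\b(FLOW|LEVEL|PRESSURE|TEMP)\s*[=:]?\s*-?\d+(?:\.\d+)?\s*(?:%|C|bar|m3/h)?",
        re.I),
    "device_tag": re.compile(r"\b(?:P|T|V|PLC)-[A-Z0-9-]+\b"),
    "fault_status": re.compile(r"\b(TRIP|COMM LOSS|LOCKED OUT|ALARM)\b", re.I),
    "schedule": re.compile(r"\b\d{2}:\d{2}\b"),
}

# Categories that describe the process or its equipment rather than
# mere timing; these are what the report says identified SCADA devices.
PROCESS_DETAIL = {"sensor_value", "device_tag", "fault_status"}


def classify(message):
    """Return the sorted list of categories one message exposes in the clear."""
    return sorted(name for name, rx in RULES.items() if rx.search(message))


def audit(messages):
    """Summarise exposure across a feed.

    Returns (per-message tags, category counts, fraction of messages that
    reveal process or device detail)."""
    tagged = [(m, classify(m)) for m in messages]
    counts = Counter(tag for _, tags in tagged for tag in tags)
    exposed = sum(1 for _, tags in tagged if PROCESS_DETAIL & set(tags))
    ratio = (exposed / len(messages)) if messages else 0.0
    return tagged, counts, ratio


if __name__ == "__main__":
    tagged, counts, ratio = audit(SAMPLE_MESSAGES)
    for msg, tags in tagged:
        print(f"{', '.join(tags) or '-':<40} {msg}")
    print("category counts:", dict(counts))
    print(f"{ratio:.0%} of messages reveal process or device detail")
```

Run against a real export of the paging system's message log, the ratio and the category counts give the CISO a concrete figure for how much of the feed discloses process state, which is the argument needed to fund encryption or a change of channel for those message classes.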

Mark James, security specialist at ESET, explains that the problem is that messages are "broadcast from multiple towers often with no encryption which could easily be intercepted by criminals and in some cases could actually send their own messages appearing to come from the original point of contact."

Tony Rowan, solution architect director at SentinelOne, points out that we need to understand that pager transmissions by their very nature "cannot be hidden and in fact should be regarded as public broadcasts." As soon as you consider these types of communication public, it's obvious that encryption is required to provide a level of privacy and a period of protection.

"Looking at the pager issue in the wider context," Rowan continues, "it does draw attention to the basic fact that the threat actor will search for weak and undefended pathways that will lead to their objective."

The CISO should be focusing resources more on making data unusable, by encrypting it, rather than trying to prevent access to it because the 'no entry' approach is frankly doomed to failure.

Pascal Geenens, Radware's EMEA security evangelist, reckons that if, as an organisation, you "take the checkbox approach to securing your infrastructure" then you will be left vulnerable to "every change, shift or advancement in attack technology and sophistication."

Organisations must change their way of thinking about, and investing in, security: from fighting automated bots with automated bots to employing technology that is dynamic and can learn and adjust to new attacks in real time.

"Hackers will leverage any vector that might give them access," Geenens warns, continuing, "pagers might be esoteric, but mobile phones through SMS or Bluetooth, drive-by hacking through Wi-Fi and dropping USB keys in the car park all occur."

A study earlier this year involved dropping USB sticks around a campus and resulted in 48 per cent of all devices being plugged into a laptop and connecting to the test server. Similar results have been found by dropping USB keys through letterboxes in an envelope.

"These attack vectors are typically not assessed enough by enterprises," Geenens concludes, "yet form a very real threat for focused attacks."

Chris Hodson, EMEA CISO at Zscaler, reminds us that "we should remember that many industry verticals still carry significant amounts of legacy infrastructure." In the SCADA world, systems are often expensive and monolithic; version upgrades and security improvements are costly investments, and without the influence of an articulate CISO there is no guarantee that executives will understand the security risks.

That could be said of many enterprises. This highlights "a systemic issue we have with unencrypted information," says Hodson.

Then there are the bad guys to consider: bad guys who not only make up their own rules but also don't follow laws. This puts the modern security organisation at a massive disadvantage. "We're showing up to a knife fight with a chessboard," says Red Hat head of product security, Josh Bressers.

Security must assist the business, not hold it back. "This means understanding what the current assets are," Bressers says, "and then planning how to best protect them."
