How not to get hacked by Mr. Robot
The hacker/geek-culture antihero drama "Mr. Robot" is adored by the technology community for its realistic portrayal of the mechanics of cyberattacks. It's the one show that doesn't make IT experts roll their eyes. Rather, it has the reverse problem: Outsiders don't think it could happen. (Note: Season 3 coming this October)
"To people who don't understand security, a lot of it seems far-fetched," says Kerry Matre, former senior manager, security portfolio marketing at Hewlett Packard Enterprise, and editor of its annual "State of Security Operations" report. "Insiders know that the little things, like turning on the camera of someone's laptop or infecting a whole company from one CD picked up on the street, are fairly easy. Even breaking into a company's HVAC system seems implausible, but all those little, individual attacks have happened."
In one episode, Elliot Alderson, the main character in "Mr. Robot," attacked a major data storage facility by compromising the HVAC system, physically attaching a microcomputer to the thermostats. The scripted attack was nowhere near as bleeding edge as an attack in 2010 on the U.S. Chamber of Commerce. That intrusion turned out to be so thoroughly compromising that even after apparent remediation, a thermostat was among the devices discovered to still be communicating with servers in China.
While experts love the verisimilitude of "Mr. Robot," if anything, the show underplays the potential reach of hackers. But if there's one thing InfoSec insiders should question, Matre says, it's their own scarcity on the series. "What they don't show is the security experts looking for those attacks who are ready to disrupt them," Matre says. We asked her what IT security experts are doing—or should be doing—to thwart Mr. Robot-scale attackers.
Protecting the enterprise from Mr. Robot
Organizations must take precautions against the kind of attacks portrayed on the show. Matre recommends these key measures for minimizing the potential for trouble and maximizing the chance of disrupting it:
- Educate employees. "People are our weakest link, so you get a big improvement by teaching them not to pick up USB drives off the street," Matre says. She also says you must do more than tell them not to click on suspicious emails. "Make it personal for them by showing most attackers are just business-minded people trying to make money off us. It makes them more able to identify that kind of activity and act against it."
- Check your suppliers. "You may have the hardest, most sophisticated security in your organization, but if you have a supplier that is much less prepared, they could be the attacker's way in," Matre says, citing the 2013 data breach at Target, in which attackers used credentials stolen from an HVAC vendor to access Target's network. "You have to make sure your suppliers have proper security in place, or you have to have some other service protecting you."
- Know what has value and protect that. End users carrying unprotected mobile devices and using the cloud have shot holes in the idea of securing the network perimeter. Rather, add extra security to data you most want to protect. "You have to set priorities and protect the data that are your crown jewels," Matre says. "It's a shift from building walls to protect devices to protecting the users and the data—but that means knowing what data is the most valuable, knowing it's available in only a few places, and protecting it."
- Segment your network. The next-best thing to keeping malware and intruders out is keeping them away from the good stuff. "You don't want the bad guys to be able to navigate through your network to get to your most valuable data," Matre says. "If you have credit card data in the network, for example, it should only exist on machines that really need it. An HR system would never need access to PCI data, so you segment the network so those machines can't access each other." She notes that keeping valuable data relatively isolated also cuts audit costs by making it easier to demonstrate where it is and who has access.
- Keep an eye on users. Attacks are often an inside job or accomplished using a trusted insider's stolen credentials—so it pays to watch the activity of people with high-risk access. "On the show, a woman and her boyfriend are extorted into planting malware, but insiders can be unintentional threats as well," Matre says. "At HPE, we use behavioral analytics to figure out the baseline activities of users and watch for anomalies that could mean trouble—like seeing someone who never travels out of the country log in from Romania to access a sensitive database." Identify high-risk users, such as contractors or admins with elevated privileges whose credentials might be stolen, she says, and keep a closer eye on their activity. "You don't monitor everything," she says, "but you do watch closely who is interacting with the data."
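The baseline-and-anomaly approach Matre describes, written out as a small detector over constructed login records (an added example, not HPE's tooling): each user's history of source countries and accessed resources forms the baseline, and a later login from an unseen country or to an unseen resource raises an alert, escalated when the target is one of the "crown jewel" resources from the earlier point. The log format, the user names and the `pci-db` label are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data); fields: timestamp user src_country resource result
SAMPLE_LOGS = """\
2017-09-01T08:02:11 alice US hr-portal ok
2017-09-02T09:10:03 alice US hr-portal ok
2017-09-03T07:58:22 alice US hr-portal ok
2017-09-01T10:15:00 bob US pci-db ok
2017-09-02T10:20:31 bob DE pci-db ok
2017-09-04T03:41:09 alice RO pci-db ok
2017-09-04T11:02:55 bob US pci-db ok
"""
SENSITIVE = {"pci-db"}  # resources holding the "crown jewel" data (assumed label)

def parse(log_text):
    return [tuple(line.split()) for line in log_text.strip().splitlines()]

def build_baseline(events):
    """Per-user sets of countries and resources seen during the baseline period."""
    baseline = defaultdict(lambda: {"countries": set(), "resources": set()})
    for ts, user, country, resource, result in events:
        if result == "ok":
            baseline[user]["countries"].add(country)
            baseline[user]["resources"].add(resource)
    return baseline

def find_anomalies(events, baseline):
    """Flag successful logins from a country, or to a resource, the user has
    never used before; raise severity when the target holds sensitive data."""
    alerts = []
    for ts, user, country, resource, result in events:
        if result != "ok":
            continue
        seen = baseline.get(user)  # None means the user has no history at all
        reasons = []
        if seen is None or country not in seen["countries"]:
            reasons.append(f"new country {country}")
        if seen is None or resource not in seen["resources"]:
            reasons.append(f"new resource {resource}")
        if reasons:
            severity = "high" if resource in SENSITIVE else "medium"
            alerts.append((ts, user, severity, "; ".join(reasons)))
    return alerts

def run_detection(log_text, window_start):
    """Events before window_start form the baseline; the rest are inspected."""
    events = parse(log_text)
    baseline = build_baseline([e for e in events if e[0] < window_start])
    return find_anomalies([e for e in events if e[0] >= window_start], baseline)
```

Running `run_detection(SAMPLE_LOGS, "2017-09-04")` flags only alice's login from RO to `pci-db` as high severity; bob's login matches his baseline and is silent.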
Protection against hackers requires thinking like a bad guy
No enterprise can apply maximum possible protections to every corner of its business. "You'd go broke," Matre says. "Instead, you've got to prioritize."
Top priority is an inward approach centering on the data and systems that are core to the business's survival. But while a retailer, for instance, would put more value on its e-commerce systems, a criminal might care more about the HR database. Thinking from an outward-in perspective, credit card data is not nearly as valuable these days as the personal information that can fuel healthcare fraud. "Thinking like a bad guy" thus might call for a different security stance, especially once a company has squared away the business-critical basics.
"We're starting to see the most mature organizations take both approaches," Matre says. And no wonder. There are a lot of "bad guys" out there.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.