The Red Team is part of the Nofsinger Security team, which was hired by Sifers-Grayson (SG) to improve the company's digital security following two successful ransomware attacks against it. The Red Team conducted a penetration test against SG and was extremely successful in illustrating the current weakness of the company's security posture. The Red Team was able to hack into the Research and Development servers, install key-logging software using a USB drive left for SG staff to find, and compromise and hijack an AX10 test vehicle.
The Red Team (RT) was able to hack into the engineering center's servers by exploiting an unprotected network connection. This connection was not protected by a firewall or by any type of Intrusion Detection System (IDS) or Intrusion Protection System (IPS), allowing access to the design documents and source code for the AX10 drone project. The RT was then able to retrieve all of the documents and source code for the project. A firewall, IDS, IPS, and an Identity Governance and Administration (IGA) solution would have made the RT's task more difficult, though not impossible. An IGA solution could have limited access to some of the stolen material through role-based access control and the principle of least privilege. (Chubirka, 2014)
The Red Team (RT) was also able to steal 20% of the employee logins by leaving a USB drive in an employee lounge. The USB drive was then introduced to the network, where it loaded its malware payload of key-logging software. The stolen login information was then used to install more malware onto a workstation connected to a PROM burner in the R&D lab. The malware was then introduced into the AX10 test vehicle, causing the vehicle to initiate a cellular connection with the RT, who took control of the vehicle and flew it into the Sifers-Grayson (SG) parking lot. Proper security training for staff and a culture of Operations Security (OPSEC) could have prevented or delayed key elements of the breach. An Application Lifecycle Management (ALM) solution would also have played a large part in preventing this successful attack. A key component of the ALM solution that could have made the RT's job much more difficult is its Configuration Management (CM) aspect. CM defends against attacks such as the one carried out against the AX10 drone by ensuring that all access to and changes of the source code are logged, so that audits and reviews can be conducted. The CM solution ensures that changes to the software can be reviewed before the software product is tested. (Beasley, 2014)
There were also other attack vectors that enabled physical penetration of the SG facility through the use of a piggybacking technique. If the planted USB drive had not been successful, the physical penetration could have enabled an RT attacker to introduce malware or access data. OPSEC is the process by which risk is managed from the viewpoint of an adversary (Rouse, 2016). It is clear from their actions that the staff of SG have no idea that there is an adversary, even after two attacks.
The success of the Red Team's penetration test makes clear the need for the changes recommended by the security professionals from Nofsinger. The technology changes will go a long way toward hardening the digital assets of Sifers-Grayson (SG) but will fall short without the training and support of all the staff at SG. The awareness and education of the staff will ultimately determine whether or not SG is able to defend against both physical and cyber-based attacks in the future. Embedding security into every department, application, and process is a necessary first step in the never-ending task of protecting the future of the company.
Beasley, Jerry. (2014, September 15). Integrating Risk Assessment into Lifecycle Management. TraceSecurity. Retrieved from https://www.tracesecurity.com/blog/integrating-risk-assessment-into-lifecycle-management
Chubirka, Michelle. (2014, May 19). A broader definition of identity governance. TechTarget. Retrieved from http://searchsecurity.techtarget.com/answer/A-broader-definition-of-identity-governance
Rouse, Margaret. (2016, July). OPSEC (operational security). TechTarget. Retrieved from http://searchcompliance.techtarget.com/definition/OPSEC-operational-security