Leeds City College selects MOBOTIX to protect data... » UK: MOBOTIX AG, a leading manufacturer of digital high-resolution, network-based video security syst... Linksys launches high performance managed network ... » Rushden, UK: Linksys has announced its first managed switches in the Linksys Business product line-u... snom okays new handsets » Manchester: snom technology AG has said the complete snom handset range comply fully with the new In... Thales wins EDF Energy's £300 million contract » Basingstoke: Thales has been awarded a 10-year contract to support computerised control system servi... Security Council, UN officials hail signing of Cen... » A view of thousands of internally displaced people at Bangui’s airport, Central African Republic ... Defence Secretary full of praise for military pers... » SOURCE: MoD The Defence Secretary Michael Fallon has met the regular and reserve military personnel... MoD appoints UK busisness deal maker to head SSRO » The Chair of the new body that has been established to oversee all single-source procurement by the ... The Private Security and Investigation Industry in... » Preamble Security and safety are sine qua non for human existence, survival and development. Renown... Defence Secretary gives kudos to Royal Navy's prof... » The Defence Secretary has praised the Royal Navy’s professionalism after witnessing the advanced sea... Cubic awarded $4.1 million Training Order for U.S.... » SAN DIEGO, Calif.: Cubic Corporation has announced that it was awarded a new order valued at $4.1 mi...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

 

Cyber attackers have crossed the line between the digital and physical world warns Skoudis

Organisations and information security professionals must adapt skills to meet the threats against critical systems or face real world consequences

Organisations need to be more aware of the changing threat landscape where hackers are targeting infrastructure that is directly impacting on our physical world, believes Ed Skoudis, one of the world’s most respected security researchers and penetration testers and a faculty Fellow with the SANS Institute.

“For a while, we have seen somewhat humorous examples of hackers changing electronic road signs to give jokey messages like ‘Zombies Ahead’ instead of more useful traffic information,” says Skoudis. “But the principle is rather scary especially when you look at other real world systems that are increasingly computer controlled.”

Skoudis points to hackers attacking the uranium centrifuges run by the Iranian government as an extreme example but points out other more potential targets, “A water treatment plant is largely an automated environment run by complex computer systems. While the procedure used to refuel planes is also underpinned by software – even the electricity grid is a software centric environment.”

Hackers are looking at new ways to penetrate these often closed systems; “USB sticks, infected mobile devices, interception of data in transit and even QR codes are all areas where we have seen hackers use physical elements to breach a IT security perimeter,” explains Skoudis.” You may see comments from authors such as Thomas Rid questioning whether Cyber war is really happening? I can tell you that for every Stuxnet in the public eye, there are a dozen significant incidents across the globe that due to national security consideration will never see the light of day.”

Skoudis has conducted a demonstration of hacker techniques against financial institutions for the United States Senate and is a frequent speaker on issues associated with hacker tools and defences. He is also an author of numerous articles on these topics as well as the Prentice Hall best sellers Counter Hack Reloaded and Malware: Fighting Malicious Code.

“It is not a case of scaremongering, but more a game of cat and mouse,” he says.” Every time we spot a new method and block it, the very best of the hackers will then try a new approach. With technology constantly evolving, new exploits and a greater attack surface increase the threat. Without proactively testing defences, there is no way to know if the barricade is working as planned.”

Skoudis has authored and regularly teaches SANS courses on network penetration testing (Security 560) and incident response (Security 504); helping over three thousand information security professionals each year improve their skills and abilities to defend their networks.

“The Penetration testing skill set is also changing,” he believes. “We are increasing looking at a much wider attack surface then we did say 10 years ago. If you look at the most theoretically interesting attacks, they often used methods that combine social, physical and psychological tricks to breach secure systems.”

Skoudis believes that changes in attack patterns and targets are also reflected in the types of individuals and organisations that are increasingly investing in penetration testing skills. “The recent courses I have taught have had a higher percentage of students from the military, critical national infrastructure, manufacturing and government agencies ahead of what used to be predominantly financial services.” He says, “In addition, the types of students now includes IT professionals and managers that need to understand the core pen-testing concepts to engage pen-testers and to enact the recommendations of the testing process.”

According to Skoudis, the courses are also evolving to teach how to deliver a real business value through pen testing and a methodology to ensure processes are systematic and repeatable. “We also teach technical depth, not just teaching students how to use a bunch of tools, but to understand how the hack actually works – to help student think like an attacker so they can find the hole and close it before an attacker gains control over a critical system.”

Skoudis will be teaching SEC560: Network Pen Testing and Ethical Hacking for the first time in Europe at the upcoming SANS Secure Europe 2013. As one of the region’s largest InfoSec training events, Secure Europe will be returning to Amsterdam’s Radisson Blu Hotel from 15th to 27th of April 2013 with a roster of 8 courses including a new session covering Advanced Computer Forensic Analysis and Incident Response. For more information on the event including course overviews and GIAC Certification, or to register