ST. MICHAEL'S OPENS DOORS WITH HELP FROM ERA » David Stapleton and Era’s Tania Tams with Mrs. Grundy and pupils at St Michael’s First School Vig... 17% growth ensures Nationwide Platforms remains wo... » Nationwide Platforms has once again retained its position as the world’s largest IPAF provider after... Le Pen Seeks Anti-terrorism Operations in Chad...B... » "Well, Marine Le Pen may be able to save France from abroad. But hold on for a minute, do you really... Synectics to showcase urban transport surveillance... » David AindowUrban transport networks are in danger of data overload. Guarding against emerging secur... TomTom Telematics collaborates with SOTI » TomTom Telematics has announced a collaboration with SOTI that will see the company’s popular flag... Dimension Data launches support and managed servic... » London, United Kingdom: Dimension Data has extended its current offering with Cisco Meraki. This inc... LOCKEN ANNOUNCES STRATEGIC COLLABORATION WITH ISEO » Leading developers of cable free access control, LOCKEN and ISEO Group, an Italian based designer,... Sopra Steria finds UK citizens want more secu... » London: Sopra Steria has revealed that UK citizens are keener than ever to use digital public servic... World’s top education experts to answer key q... » Education experts, Edtech entrepreneurs and an assortment of thinkers, analysts and administrators f... HAUD gives more value through its Traffic Audit ... » Singapore: HAUD has now established itself as a market leading SMS firewall provider, and through ex...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

 

Cyber attackers have crossed the line between the digital and physical world warns Skoudis

Organisations and information security professionals must adapt skills to meet the threats against critical systems or face real world consequences

Organisations need to be more aware of the changing threat landscape where hackers are targeting infrastructure that is directly impacting on our physical world, believes Ed Skoudis, one of the world’s most respected security researchers and penetration testers and a faculty Fellow with the SANS Institute.

“For a while, we have seen somewhat humorous examples of hackers changing electronic road signs to give jokey messages like ‘Zombies Ahead’ instead of more useful traffic information,” says Skoudis. “But the principle is rather scary especially when you look at other real world systems that are increasingly computer controlled.”

Skoudis points to hackers attacking the uranium centrifuges run by the Iranian government as an extreme example but points out other more potential targets, “A water treatment plant is largely an automated environment run by complex computer systems. While the procedure used to refuel planes is also underpinned by software – even the electricity grid is a software centric environment.”

Hackers are looking at new ways to penetrate these often closed systems; “USB sticks, infected mobile devices, interception of data in transit and even QR codes are all areas where we have seen hackers use physical elements to breach a IT security perimeter,” explains Skoudis.” You may see comments from authors such as Thomas Rid questioning whether Cyber war is really happening? I can tell you that for every Stuxnet in the public eye, there are a dozen significant incidents across the globe that due to national security consideration will never see the light of day.”

Skoudis has conducted a demonstration of hacker techniques against financial institutions for the United States Senate and is a frequent speaker on issues associated with hacker tools and defences. He is also an author of numerous articles on these topics as well as the Prentice Hall best sellers Counter Hack Reloaded and Malware: Fighting Malicious Code.

“It is not a case of scaremongering, but more a game of cat and mouse,” he says.” Every time we spot a new method and block it, the very best of the hackers will then try a new approach. With technology constantly evolving, new exploits and a greater attack surface increase the threat. Without proactively testing defences, there is no way to know if the barricade is working as planned.”

Skoudis has authored and regularly teaches SANS courses on network penetration testing (Security 560) and incident response (Security 504); helping over three thousand information security professionals each year improve their skills and abilities to defend their networks.

“The Penetration testing skill set is also changing,” he believes. “We are increasing looking at a much wider attack surface then we did say 10 years ago. If you look at the most theoretically interesting attacks, they often used methods that combine social, physical and psychological tricks to breach secure systems.”

Skoudis believes that changes in attack patterns and targets are also reflected in the types of individuals and organisations that are increasingly investing in penetration testing skills. “The recent courses I have taught have had a higher percentage of students from the military, critical national infrastructure, manufacturing and government agencies ahead of what used to be predominantly financial services.” He says, “In addition, the types of students now includes IT professionals and managers that need to understand the core pen-testing concepts to engage pen-testers and to enact the recommendations of the testing process.”

According to Skoudis, the courses are also evolving to teach how to deliver a real business value through pen testing and a methodology to ensure processes are systematic and repeatable. “We also teach technical depth, not just teaching students how to use a bunch of tools, but to understand how the hack actually works – to help student think like an attacker so they can find the hole and close it before an attacker gains control over a critical system.”

Skoudis will be teaching SEC560: Network Pen Testing and Ethical Hacking for the first time in Europe at the upcoming SANS Secure Europe 2013. As one of the region’s largest InfoSec training events, Secure Europe will be returning to Amsterdam’s Radisson Blu Hotel from 15th to 27th of April 2013 with a roster of 8 courses including a new session covering Advanced Computer Forensic Analysis and Incident Response. For more information on the event including course overviews and GIAC Certification, or to register