As deputy director of information services for the city of Simi Valley, Garry Boswell regularly protects the city’s networks from hackers.
But Boswell, along with other information technology professionals and enthusiasts of all levels, recently had a chance to reverse roles — playing the role of a hacker to get into and sabotage a fictitious hospital’s information system.
It was part of a computer-oriented Red vs. Blue Team event held at California Lutheran University in Thousand Oaks and sponsored by the nonprofit Information System Security Association Ventura County Chapter.
The primary goal of the event was to teach IT and information security professionals “how to attack their own systems before attackers do” and learn some valuable lessons in the process.
The chapter partnered with Core Security at the event, providing participants with laptop computers loaded with Core’s flagship intrusion testing software called Core Impact, which assesses and tests security vulnerabilities in an organization.
Palo Alto Networks provided its next-generation firewalls to help run the event and had an engineer on hand in an adjacent room to show participants what attacks look like in real time and how the company can help manage those threats.
Stephen Maiorca, president of the chapter, said the event was held for participants to “kind of act like the bad guy.”
“We don’t always get to play on the other side. It’s illegal, so we hold events like these. If you don’t know how the hackers hack in, you don’t know how to protect the networks,” said Maiorca, whose full-time job is handling information security for a Los Angeles law firm.
Bobby Kuzma, systems engineer with Core Security, said hacking is “a huge topic of concern because most organizations don’t understand how bad their internal security is until they have skilled attackers come against it.”
“Core Security deliberately built this self-contained environment so that folks can safely learn to use testing tools. And every single vulnerability is something I’ve encountered in the wild in actual organizations in the last year or so,” Kuzma said.
Event participants got into the hospital’s network, which allowed them to gain access to patient medical devices, such as intravenous pumps, for which dosages can be adjusted. They could crack into a phone system that stored voice mail passwords and find bugs in the computer code to take control of the hospital network and steal patient data.
System administrators eventually ended up protecting the system from the hackers.
Maiorca said although the event was staged, hospitals are vulnerable to real-life hacking, which can put people at heightened risk for identity fraud — and put patients’ lives at risk.
There have been three verified attacks on hospital networks since December.
“There’s probably a lot more, and nobody’s noticed because hospitals are in the business of keeping people alive, not in the business of keeping their networks secure,” Maiorca said.
Other businesses are at risk, too.
Kuzma said he once knew of a large organization that handled financial data and had an unsecured area around its elevators and an Internet-protocol phone so people could call in.
“An attacker could drop a small device on that and they’d be on the inside of that network without ever having to pick a lock or talk to a person. That’s the kind of thing I see almost every time I do a test on an organization,” Kuzma said.
Kuzma said there are many ways IT professionals can protect their systems from known vulnerabilities, such as making sure all necessary computer patches are up to date and being careful with what is plugged into their networks.
Kuzma said people should not use easy-to-guess passwords and should not share those passwords on other systems.
“It doesn’t do a lick of good how good your security is if you’ve got the same password on your LinkedIn,” he said with a laugh.
He said good passwords are not dictionary words, since hackers can take the entire English dictionary and run through it in all variations.
“Most organizations have a 90-day rotation of passwords. It’s actually better for you to have a 15-character password that you only have to change once a year,” Kuzma said.
“I’m really fond of using favorite phrases from books and movies and using that as the base point for the password or even using the entire thing as a pass phrase.”
Kuzma said to think like an attacker when you’re looking at your environment and work with management to decide which risk factors you’re going to deal with.
He said using Core Security products, such as Core Impact, and also Core Insight, which helps large enterprises prioritize their vulnerabilities, can help.
Paul Witman, an information systems professor at CLU, said playing the role of a hacker was informative.
“As I tell my students, it’s really important to know how your opponent thinks and figuring out how to defend against that,” Witman said.
Boswell said he learned through role playing how to protect the network better.
He said Simi Valley hasn’t experienced hacking, and he hopes it stays that way.
Maiorca said it is important for any IT professional to know their own environment and network “because that’s the only way you can possibly hope to catch anybody invading it.”
“Most companies these days should have a firm grasp on the fact that it is not a matter of if they’ll be attacked,” he said. “It’s a matter of when.”