Red Cell Security Testing – Just when you thought you were safe

Drazen Drazic

Drazen Drazic is the managing director of Securus Global, a leading Information Security consulting organisation specialising in application and network security, penetration testing and product testing for international security vendors. He is engaged as a consultant across most industry sectors on Information Security policy and strategy. In earlier times, he has headed up Information Security for a global investment bank and Big-Four professional services firm, been a regional IT director and has spent years promoting and talking about information security. Twitter: @ddrazic

It sounds like something out of the movies, but if you’re not thinking about it, you’re getting further behind the game in terms of your corporate security. Don’t worry, there are so few companies in the private sector in Australia doing this at the moment that you could catch up quickly and promote yourselves as “thought leaders” by doing it now! Now that’s a win and something to promote to your clients.

In the previous (to be continued) article, we looked at the state of penetration testing: its importance and, more so, how companies can get it wrong – very, very wrong.

But once you start to get it right, it’s then time to really get serious, and further shift the paranoid meter up a few more notches – because trust me when I say it, you MUST.

Dubbed “Red Cell Testing”, it’s testing that targets things like social engineering: strategic phone calls, phishing – right through to covert access and even things like camera redirection. It’s not new. Kevin Mitnick and others took it mainstream years ago, but so many people think it just can’t/won’t happen to them.

Re-read that last article before coming back to this point in my rant so you have some reference point from which to try to determine whether you want to flame me for what could be perceived by the cynical as nothing more than me trying to scare business out of people. For those people who know me, they know it’s not my style. I’ll usually leave the questionable scare marketing to many of the AV marketing departments. I can’t compete with the experts.

In the last blog, I talked about the bad guys. (Aside: I love that term “bad guys” – it’s open enough to fit so many criteria definitions.) I mentioned that if they really want your stuff, they will get it. Full stop. All you can really do is to make it harder for them, to the extent where you hope it becomes too hard and they get bored and/or frustrated with your company and move on to someone else – unless you’re the specific target, in which case, they’ll probably continue on.

If they’re smart [the bad guys], they’ll plan their work and get to your data the easiest way they can, without making noise to wake up the sleeping monitoring systems (if they’re plugged in) and take the sysadmins away from their latest online games. (I just finished BF 2, so that shows how far behind the games I am.) To be fair, there’s a load of good sysadmins out there who all know this stuff, but given they’re not supported by their companies and the weapons they get to defend your company’s systems equate to a set of nunchakus in a battle versus a BFG, why enter the battle?

Let’s get serious again: if your technical Internet security is weak, the bad guys will just waltz in past your firewalls, IDS/IPS and WAFs. If you’ve got your act together somewhat and are making it difficult for them, well, they’ll make a few phone calls and/or do a few other things and your staff will help them achieve their goal. Why spend hours, days and weeks when you can spend a few minutes and get what you need to own a large company reasonably quickly and easily?

As one of our team demonstrated at the 2010 Defcon Social Engineering Capture the Flag competition, in the space of one 20-minute phone call he was able to gather enough information that, if he had had malicious intentions, he could have owned that global corporation.

The last 6 months or so, at least going by what’s been printed in the media, have shown it will and does happen. And, as I said last time, what you read about is just the tip of the iceberg in terms of how much it does happen.

As I said, a “hacker” can hack away for a long time to find an elusive entry point to reach their target information, but combine that with a few “smart” phone calls, as just one example, and you can have all the information to achieve your target within minutes at times. Once you have that, you’ll generally slip under the radar of all technical security controls, avoid detection and it’s Game Over!

*The level of “Game Over” is then in the hands of the attacker and no longer in the control of the organisation!*

In the few Red Cell engagements undertaken by Securus Global in Australia, it’s rarely taken more than a few hours (and in some cases, we could count it in minutes) for the companies being tested to be “owned”. By owned, it means we’ve got enough information and access to do pretty much whatever we like and in most cases, be able to do it all at our own pace and leisure, and undetected. Scary really.

So why do so few companies head down this path? Let me put these reasons out there as a starting point:

1. Some are not aware of these risks – scary in this day.
2. Some just don’t believe they have a risk.
3. Some are just too scared to find out the truth.

The former reasons are worrying enough; the latter is just plain bad management! Red Cell testing should be viewed from the positive aspects and not have that fear of upsetting people – people learn from these things [Red Cell testing].

A security strategy doesn’t stop at the technical level. Your people are your biggest weaknesses so companies need to improve their staff’s security knowledge, make them aware of how they can be targeted and train them in what they need to do and how they respond to events around them. People can learn quickly. Security hardware costs a lot – security awareness programs can cost only a small fraction of the price of hardware and make a far larger difference and impact immediately! All companies should be planning these types of tests and awareness programs.

So the upshot is that companies need to decide whether they want some short-term pain (reality checks) or longer-term, business-threatening issues, because once the attacker is in, it is Game Over. Is that worth the price of not upsetting some in the company beforehand?

Tags: Securus Global, social engineering security, 2010 Defcon Social Engineering, Red cell testing
