By SHARE’d Intelligence Editor with Chad Rikansrud
While many people scoff at the idea of “hacking the mainframe,” a hacker looks at the system and sees plenty of possibility. Rather than seeing the mainframe itself as the “unbreakable ship” of the IT world, hackers look at the entire ecosystem and see the potential for human error; they note footholds for mayhem. How do we know this? If recent history hasn’t taught us a lesson, tapping into the knowledge of professionals who know how to think like the “bad guys” can show us all the cracks. Chad Rikansrud, cyber security guru and VP of technology at Wells Fargo, understands the hacker point of view and, fortunately for all of us, is on the “good side.”
To really illustrate the differing perspectives of a hacker and a mainframer, Rikansrud uses the example of a highly distinguished IT professional talking about his RACF database. The IT professional assumed that if he did everything by the book from a security perspective, his data would be locked down – his database would be protected. Rikansrud likens this to a burglar who, finding the back door locked, looks up and sees an open window. Any proficient burglar is going directly through the open window, or he’ll wait until the owner of the house arrives, whack him over the head with the butt of his gun, steal the owner’s keys and go about his business. Just because you lock the back door doesn’t mean there aren’t other ways into the house.
“There’s a lulled sense of security in the organization,” Rikansrud says. “It’s like if you live in a neighborhood that just doesn’t have any crime. It might be you really got lucky, or the neighborhood next to you is juicier – security by obscurity. But eventually, you’ll be next. People tend to think this way with IoT and POS systems.” To better understand the perspective of the hacker, Rikansrud takes us through a few different scenarios and shows how a hacker would work his or her way into the mainframe. Note: A real hacker probably wouldn’t leave a diary of his or her plans lying around for anyone to read.
Mission: Steal and publicly display the data of the company that unceremoniously laid me off.
Before departure, complete the following:
- Leave a back door open to access the company database after I’ve left.
- Grab as much information as possible to take with me, including the systems diagrams and a copy of the database with user I.D.s and passwords.
- Go to the company message board and find other employees unsatisfied with their jobs.
- Offer a disgruntled employee double their salary to take a malware-infected flash drive into work, plug it in and then throw it away.
Mission: Hack into data from a local government entity.
Day 1
Today, I started footprinting the organization and found that it keeps its systems in Arkansas. Thank you, Google Maps, for the help with my reconnaissance work. Now I’m working on finding the domains the organization owns, as well as its web master and employee names and locations. I’ve already uncovered some employees of the organization and have taken a look at their social media accounts. Lisa made a comment on Facebook about her work friends going to the pub across the street after work.
Day 2
I just got back from the pub the employees frequent after work and overheard them talking about Matt, the HR administrator. I can start a phishing campaign posing as Matt from HR until I find the systems administrator.
Day 3
I found the systems administrator and contacted the company’s help desk to change my password. Lucky for me, the organization uses one-factor authentication. I also asked HR for a new I.D., as I’d “lost” my previous one.
If you’re thinking, “My co-workers aren’t this obtuse – there’s no way they would fall for these scams or a phishing campaign,” then you’re wrong. Plenty of examples exist in which a hacker was able to get deep into the system by playing on average employees’ lack of data security knowledge. While this all sounds rather dire, Rikansrud has a few tricks up his sleeve that you can adopt in your organization immediately:
- You need to have someone in your organization who thinks like a bad guy. Sit people down with professionals who do cybersecurity and have them think of the worst thing you can do to your system.
- Don’t underestimate your adversary! A hacker is going to enter your system in a “cloak and dagger” style rather than smash-and-grab.
- Use two-factor authentication. It’s the 21st century. It’s time.
- Assume you are going to get breached and figure out your plan ahead of time.
- The single biggest thing, Rikansrud points out, is to have employees who are well-trained and loyal to the organization. If you have low morale where people are just biding their time before they can retire, you have a major security challenge on your hands.
“Hackers look at the entire mainframe ecosystem,” Rikansrud concludes. “They cast a wide net to get to very specific things, getting a foothold in something unsecured. Maybe it’s a place where people can upload their resumes and they infect a resume with something malicious. Those opportunities exist in any organization.”