09 Jan Cybersecurity: How To Get Caught Robbing A Bank
This is the best possible outcome, one pen-tester argues
– Melbourne, Australia – Jan. 9, 2022
Jayson E. Street loves to talk about the most memorable security breach he has ever attempted — but it’s not the time he nearly ended up in a Lebanese prison after robbing the wrong Beirut bank (a few too many Diet Pepsis, he explains, sent him looking for a restroom and he walked into the wrong bank by accident).
“I have been in so many different high-stress situations, being caught by guards and being caught by people,” he told Cybercrime Magazine, admitting that he was “flabbergasted” when the bank manager told him the bank he was supposed to be penetration-testing was located next door.
“This was a failure on my part even though I was successful,” he said. “I was flabbergasted — and I was legit bad on that one. It was a learning experience, and it took me four hours to stay out of Lebanese prison.”
For all the drama of that incident, however, it’s not the one that Street prefers to look back on. That honor goes to his 2019 penetration of a high-security company — think high floor in a skyscraper, armed guards, high-grade elevator surveillance, and so on — that he was able to successfully infiltrate despite management’s confidence that it was impossible.
It wasn’t the initial breach that he is proud of, however, but the year after it — in which the company followed his recommendations by investing heavily in security awareness training.
Cybercrime Radio: Jayson E. Street
Hacking Into Banks
“They took information security and awareness to a whole other level,” said Street — who was called back in early 2020 to try breaching the system again.
This time, despite changing his appearance, he was stopped and questioned almost every time he tried to compromise a company workstation.
“I did get in and managed to compromise a couple of machines,” he recalled, “but when I went further and started going to the other sections, every single time I was always stopped and questioned.”
Employees would challenge his assertions by saying that they hadn’t received an email about the supposed maintenance visit, for example — and when Street offered to provide the helpdesk number, now-vigilant employees would look it up themselves.
“I got caught every single time,” Street said. “And if that is not a success, I don’t know what is. They got me 100 percent. The win was on them. And that’s what it should be.”
Everyone is exposed
Despite billions spent on security tools and education, pen-testers are showing worrying consistency in working around them.
In one recent Positive Technologies survey of pen-testers, for example, 93 percent reported being able to breach network perimeters and access local network resources.
When banks were targeted, every single one was able to be disrupted in some way, with quality of service impacted.
In 71 percent of cases, pen-testers hired to test “unacceptable events” needed less than a month to do so — disrupting production processes, disrupting service delivery processes, compromising the digital identity of top management, stealing funds, stealing sensitive information, and committing fraud against users.
Industrial companies were even easier to breach, with these goals achieved in 87 percent of pen-testing efforts.
Yet if getting caught is the ultimate vision of success for Street — a seasoned penetration tester who has developed a specialty in robbing banks to test their security controls — not getting caught is even worse, because it means that the company has failed to develop effective education programs for employees who are critically important to effective security.
“I don’t do APT simulations,” he laughed. “I just do bad, basic, adorable destruction. I try to be the worst possible thing to happen to you in the worst possible way, at the worst possible time.”
“Then I show you how to create a defense using the three E’s — empower, educate, and enforce security policy — so your workforce understand that they are able to say, ‘No, I’m sorry, I can’t let you in.’”
Getting to that point can take time, particularly when management fails to understand that building and maintaining a culture of security is as much their responsibility as conventional OH&S controls or protection from natural disasters.
“I’m not just here to show your faults or vulnerabilities,” Street explained. “I’m the advocate for your employees, and I’m there to teach them to get better. I don’t report failures [because] you cannot punish people for something that they are still learning.”
Education, not chest-thumping
The idea that pen-testing is a force for positive change, rather than an audit tool to identify weaknesses, has led to many conflicts with executives that continue to believe the benchmark of good security is that it be impenetrable.
That’s a “ridiculous” goal, Street said, whose frivolity is corroborated by the high success rate reported in the Positive Technologies survey.
“It’s not about who has the biggest wall or the thickest wall,” he explained, “because with a determined attacker the wall will be breached.”
And while he was successful in the case where he got caught, Street said, “I had to be way more creative. I had to work at it harder. And that is what it’s about.”
“The whole key thing with your defense system should be: how long does it take for the attacker to get in? How quickly can you identify that you’re being attacked? And then, how quickly can you respond and contain the attacker?”
Street has had a few run-ins with managers whose black-and-white worldview conflicts with the idea that security is an opportunity to focus security education, rather than a way of identifying and punishing employees just because they can be tricked into clicking on a phishing email.
Which reminds Street of one other client, whose CEO enlisted him to run a phishing test and provide a list of employees who failed the test so they could be disciplined or fired — a naming-and-shaming approach with which Street was uncomfortable.
After a series of discussions, Street recalls, he said to the “adamant” executive, “Just to make this clear, you want me to be successful, and I can pick 1 to 100 people to target who are employees of your company, and I have to give you their names?”
Twelve hours later, Street delivered his report with just one name on it: that of the CEO who hired him.
“I did not get rehired by him for the next job,” Street recalled, “but I am very happy about not getting that business. I am there to help and be an advocate for your employees, and for the security of your company — not to be a ‘gotcha’ guy, or someone that’s just going to check a box.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.
Go here to read all of David’s Cybercrime Magazine articles.
