Municipal IT departments need to scan their environments for external vulnerabilities the way threat actors do, says an expert.
“If you don’t take a look from an attacker’s point of view [at your environment] it’s very hard to be able to know what to protect,” said Frank Fazio, founder of CySat Security, an awareness training firm that often works with municipalities. “You’ve got to recon your own site.”
He was interviewed Tuesday after giving a virtual keynote address at the annual meeting of the Ontario chapter of the Municipal Information Systems Association (MISA).
Reconnaissance of a target is the first tactic of any threat actor, he told the conference, after which it scans for weak points, gains access, maintains access and, after getting what it wants, clears evidence it was there.
Municipalities do a good job of everything except looking at themselves to catch and close things like open ports and exposed files, Fazio said.
“We need to work on reconnaissance,” he said. “When was the last time we searched the internet to see what comes up on our municipalities? How do we protect something that we don’t know is being exposed?”
“You don’t know what you don’t know. How do I know if I have files exposed on the internet” without looking, he asked.
Infosec pros may know about the Shodan search engine, which is used to find exposed internet-connected devices. But, Fazio said, Google can be used the same way in a technique called dorking.
In fact, there are a number of Google Dork cheat sheets on the internet with lists of search parameters used by ethical hackers.
Fazio demonstrated how a search could be used on a municipality’s domain to mine for .env files, which are text configuration files created by application developers that could include sensitive information such as passwords.
Through Shodan, infosec pros can find all the SSL certificates registered on a municipality’s domain, he said. The search engine can then be used to find the website associated with that certificate, which could be an administrator or employee login screen – a great target for a threat actor.
Shodan can also be set up to monitor a municipality’s IP addresses, open ports and other items, Fazio said, and to email an administrator if something changes.
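The flip side of the .env dorking Fazio demonstrated is checking your own web server logs for it. The script below is an added example (not from Fazio, CySat Security or the conference): it parses Apache/nginx combined-format access log lines, flags requests for secret-bearing dotfiles, and separates the ones the server actually served (an exposure to fix now) from the ones it refused (a probe worth watching). The log lines and the sensitive-file list are constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical watch list: files that hold credentials and must never be served.
SENSITIVE = re.compile(r'(^|/)(\.env(\.[\w.-]+)?$|\.git(/|$)|\.htpasswd$)')

# Constructed sample lines; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2020:10:01:03 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Nov/2020:10:01:09 -0500] "GET /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Nov/2020:10:02:44 -0500] "GET /app/.env.backup HTTP/1.1" 404 196 "-" "python-requests/2.24"',
    '198.51.100.23 - - [12/Nov/2020:10:02:45 -0500] "GET /.git/config HTTP/1.1" 403 199 "-" "python-requests/2.24"',
    '192.0.2.5 - - [12/Nov/2020:10:03:10 -0500] "GET /about.html HTTP/1.1" 200 3021 "https://www.google.com/" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_access_log(lines):
    """Return (exposures, probes).

    exposures: (path, client ip, timestamp) for sensitive files the server answered 2xx to,
               i.e. the file exists and was handed out.
    probes:    per-client count of sensitive-file requests that were refused (403/404/...).
    """
    exposures, probes = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query string when matching
        if not SENSITIVE.search(path):
            continue
        if 200 <= int(rec["status"]) < 300:
            exposures.append((path, rec["ip"], rec["ts"]))
        else:
            probes[rec["ip"]] += 1
    return exposures, probes


if __name__ == "__main__":
    found, probed = audit_access_log(SAMPLE_LOG)
    for path, ip, ts in found:
        print(f"EXPOSED: {path} served to {ip} at {ts}")
    for ip, n in probed.items():
        print(f"PROBED: {ip} requested {n} sensitive path(s) and was refused")
```

A 2xx on a path like /.env means the file is live on the internet; rotate any credentials inside it before fixing the server configuration, since a dork search may already have surfaced it.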
Fazio also spoke of the need for security awareness trainers to spice up their messages. “We’ve got to start making our training sexy,” he said – meaning make lessons relevant to employees.
For example, in his classes he tells of how the chair of Hillary Clinton’s U.S. Democratic party presidential campaign was fooled by a phishing email into giving away his password, which led to the hacking of the campaign’s email system.
(Actually, he did the right thing by being suspicious and asking the campaign’s IT staff if the message was legit. IT said it was.)
Another real-world blunder Fazio uses is the story of a U.S. woman who, immediately after winning $825 at a race track, posted a photo of herself on social media holding the winning ticket. Before she was able to cash it in someone printed the photo of the ticket and its bar code, went to an automated payout machine and walked off with the money.
A third true story he tells is of a woman who fell for a business email compromise scam. After her boss left for a vacation she got a supposed email from him saying he needed money transferred to an account. She did as he asked. The company fired and sued her for $138,000 for the money the company’s insurance wouldn’t pay.
Note to executives: The woman testified at trial that she wasn’t given awareness training. The judge believed her and dismissed the lawsuit.
Finally, Fazio told the conference of a phishing test he runs for clients when his private firm is hired for awareness training. He sends out a message with the subject line “Dress Code.” Purportedly from the human resources director and/or the municipality’s chief of staff about a new corporate dress code, it includes a link to a document supposedly outlining the new rules. Although there are clues in the message that it’s a fake, including the fact that the email system labels the message as ‘External’ – meaning it came from an email system outside the organization – every employee clicks on the link.
“We’re not trying to trick people,” Fazio stressed. “We’re trying to teach them how easy it is to be manipulated.”