
Once upon a time in Cyberland

If the fool warns of a risk, run away.
Teke proverb


In [01], I mentioned that the risk can be internal to the organization you are managing, administering or supervising. I vaguely had in mind (without actually quoting it) the story of the Trojan Horse, which is one of the greatest war tricks of all time, you will agree. Now let us look at the case of a user with high privileges, acting clumsily and, of course, unintentionally.

Before starting, it should be noted that any resemblance to real facts is purely and fortuitously coincidental. This article reflects only the author’s opinion.

As an illustration, [02] describes a fictitious cyberattack between two States. In this article we will use that attack as a model and consider three main actors: the victim user (the Good), the administrator of an organization (the Ugly) and the attacker (the Bad). To sum up, the Bad wants to attack the organization managed by the Ugly by manipulating the Good. Of course, the Bad’s motivations can be many: espionage, destabilization, destruction, etc.

The Ugly is the administrator of a computer fleet in which all users (including the Good) are administrators of their own workstations. This practice is not recommended at all, but I deliberately give the Bad the best possible conditions.

One day, in the middle of a casual conversation, the Good innocently tells the Ugly that during a business trip he met a young woman (or a young man, depending on the preferences the Bad will have detected through a well-targeted social engineering technique) with whom he immediately got along. Now we can smell the trap, right? Years ago, an old colonel told me: “If in twenty years you’ve never had any success with girls and now beautiful blondes fall into your arms, it’s suspicious, be careful!” He had understood everything, of course!

In short, the Good gets along with this strangely pleasant person. The Good mentions that he would like to communicate with his company but has no SSL VPN tool (for example) to do so. How convenient: the new girlfriend (or boyfriend) knows the subject well and, of course, recommends a tool that works very well and is also free. Without asking the Ugly for advice and trusting this new acquaintance, the Good installs the tool on his workstation (he is an administrator, do not forget it) and thus believes he can communicate safely with his organization.

Stop, end of the story… The wolf has entered the sheepfold. We have given him the keys to the house, we have opened the door and, on top of that, we let him lie in our bed. Why would he hold back?

As you may have understood, the Bad is the person met “by chance” (chance always does things well, doesn’t it?). Through a simple manipulation (and, above all, a lack of vigilance on the victim’s part), the Bad has potentially taken control of a workstation of the organization, from which he can move around inside it with ease.

In conclusion, as mentioned in [01], security is not an option, but it is not a sinecure either, I admit it. In the cybersecurity field, informing and educating users (with or without high privileges) must be a priority for information system administrators. However, this awareness is not enough to avoid every trap and must be complemented by technical measures such as (non-exhaustive list):

  • Complete hard disk encryption,
  • No regular use with administrator rights,
  • Use of ICT tools that have been widely tested (or certified) and, above all, validated by the organization’s administrator,
  • Dedicated stations for travels, etc.
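The four controls above can be turned into a routine compliance check run over the fleet inventory, so that a workstation in the Good’s situation (local admin rights, an unvalidated VPN client, no disk encryption, a regular machine taken on a trip) is flagged before anyone has to rely on a casual conversation. The script below is an added example, not code from the article or from Systancia; the inventory records, the allow-list of validated tools and the field names are constructed for the illustration.

```python
"""Audit a workstation inventory against the article's baseline controls:
full-disk encryption, no everyday administrator rights, only validated tools,
and dedicated stations for travel. All inventory data here is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed allow-list of software validated by the organization's administrator.
APPROVED_TOOLS: Set[str] = {"corp-ssl-vpn", "office-suite", "endpoint-agent"}


@dataclass
class Workstation:
    hostname: str
    primary_user: str
    local_admins: Set[str]          # accounts in the local Administrators group
    disk_encrypted: bool            # full-disk encryption active
    installed_tools: Set[str]       # software inventory reported by the endpoint
    dedicated_travel_station: bool  # machine issued only for business trips
    used_off_site: bool             # seen on an external network recently


def audit(ws: Workstation) -> List[str]:
    """Return one finding per violated control; an empty list means compliant."""
    findings: List[str] = []
    if not ws.disk_encrypted:
        findings.append("full-disk encryption is not enabled")
    if ws.primary_user in ws.local_admins:
        findings.append(
            f"primary user '{ws.primary_user}' holds local administrator rights")
    unapproved = sorted(ws.installed_tools - APPROVED_TOOLS)
    if unapproved:
        findings.append("unvalidated software installed: " + ", ".join(unapproved))
    if ws.used_off_site and not ws.dedicated_travel_station:
        findings.append(
            "regular workstation used off-site instead of a dedicated travel station")
    return findings


def audit_fleet(fleet: List[Workstation]) -> Dict[str, List[str]]:
    """Map each hostname to its list of findings."""
    return {ws.hostname: audit(ws) for ws in fleet}


# Constructed inventory mirroring the story: the Good's laptop after the trip,
# and a colleague's machine configured the way the article recommends.
FLEET = [
    Workstation("ws-good", "good", {"Administrator", "good"}, False,
                {"office-suite", "free-vpn-from-new-friend"}, False, True),
    Workstation("ws-compliant", "alice", {"Administrator"}, True,
                {"office-suite", "corp-ssl-vpn", "endpoint-agent"}, False, False),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(FLEET).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for finding in findings:
            print("  -", finding)
```

In practice the inventory would come from the endpoint management or monitoring tool already deployed on the fleet; the point of the example is that each control in the list is cheap to express as a check, and that the unvalidated-software finding is exactly the one that would have caught the Good’s new VPN client.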

To conclude, as French Prime Minister Édouard Philippe said: “Security is everyone’s concern.” Personally, I invite you not to become paranoid, but always to behave responsibly.


Antoine COUTANT – Chief Cybersecurity Officer


References

[01] Soliloquy around a consistent monitoring approach, https://www.systancia.com/en/soliloquy-around-a-consistent-monitoring-approach/

[02] Cyberattaque 2.0 : comment mêler exploits techniques et manipulation humaine ?, https://www.cesar-conference.org/wp-content/uploads/2017/06/actes_CESAR2010.pdf