The Applied Pentester


Information security, the applied kind, must take leakage into account alongside penetration tests. I'll throw this out as food for thought.

The first portion. PB and OT

Information security is always a conflict of interests between the Security Service (SB) and IT and, strange as it may sound, between the SB and PB and OT (industrial safety and labor protection).

What is industrial safety? What is labor protection? What do they have to do with it?

No, I get it: the SB is the security service, security is in their blood, they can be tightened to the maximum so that everyone is controlled, so that nobody can take a step without their knowledge. Well, why not...

I get it: IT is information technology, and what's in their blood is making things easy and convenient, using one admin account on all servers so as not to bother setting up rights in different systems, so as not to bother with cross-domain, cross-system, cross-service permissions. Yeah, right...

The SB and IT always have a conflict of interests; that is obvious to everyone. Competent IT is always a bit of SB, and a competent SB is always a bit of IT. But what do PB and OT have to do with it? An occupational safety engineer is almost never IT or SB, and he couldn't care less about either of them.

For now you will have to take it on faith that a third participant suddenly gets dragged in here, or you can think it over a little while you read on.

The second portion. ACS, APS, SOUE, SMIS and SMIK

ACS (access control system): no doubt here. If there is an SB, then the ACS is the SB's prerogative, and the SB will do everything to take this system away from IT, because otherwise it is just not realistic.

APS (not the pistol, but the automatic fire alarm): if the SB is not lazy, it will be under the SB's control, but more likely under PB and OT, and IT is unlikely to be responsible for this system.

SOUE (evacuation alert and control system): as a rule, in the same hands as the APS, and there is no point in separating the two from each other.

SMIS and SMIK (monitoring of engineering systems and of building structures): usually this is the engineer in dispatch together with the corresponding engineering services, but there are cases when SMIS and SMIK are integrated with the SOUE, and quite often.

What was I talking about? Ah, yes, the SOUE: this system will break your information security ("your" with a small letter, because it is about your company, not out of any disrespect for you). Haven't guessed yet? Look: you have security regulations, you have IT requirements for information security, you have covered attackers' penetration routes from all sides, you seem to control their activity in every possible IT system, you seem to fully control the entry and exit perimeter, you have even had all employees sign off on your IS policy, and you have even rolled out DLP.

And then the labor protection engineer came and hung a fire evacuation plan on the wall.

What am I talking about?

I suggest thinking again.

The third portion. Penetration

Everything is fine with the SB, everything is fine with IT, and yet your company managed to "let a spy" inside the building, perhaps even with a tour of your holy of holies, the server room or data center, or maybe just your Open Space, where everyone sits together: ordinary clerks and the general director along with the other top managers.

Or maybe it's not a "spy" off the street but an employee who already works for you; someone simply paid him to carry out a dozen 2.5" SAS disks from your disk shelf, or the finance director's laptop together with the portable BitLocker-encrypted drive that the finance director hands over to the safe at the end of the working day, or the client-bank USB flash drive with the certificates, along with the hardware RSA token on the same keychain.

No, of course you have an ACS, and even a metal detector gate, which of course will not let this "spy" do any of the above. Well, you probably issued this spy a visitor pass; purely theoretically, if nobody screwed up, he cannot get anywhere, and if escorted, at most he gets a look at the Open Space under escort.

Now it gets more interesting.

In any case, we treat this as a fait accompli: the person is inside. Or maybe that is already enough?

The fourth portion. And still, what do PB and OT have to do with it?

Probably everyone has already guessed that the influence of PB and OT on information security is direct and immediate. How, for example, does that same fire evacuation plan agree with IS? Most likely, in no way; moreover, in 99.99% of companies it does not agree with IS at all, because it is industrial safety and labor protection. Ensuring the safety of employees' lives comes above everything else; honestly, I don't argue with that. For this reason, when the fire alarm goes off, all personnel will immediately leave the danger zone; after all, they have been drilled regularly, thanks to the labor protection engineer. Most likely they will leave the building, passing through your entire access control system completely calmly, without inspection and without stopping, simply ignoring all the SB's regulations. Whoa...

But how? Very simply: it's PB and OT, after all...

Details? I have them.

You allocated a lot of money for ACS, APS, SOUE, SMIS and SMIK; a cool system integrator offered you an awesome solution based on a single vendor, all the systems are integrated with each other, and at the head of it all is the SOUE. All your doors are fire-rated with panic bars; of course they have ACS modules, and in a normal situation they cannot be opened without a key or a fingerprint, but the SOUE nullifies the entire ACS under certain conditions: when the APS is triggered. Heh. And if you are in a seismically active zone, then SMIS and SMIK also affect the ACS. True, while everything is simple with the APS (it is enough to set something smoldering), it is a bit more complicated with SMIS and SMIK; they are not so easy to deal with, the emergency response is complicated, but nobody has cancelled sabotage of the data line and of the sensors themselves; there can be plenty of signals to trigger the SOUE.

Or maybe you didn't allocate a lot of money, the systems are all different, a cheap domestic Bolid kit, but even in this case, when the APS fires, the SOUE turns on and opens all the doors outward, or the APS sends a signal directly to the ACS. Because that is how it should be: come out, dear spy.

All that remains is to get acquainted with the fire evacuation plans, see the assembly point for evacuation outside the enterprise territory, beyond the gates, look at the target, find the sensor, and smoke.

The fifth portion. No, we have CCTV, we'll find him later

Most likely yes, you will find him on the video recordings. But we are adults and must understand that a person who goes for such actions is a "kamikaze": he doesn't plan to come back to work for you tomorrow, he doesn't plan to go home and start drinking away what he "earned" on the deal; rather, he plans to get as far away as possible, as fast as possible. So looking for him will be almost useless. And why look for him, if what you needed has already been stolen.

And besides, how quickly will you discover that something has been stolen? An hour or two? Tinkoff Bank executes transfers fast enough.
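An added example (not code from the original post): when the SOUE releases the doors, the ACS records exits without any badge, so the only thing a defender can reconstruct is who was inside when the APS fired and who had recently been in a sensitive area. Correlating the two logs gives the CCTV review a short, ranked list instead of a full day of footage. The log format, badge ids, door names and timestamps below are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AcsEvent:
    ts: datetime
    badge: str        # "" when the SOUE released the door and no card was presented
    door: str
    direction: str    # "in" or "out"

def t(hhmmss):
    """Helper for the constructed timestamps below."""
    return datetime.fromisoformat(f"2024-01-01T{hhmmss}")

# Constructed sample ACS log: three badge-ins, one server-room entry, one
# badge-out, then unbadged "out" releases once the APS fires at 10:00:00.
ACS_LOG = [
    AcsEvent(t("08:55:00"), "B001", "lobby", "in"),
    AcsEvent(t("09:02:00"), "B002", "lobby", "in"),
    AcsEvent(t("09:40:00"), "B003", "lobby", "in"),
    AcsEvent(t("09:50:00"), "B002", "server", "in"),
    AcsEvent(t("09:58:00"), "B003", "lobby", "out"),
    AcsEvent(t("10:00:00"), "", "stair2", "out"),
    AcsEvent(t("10:00:05"), "", "stair2", "out"),
]
APS_ALARM = t("10:00:00")   # constructed APS trigger time

def present_at(log, ts, entrance="lobby"):
    """Badges whose last entrance event before ts was an 'in' (never badged out)."""
    last = {}
    for e in sorted(log, key=lambda e: e.ts):
        if e.door == entrance and e.badge and e.ts < ts:
            last[e.badge] = e.direction
    return {b for b, d in last.items() if d == "in"}

def review_list(log, alarm_ts, sensitive=("server",), lookback=timedelta(minutes=30)):
    """Who was inside when the APS fired, ranked by recent sensitive-area access,
    plus the number of door releases recorded without a badge during the alarm."""
    inside = present_at(log, alarm_ts)
    recent = {}   # badge -> latest sensitive-door entry inside the lookback window
    for e in log:
        if e.badge in inside and e.door in sensitive and alarm_ts - lookback <= e.ts < alarm_ts:
            recent[e.badge] = max(recent.get(e.badge, e.ts), e.ts)
    unbadged = sum(1 for e in log if e.ts >= alarm_ts and not e.badge and e.direction == "out")
    ranked = sorted(inside, key=lambda b: (b not in recent, b))
    return [(b, recent.get(b)) for b in ranked], unbadged

if __name__ == "__main__":
    rows, released = review_list(ACS_LOG, APS_ALARM)
    print(f"{released} unbadged exits during the alarm; review in this order:")
    for badge, last_sensitive in rows:
        print(badge, "last sensitive access:", last_sensitive)
```

The list only narrows the footage to look at; it says nothing about what left the building, which is the author's point.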

Conclusion

So where does the pentester come in, and an applied one at that?

We always think about penetration and sabotage, but we rarely think about how information / valuables (which are the same thing) get carried out after a successful penetration. The pentester shows us the possibilities for penetration and sabotage, while the applied pentester shows us the possibilities for leakage, for carrying things out.

When you start writing IS regulations, when you coordinate them with the SB, do not forget about PB and OT: they always have a different view of security. On their side is the law, which must be observed. On their side are the firefighters, who couldn't care less about your IS regulations and your SB, and so you will have to look for options together with PB and OT in which the wolves are fed and the sheep are safe: the evacuation happens, and nobody gets out unsearched. And worst of all, PB and OT cannot be forced to do anything that contradicts the law, so you will have to align your regulations with the PB and OT plans, together with the SB.

It is difficult, but not impossible, and then it will no longer come as a surprise.

And yes, in this little opus I consider the APS and SOUE options as one attack vector, but ambulance crews and seriously ill people on stretchers still leave without inspection, off camera... more food for thought...
