For example, the public Pastebin clipboard could be used to search for the tag words #SCADA and #IDIOTS to find public information about SCADA devices around the world, including publicly visible IP addresses of already identified vulnerable SCADA systems. The resulting search information, which was likely uploaded by attackers and hacktivists, could then be dumped into a Google search to find up to 15 times more SCADA sites that are vulnerable to the same or similar exploits, according to Marcus.
Marcus also described how one could authenticate as an administrator to these sites, completely unfettered. Once connected, one could read the contents of the system databases, change the configurations of the devices, install malicious code, and even reboot the systems with the click of a button.
So, how do we break out of this rut of focusing on the who and the why driven by media and vendor messaging? This is where the old saying "the best defense is a good offense" comes in. That's what SANS Institute's Director of Research Alan Paller told the audience at the ISSALA conference. Marcus shared these five tips:
1. Embrace and operationalize OSINT -- use tools such as Twitter, Pastebin and SHODAN to identify and capture public-facing information about your own organization and systems. This open source, publicly available information has a lot to teach us. It can provide an organization with its own insight as to how the enemy views its infrastructure and operations.
2. Don't make decisions based on industry or marketing buzzwords -- don't worry about advanced persistent threats (APTs) so much as understanding what the prize is and how an attacker could gain access to this prize.
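The first tip, turning the same public sources on your own organization, is easier to operationalize with a small triage step once records have been collected. The following script is an added example, not code from the article or from Marcus's presentation: it takes exposure records of the kind a Pastebin or SHODAN search returns (address, port, source, banner), keeps only those that fall inside the organization's own netblocks, and ranks them by whether the exposed service is an industrial protocol, a remote-administration service, or something else. The record format, the netblocks (RFC 5737 TEST-NET ranges) and the sample records are all constructed for the example; the port-to-protocol mapping uses the standard registered ports.

```python
"""Added defensive OSINT example (not from the article): triage exposure records
against an organization's own address space.

The article's first tip is to use public sources (Pastebin, SHODAN, Twitter) to
see what an attacker can see about your own systems. This script models the
review step: take records collected from such sources and flag the ones that
fall inside your own netblocks and expose industrial or administrative services.
All addresses, netblocks and records below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Registered ports of common industrial protocols; exposure of these on the
# public internet is a red flag regardless of banner content.
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet",
}
# Generic remote-administration services that should not face the internet
# from a control network either.
ADMIN_PORTS = {23: "telnet", 3389: "rdp", 5900: "vnc"}


@dataclass(frozen=True)
class ExposureRecord:
    ip: str       # address as reported by the public source
    port: int
    source: str   # where it was seen, e.g. "shodan", "pastebin"
    banner: str   # free-text banner or paste snippet


def own_networks(cidrs):
    """Parse the organization's netblocks once so membership tests are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_ours(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify(record):
    """Map a record to (kind, service name) based on the exposed port."""
    if record.port in ICS_PORTS:
        return "ics", ICS_PORTS[record.port]
    if record.port in ADMIN_PORTS:
        return "admin", ADMIN_PORTS[record.port]
    return "other", f"tcp/{record.port}"


def triage(records, cidrs):
    """Return (severity, service, record) for records inside our netblocks,
    highest severity first."""
    networks = own_networks(cidrs)
    findings = []
    for r in records:
        if not is_ours(r.ip, networks):
            continue  # somebody else's exposure; not ours to fix
        kind, service = classify(r)
        severity = {"ics": "high", "admin": "medium", "other": "low"}[kind]
        findings.append((severity, service, r))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f[0]], f[2].ip, f[2].port))
    return findings


# Constructed sample data: TEST-NET ranges from RFC 5737, not real hosts.
OUR_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]
SAMPLE_RECORDS = [
    ExposureRecord("192.0.2.10", 502, "shodan", "Modbus unit id 1"),
    ExposureRecord("192.0.2.10", 80, "shodan", "HTTP/1.1 200 OK"),
    ExposureRecord("192.0.2.44", 23, "pastebin", "#SCADA login banner"),
    ExposureRecord("198.51.100.200", 20000, "shodan", "DNP3"),  # outside the /25
    ExposureRecord("203.0.113.5", 502, "pastebin", "#SCADA"),    # not our space
]


def summarize(records=SAMPLE_RECORDS, cidrs=OUR_CIDRS):
    """Count findings by severity; a simple metric to track over time."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in triage(records, cidrs):
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, service, r in triage(SAMPLE_RECORDS, OUR_CIDRS):
        print(f"{sev:6} {r.ip}:{r.port:<5} {service:12} via {r.source}: {r.banner}")
    print(summarize())
```

Run as a script it prints the three findings inside the sample netblocks (the Modbus exposure first) and drops the two records that belong to other address space; feeding it a real export from your own OSINT collection only requires producing `ExposureRecord` values from that source's output.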
Marcus says to "go for the basics." All of the SCADA systems Marcus identified and accessed during his demonstration failed basic security measures, even though the operators of the systems likely had intrusion prevention systems (IPS), intrusion detection systems (IDS), and other APT-fighting technologies in place to guard against attack, as most organizations do today. "These protections likely weren't configured properly or simply weren't capable of guarding against the well-known vulnerabilities," said Marcus.