Probing for weaknesses

Viasat’s Red Team starts its cybersecurity work with vulnerability assessments.

cyber-month-3.jpg

This is the second of several articles to mark Cybersecurity Awareness Month, an annual outreach begun in 2004 by the National Cyber Security Alliance & the U.S. Department of Homeland Security. The initiative’s overarching theme is “Do Your Part. #BeCyberSmart.”

———

The five members of Viasat’s Red Team have the weighty responsibility of hunting for cybersecurity threats. But that doesn’t mean they don’t occasionally get to have a little fun.

The team is a group of five dedicated to finding cybersecurity system gaps both within Viasat and for customers who contract with the company for the service.

A good portion of their time is spent conducting vulnerability assessments – an automated, high-level test that shows missing gaps in security. To prove they’ve thoroughly examined a system for such weaknesses, Red Team members document their efforts, using clear but non-malicious examples that their clients can easily understand.

“If you can tell a story of how a real-world threat will take advantage of a vulnerability and how it will impact their business, it brings it home to them,” said cybersecurity engineer and Red Team member Jonathan Wyatt.

While vulnerability assessments are more automated, penetration tests dive in deeper. For the Viasat team, that’s even included taking over HVAC systems.

“Often, you can take over a system because the default password was never changed,” said cybersecurity systems engineer Jim Heyen. “I’ve gone into offices and cranked up the heating and air conditioning – all because someone left the default password in place.”

When Heyen tried this method with another client, he ran into an unexpected obstacle.

“I changed the temperature because I wanted a screenshot to prove I could do it,” he said. “But the temperature kept going up. I thought something was wrong because it kept correcting itself. It turned out an employee was sitting in the office and could see the numbers changing, so he kept getting up to readjust the temperature. We had this little game going between us.”

Setting a baseline

Vulnerability assessments are a crucial step in establishing base-level cybersecurity and mitigating threats. They’re usually a precursor to a more involved process.

The systematic review checks to see if a system is susceptible to vulnerabilities, assigns severity levels to the vulnerabilities it finds, and it concludes with recommendations on any needed remediation or mitigation.

The Red Team spends about a quarter of its time conducting such assessments, a service it provides for both clients and teams within Viasat. It typically passes its findings to Viasat’s Blue Teams – the Cyber Security Operations Center and corporate IT security – separate groups that resolves security issues.

“Our team doesn’t necessarily do the remediation; we just tell the clients what their risk is,” Wyatt said. “We don’t try to convince them to do one thing or another. Our job is to give them the best information we have and suggestions to make the most informed decisions.”

The vulnerability scan is not only the first step in any security assessment, it’s typically repeated on a regular basis, and with system changes or updates.

Depending on the client’s needs, it’s almost always followed by the deeper penetration (“pen”) test. The latter’s more detailed, hands-on examinations go far beyond finding those gaps; they exploit those weaknesses within a system.

Wyatt describes the vulnerability assessment as “a snapshot in time” of what an organization or product’s vulnerabilities are. The pen test, meanwhile, shows what could happen if those vulnerabilities were exposed and acted upon.

In some cases, Wyatt said, clients only need proof of the vulnerability assessment to establish compliance with required processes; the more in-depth pen test isn’t always part of those requirements.

The process typically follows three steps: Testing to determine the vulnerabilities, analyzing to find the root cause of each issue, and assessing the severity of each risk.

Depending on the client, the Red Team may then recommend they patch the problem, mitigate it, monitor the issue, or “harden” – aka remediate – the vulnerabilities it finds. Clients also have the option of simply accepting the risks the assessment reveals.

“How we remediate them really depends on the customer,” Wyatt said. “They’re the ones that make those decisions because they’re the ones that own the risk.

“The vulnerability scans only show what the vulnerabilities are. But it could be a false positive. With the pen test, you try to exploit that vulnerability to see if it’s real or not.”

The vulnerabilities revealed are typically human-caused, but finding those issues – regardless of the cause – is important. An exposed vulnerability can affect a company’s bottom line.

“It’s important to have a good vulnerability management program, and one that includes not only the technical people but the businesspeople in an organization as well,” Wyatt said. “The technical risk is translated into a busines risk, but unless we can communicate the vulnerabilities to show how it could impact revenue generation, they’re not going to care. We have to present our findings to the decision-makers so they understand it as both a busines risk and a cybersecurity risk.”

Clients are often stunned when the Red Team finds vulnerabilities. Typically, those weaknesses are linked to simple errors. Poor password choices top the list.

“Some of them really are shocked,” Heyen said. “They couldn’t believe we cracked passwords that were 16 characters long. But that’s often because they used dictionary words.”

The good news, Heyen said, is that clients respond.

“After we’ve done an assessment, they always put a password policy in,” Heyen said. “So the second time we do an assessment is never as easy. They learn very quickly.”