Category Archives: Operations

E-Verify Reminder – Department of Homeland Security – Q4 2018

Reminder: Employers may not terminate employees because of a Tentative Non-Confirmation (TNC)

You may not terminate or take any other adverse action against an employee because of Tentative Non-Confirmation (TNC) until the Social Security Administration (SSA) and/or Department of Homeland Security (DHS) has reviewed the case and the TNC becomes a Final Non-Confirmation.

Resources for more information on TNCs:


EMPLOYMENT ELIGIBILITY VERIFICATION (EEV) SERVICES

US Infrastructure: An Achilles Heel / SCADA exposure will short-circuit our utilities!

  • What is it?
  • Where are the vulnerabilities?
  • What should be considered?
  • Resources

Supervisory Control And Data Acquisition (SCADA) networks pervade the industry. These small microcontroller systems are used to control large industrial machines and systems. SCADA systems are predominantly used for monitoring industrial systems, often in remote locations.

Typically, remote terminal units and Programmable Logic Controllers are connected to enterprise networks using a “telemetry” network. Where the telemetry network meets the enterprise computer network, gateways permit two-way communications between the SCADA network and the traditional corporate network.

SCADA systems were designed to be highly efficient, but they were not necessarily designed with security in mind. Because security was not the primary consideration, SCADA telemetry networks may be highly vulnerable to exploitation. Because SCADA systems control and provide feedback on industrial processes, exploitation of these systems could seriously disrupt key industrial processes, such as power generation, lift and crane systems, and transportation systems.

There are numerous entry points to SCADA telemetry networks:

  • Compromise of WLAN and/or wireless networks that connect SCADA systems to each other and to control systems;
  • Compromise of gateways from traditional computer networks to the SCADA network;
  • Improper physical access to key control systems;
  • Access to telemetry networks and modification of command-level traffic (typically this traffic is unencrypted);
  • Application-level vulnerabilities in SCADA control software;
  • SCADA traffic encapsulated in TCP/IP and transmitted over public networks.

These vectors are but a limited selection of the entry points for SCADA networks. Because of the traditional use of SCADA networks, encryption of traffic between endpoints is often forgone.

The most memorable SCADA attack was STUXNET (1).  STUXNET attacked the centrifuge control SCADA systems in Iran, rendering them useless.

Organizations need a structured approach to securing SCADA systems.

While firmware manufacturers may be slow to respond to security requirements, organizations must take the following preventive initiatives:

  • Implement simple but effective controls that separate SCADA networks from general computer network systems.
  • Monitor SCADA system activities for abnormal conditions.
  • Upgrade and assess SCADA firmware on a regular basis.
  • Where bounds checking has been implemented (for controller movement such as stepper-motor controlled systems), the configuration scripts for SCADA devices must cover movement bounds to avoid damaging control hardware.

Finally, while there are many technological aspects to controlling SCADA systems, we cannot overlook the human element.

Originally released in part by VIMRO,
Larry Boettger
and
Michael Horsch Fizz

Resources:

SCADA 2019 Tech Summit: August 28 – 29, 2019
Westin O’Hare: 6100 N River Rd, Rosemont, Ill. 60018


Additional Resources:

SCADA News:


(1) AN UNPRECEDENTED LOOK AT STUXNET, THE WORLD'S FIRST DIGITAL WEAPON

They will bypass your best computer security system in ten minutes.

Social Engineering
The Evil Art of Human Hacking

Social engineering is a technique hacker’s use to take over an account by persuading or psychologically manipulating people to divulge confidential information. This is usually the first step within a more complex scheme. Social engineering uses “confidence building” techniques to set the victim at ease and convince him or her that the attacker is legitimate and presenting a valid scenario.

Social engineering is very common and occurs regularly; it is so pervasive, in fact, that two prominent internet companies, GoDaddy and PayPal, recently fell for a carefully crafted social engineering attack. This attack enabled unauthorized parties to hijack the account of a significant user and, through that breach, to access other confidential accounts. Cases like this “should have thrown up red flags for any Internet company dealing in identity,” reports techcrunch.com. “These are not new tactics and they should be guarded against as a very basic precaution.”

More alarming than the frequency of social engineering attacks is the relatively low risk for the attacker, who can disengage at any time simply by hanging up the phone or deleting the address used to send fraudulent emails. When this low risk is combined with the inviting ratio of success to failure, social engineering becomes an attractive alternative to much riskier fraud that requires facing your victim.

The means to defeat social engineering, however, are relatively simple if you understand what social engineering is: social engineering is a con. It relies on the victim’s reluctance or inability to question the authenticity of the attacker. Once that authenticity is questioned, the attacker must deviate from their “script” and flounder to avoid being discovered. The more you drive the attacker off the script, the more information you can gain; proportionally, this increases the risk to the attacker. Five simple steps can help you avoid becoming a victim of social engineering:

  • Question the authenticity of every communication. This is especially true if you are asked for information such as usernames, passwords, or other sensitive data.
  • Do not be afraid to validate the caller. Advanced social engineers will set up “bounce” numbers; these are phone numbers that are answered by co-conspirators who serve to falsely validate the authenticity of the caller. You can avoid this trap by instead calling a number you know to be legitimate, such as the published number for a company or the internal extension for the employee’s supervisor.
  • Insist on two-way validation. If someone asks you for your information, ask them for their information about you. For example, if a caller identifying himself as an IT technician asks for your information, ask what equipment his database reports for you. Then request from him his supervisor’s name, which you can validate in an employee directory, and call that supervisor to validate his request.
  • If you have identified a social engineering attempt, be sure to communicate your finding to management; news of this attempt should then be shared companywide to limit the attacker’s possible success.
  • Validate through testing. Every organization should, as one component of a thorough penetration test, evaluate employee readiness for social engineering attempts. A firm well versed in social engineering testing will go beyond mere phone calls, employing a multitude of techniques to perform extensive tests in this discipline.

Originally released in part by VIMRO,
Larry Boettger
and
Michael Horsch Fizz


Schedule an Introductory Consult

Contact Us