The current state of security


I recently had the opportunity to travel to San Francisco, CA, to attend one of the largest cybersecurity conferences in the United States. This was, of course, the 2023 RSA Conference. I could honestly write pages about how great the sessions I attended were, how much I learned, or even how many of the 600+ vendors in attendance were doing something innovative or new. But instead of all of that, I want to talk about the overall issue that we were all there for, the reason you might be reading this article: the state of cybersecurity in our everyday lives.

Things have changed a lot in the 20+ years I’ve been in the IT industry. Attackers aren't just the lone wolves we've been led to believe they are for the last 30 years by the media. Attackers are organized, and organized quite well; RaaS (ransomware as a service) exists. Anyone with a Tor browser, half a brain and access to Google can navigate their way to the Dread forum and bumble their way into a dark web market. From there they can buy stolen logins that will provide unfettered access to an organization, or software that does the hard part for them. A well-crafted email and an unsuspecting recipient can open the floodgates and provide entry. Even small organizations like my own have become targets of lone individuals, large hacking groups, and even nation-state bad actors.

This isn’t new information; it has been well known for some time that these risks exist. Our individual information is easily bought and sold for pennies on the dollar on the dark web.

While in San Francisco, the day before the conference started, when my hotel was full of attendees and vendors, I was sitting significantly bored in my hotel room, and I decided to run an experiment.

How secure are these security professionals?

So what I decided was that I was going to log into my hotel’s free Wi-Fi network using my penetration testing laptop, and see what I could find. I remember thinking to myself as it made the connection: “There is no possible way that this is going to work”. Despite that thought, as soon as I connected to the network, I ran Nmap to see what other devices were living on the same subnet. Truthfully, I fully expected the results to be zero, because I assumed the hotel’s network security was configured correctly. Turns out I was wrong. In actuality I was sitting on a subnet with every other guest, connected to the hotel’s very flat Wi-Fi network.

As a penetration tester or an adversary, I was now sitting on a proverbial treasure trove of data. I didn't continue my test. Instead I contacted the hotel networking team and explained the issue... they were unaware of the misconfiguration, mostly because the front desk manager was acting as the network admin. This isn't a small "mom-and-pop" hotel. This is a billion-dollar-a-year major corporation, with a full networking team available to them. The GM just didn't want to spend the little bit of extra money to utilize their service.

My point here isn’t the amount of data I could have had access to. It isn't that I could have started capturing live packets. We need to be doing a better job teaching everyone that security is no longer just a problem for large organizations. Security is a problem for everyone. We share unbelievable amounts of data every day.

First and foremost, our jobs and responsibilities are to secure our networks and our users. A close second should absolutely be acting as security advocates for the public at large. If we aren’t evangelizing our own ethos outside of our own circles, we’re just as much of a problem as the attackers.
