John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them. Normally, Strand embarks on these missions himself or deploys one of his experienced colleagues at Black Hills Information Security. But in July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack.

Then 58, she had signed on as chief financial officer of Black Hills the previous year after three decades in the food service industry. She was confident, given that professional experience, that she could pose as a state health inspector to gain access to the prison. All it would take was a fake badge and the right patter.

"She approached me one day and said 'You know, I want to break in somewhere,'" says Strand, who is sharing the experience this week at the RSA cybersecurity conference in San Francisco. "And it's my mom, so what am I supposed to say?"

That's not as easy a call as it might sound. Penetration testers always say that you can get amazingly far with just a clipboard and some confidence, but a novice run at a state correctional facility is just plain daunting. And while pen testers are contractually permitted to break into a client's systems, if they're caught, tensions can escalate quickly. Two pen testers who broke into an Iowa courthouse as part of their job recently spent 12 hours in jail after a run-in with local authorities.

Rita Strand's mission would also be complicated by her lack of technical expertise. A professional pen tester would be able to assess an organization's digital security in real time and plant back doors tailored to what they found on the specific network. Rita had the health inspector guise down cold, but she was no hacker.

To help get her in the door, Black Hills made Rita a fake badge, a business card, and a "manager's" card with John's contact info on it. Assuming she got inside, she would then take photos of the facility's access points and physical security features. Rather than have her try to hack any computers herself, John equipped Rita with so-called Rubber Duckies, malicious USB sticks that she would plug into every device she could. The thumb drives would beacon back to her Black Hills colleagues and give them access to the prison's systems. Then they could work on the digital side of the pen test remotely while Rita continued her rampage.

"For most people, the first couple of times they do this they get really uncomfortable," Strand says.

Prison cybersecurity is crucial for obvious reasons. "If someone could break into the prison and take over computer systems, it becomes really easy to take someone out of the prison."

The morning of the pen test, the Strands and some colleagues carpooled to a café near the prison. Over a preparatory caramel roll and slice of pecan pie, they set up a war room of laptops, mobile hot spots, and other gear. When everything was set, Rita drove off to the prison on her own.

"She takes off, and I'm thinking in the back of my head that this is a really bad idea," Strand says.