After the city and county of Denver experienced a distributed denial-of-service attack earlier this year, the municipality’s IT security leader called a meeting with the broader organization to examine the incident.
Part of the discussion focused on how to best prepare for a similar – or even more extreme – event in the future. One way to mitigate the risk of such a crisis, the group decided, was to create an outlook of possible future attacks, similar to the way a weather forecast attempts to predict stormy conditions ahead.
Of course, the timing of security incidents is largely random and unpredictable. But for Denver Chief Information Security Officer Stephen E. Coury, certain dates on the calendar stood out as riskier than others. Particularly one: Election Day.
So Coury and his team got to work on helping ensure security of the Mile High City’s election network for a day when exactitude means everything, especially amid a high-profile U.S. presidential race – the results of which the whole world will be anxiously awaiting. Denver’s decision to beef up security was only affirmed when the FBI announced in late August that it was investigating intrusions against two state election databases that were possibly linked to state-sponsored actors. Or when two months later, reports emerged that hackers may have probed the election systems of more than 20 states.
“The greatest risk for us is if we could not post election results within the required timeframe (by the state),” Coury said. “There would be a voter confidence issue. If we were under attack or if we had something that messed up our network connection, it would shake up the confidence that is critical in accomplishing our mission. We have an obligation to be diligent.”
Denver has had a long-standing relationship with Trustwave for PCI compliance services, which include twice-a-year vulnerability scans. But the largest city in Colorado had never before partnered with Trustwave to also test other parts of its internal network not touched by payment card information.
“I have pretty limited resources,” Coury said. “We’re pretty much saturated, so to do this extra work could put gaps somewhere else. Plus, my team doesn’t do penetration testing on a regular basis, so we felt it would be better to get someone in where this is their business.”
The objective of the internal penetration test of Denver’s election network – carried out as part of the Trustwave Managed Security Testing service – was to determine if Denver’s current network security controls were vulnerable to an actionable attack from an attacker that had gained access to the network either physically or virtually. This level of testing validates corporate security policy and development standards by attempting to identify how resilient the internal network is to determined attackers.
“It’s where the rubber meets the road,” Coury said of pen tests. “The only way you’re really going to know (if you’re vulnerable) is with some tests.”
The city and county considered two other vendor bids for the election pen testing project, but Coury did not have a prior relationship with them as he did with Trustwave, he said. As a result, signing on with Trustwave was an easy decision.
John Hoopes, a SpiderLabs managing consultant at Trustwave who worked on the engagement, said he was pleased to see Denver taking such a proactive approach – especially amid a culture in which compliance requirements and prevention-focused perimeter security still garner a disproportionate amount of investment from many organizations.
“PCI has oriented security dollars in an organization toward credit card data,” Hoopes said. “They end up pushing a lot of their security budget over to the parts of the network that handle credit cards. The question then arises: Are they applying enough security into the other places?”
Focus on “non-air-gapped” networks
For more than a decade, as electronic voting (commonly referred to as e-voting) has risen to prominence, security researchers have been carefully studying ballot systems for vulnerabilities that could lead to compromise. Much of that work has centered on the machines themselves. But Coury’s concern, he said, lied with “non-air-gapped portions of the network that support elections.”
“Our exposure on the voting machines is pretty thin and that’s mainly because most of the ballots come in by mail,” he said, adding that those endpoints are physically isolated from the public internet and are adequately protected by already-existing security controls.
The primary apprehension of Coury and his team of around a dozen security and GRC professionals centered around the network that links to the Colorado Secretary of State’s Office, which oversees elections across the Centennial State. Coury explained that part of Denver’s network must connect to the state to deliver both precinct totals and access voter registration records so they can be cross-checked against paper ballots that residents fill out.
“It’s to validate that the ballot came from a valid voter and the signature matches the official signature that is on file,” he said. But with this part of the network publicly exposed, a simple scan of IP space could lead hostile intruders to the front door. Or they could hypothetically back their way in: by reaching the election network through a lateral advancement from some other part of the city and county’s network, which they could have accessed, for instance, through a social engineering attack.
A successful compromise of the election network could interfere with the reporting of results or enable sensitive data theft. Or both.
The Trustwave pen test engagement, which was performed remotely through a virtual remote penetration test appliance installed on one of the municipality’s workstations, involved several days of attempting to elevate privileges and conduct a bevy of attacks on the network, including IP redirection, session hijacking, password capture, spoofing and man-in-the-middle attacks.
“The methodology we followed for this pen test was our standard methodology in terms of network pen tests,” said Allen Douglas, a SpiderLabs managing consultant at Trustwave who assisted on the project. “It doesn’t matter what the data is – we’re just trying to get a hold of it.”
Pen tests try to simulate how an attacker might operate. Engagements typically start with a client consultation to determine the scope of the test. Once that is agreed upon, the test generally consists of reconnaissance, scanning, exploiting vulnerabilities and maintaining access. Each system that is compromised is examined for the existence of critical data and files. Findings, methods and other data obtained during the engagement are documented throughout the testing process in the Trustwave Managed Security Testing reporting portal and conveniently shared with the client.
“Trustwave has always delivered for us”
Hacking election systems may have been only theoretical as recently as just a few years ago, but that has all changed. While successful infiltrations are unlikely to be commonplace, the potential is there.
“We’d say, in general, the average bad guy wouldn’t have access to any of the equipment involved here [to compromise the election network],” Trustwave’s Hoopes said. “But when you talk about nation-states, they actually have the resources to figure out what the city and county of Denver uses, and can create an exploit.”
Coury emphasized how important it was to devote budget dollars toward the project.
“For PCI, I have to be on top of that thing every day,” he said. “I need Trustwave to help me get my report on compliance. Securing our election network is one of those things that just comes up. After November, nobody will think about it. But right now, it’s crucial.”
Better to be safe than sorry, Hoopes said “There’s no return on investment that anyone can see if the election doesn’t get hacked. But if it does, major things can happen.”
Testing for security vulnerabilities remains a lost art for most organizations. A recently released Osterman Research survey report conducted on behalf of Trustwave found that nearly one in five enterprises haven’t performed any security testing in the past six months. This laissez-faire attitude essentially amounts to a repudiation of how ubiquitous dangerous security holes are across one’s IT environment. These weaknesses can range from easily crackable passwords to configuration errors to unpatched software.
A majority of organizations recognize the value of security testing – two-third consider it a best practice, according to the Osterman Research report – but fewer than one quarter call themselves “very proactive” when it comes to doing it. A primary driver for this inaction is the lack internal resources, particularly skilled personnel, that are available to organizations to execute these tests.
Coury understands both the importance of testing his entire IT environment, as well as the value of delegating certain security responsibilities to third-party experts. That way, he and his team can devote their time to supporting and enabling the 50-plus city and county agencies under Coury’s security watch.
“Trustwave has always delivered for us, and they’ve always found something,” he said. “Elections are the first thing we came up with the money for. We also have television networks, police surveillance, building control systems – all these other networks that will need testing too. I don’t have the in-house resources to cover them adequately.”
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.