In Mr. Robot Season 2 Episode 4, as Darlene and Elliot watch a horror movie, Darlene suggests calling a dinner delivery service called Postmates - a service she hacked using code injection. As they chat, Elliot recalls his previous job. He remembers the details of his pen testing projects, and says it was his job to keep hacking until the company’s systems were “hacker proof.” I asked myself, what is “hacker proof” and is such a thing even possible?
What is “hacker proof”?
The answer I came up with is that “hacker proof” must be like “waterproof.” When you buy a waterproof watch or phone case, the “proof” is more like “resistance,” meaning the device is only waterproof to a certain depth. When you learn to scuba dive, you are taught that our atmosphere exerts 14.7 psi (pounds per square inch) at sea level. Therefore every 33 feet under water, your body has another atmosphere of pressure exerted on it. The watch or camera case may be waterproof to 33 feet before the pressure will override the seals. So the device is water resistant to 33 feet, or 1 atmosphere. The more expensive the watch or case, the more atmospheres of pressure, but the device is not waterproof - not at all. A similar case can be made for making a system or network “hacker proof.”
Postmates was obviously not “hacker proof,” as Darlene was able to hack one of their proxies, and gets the proxy to send users to her affiliate link so she could get credit for referring customers to the Postmates website. The net result is that Darlene receives a $10 coupon anytime anyone places an order. Code injection is a common goal of malicious users, as they look to compromise a popular website and modify the code using an IFrame or inject some JavaScript. Then the malicious code is executed each time the web page is launched in a browser. Nessus® has several plugins used to identify malicious URLs on web pages, such as Web Site Links to Malicious Content (52670). Malicious users may also post a comment in a blog or other feedback systems to inject the malicious code. Users of SecurityCenter™ and Nessus can use this plugin - and many other plugins - to review website content for malicious activity. SecurityCenter users can also download the Web Services Indicator dashboard to easily monitor for security issues related to web services.
Multiple defenses
The security industry has talked about defense-in-depth for several years. While some professionals say the concept is no longer effective, others say the practice is still alive and proves its worth each day. However just like the “waterproof” watch, you need to consider to what depth is your system hacker proof? Can your system resist one level of compromise, two levels, or three? Securing a network is not a single solution; your security plan must include several layers, such as firewalls, IDS, anti-virus, and many more, which may protect you up to one or two compromises deep. However, some of the best security solutions are often not implemented, because the solutions can be hard to manage and administer. Implementing hardening standards that are suggested by organizations such as the Center for Internet Security (CIS) or National Institute of Standards and Technology (NIST) can provide some of the most effective security controls.
Customers using SecurityCenter and Nessus have the ability to scan systems for hardened configurations using over 400 audit files provided by Tenable. The audit files are created using guidelines from CIS, NIST, PCI DSS, and many other governing bodies. When combining hardening systems with good patch management and other security solutions, an organization can have a more “hacker resistant” system; should one layer fail, there are other layers to further protect the system.
Continuous visibility
Later in the episode, Elliot says that accepting help is not Darlene’s strong suit. He then suggests that everyone has a problem accepting help, and says that the only way to deal with a vulnerability is by exposing it first, meaning that you can’t solve the security problem if you don’t know about the problem. Tenable SecurityCenter Continuous View™ constantly analyzes information from five sensors: Active Scanning, Intelligent Connectors, Agent Scanning, Passive Listening, and Host Data - providing the help needed by organizations to have a more complete and honest view into the operational risks related to information security. Tenable’s continuous visibility and multiple sensors go a long way to help you answer the question, “Are we hacker proof?”