David Anderson: “How I Hacked a Construction Company”
David Anderson is a featured speaker during the NASBP Annual Meeting & Expo on Tuesday, May 1, at 10:45 a.m.
As anyone in the surety industry knows, success in construction is all about risk management. But in today’s digital-centric world, potential threats extend well beyond the construction site. David Anderson knows this for a fact, because hacking into construction companies is part of his job as Manager, SAS Information Security, at CliftonLarsonAllen of Minneapolis.
“Our group performs these simulations for several organizations every week,” said Anderson, who has been with CliftonLarsonAllen for 6 years. “We have a team of ‘professional’ hackers around the U.S. that focuses on assessing the security posture of companies.”
CliftonLarsonAllen’s goal is to help organizations mitigate risk by recognizing, reacting, and responding to a cyberattack. “First, we want to understand the client’s environment; then, we test their systems to see how they respond and whether there are any issues (missing patches, misconfigurations, easily guessable passwords, etc.) that we can take advantage of,” Anderson said. “Finally, we assess the results to see what the risks are with the vulnerabilities we discovered and how the organization can better secure its environment.”
Anderson simulates the work of “black hat” hackers, who compromise systems and data for malicious purposes—often for financial gain or reputational ruin. “The activities of a black hat hacker are illegal,” Anderson said. “The key is that this person does not have permission to test the security of systems and this person does not have the company’s best interest in mind.”
Anderson’s simulations, on the other hand, are that of the legal, “white hat” variety. “A ‘white hat’ hacker, or ethical hacker, is someone who has permission to test the company’s security and is motivated to help the company,” he said.
Though no industry is immune to cyberattacks, construction companies are often targeted in the following ways:
1) Corporate Account Takeover (CATO). Hackers target digital resources used to facilitate financial transactions, such as online banking, wire transfers, bill pay, or payroll systems. “The hackers will get malware onto the construction company’s network, often through social engineering, such as email phishing,” Anderson said. “Then, the hackers will figure out who in the company can move money, such as the CFO or controller.”
The malware will then spread to that person’s computer, logging keystrokes and determining how and when the company uses its online financial systems. Once hackers understand this information, they may attempt to initiate fraudulent transfers to steal money. “This could be in the form of a wire transfer or a fake employee added to the online payroll system,” Anderson said.
In other cases, the process does not involve malware. “It is very common for hackers to spoof email messages to finance people, impersonate someone in authority (e.g., the CEO), and try to convince him or her to wire money out to a third party,” Anderson said.
2) Information Theft. “Construction companies have information that is valuable, whether it is employee data, bids, contracts, etc.,” Anderson said. “If a hacker successfully gets unauthorized access to the network, the hacker may look for this data in an attempt to steal and sell it to parties on the online black market.”
3) Ransomware. Ransomware, a type of malware designed to encrypt a user’s files and hold them for a payment, is often delivered via phishing emails. “The phishing email may contain a malicious attachment (e.g., Word, Excel, Zip) or a link to a malicious website designed to infect the computer,” Anderson said. Hackers often demand ransom payment within 72 hours in the form of digital currency, such as Bitcoin.
4) Credential Theft. Hackers often try to access employee credentials and remote corporate resources, such as webmail or virtual private networks. “Attackers can try to steal passwords through social engineering, creating fake websites that employees log in to or calling employees pretending to be someone from support,” Anderson said.
Defending Against Threats
To detect and prevent cyberattacks, surety professionals and their contractor clients should take the following precautions:
1) Prioritize User Education. Users need continuous training on how to recognize and respond to social engineering attacks. “Special education should be performed for individuals with high levels of access (such as the IT department) or access to highly sensitive information (such as finance, C-level, etc.),” Anderson said.
2) Use Two-factor Authentication (2FA). Every external website used by employees should require 2FA, a process that adds an additional layer of security before a user can access a system. “The most common 2FA implementation involves an employee’s username and password and a code from a smartphone app,” Anderson said. “This protects the online service so an attacker cannot gain unauthorized access just from stealing an employee’s password.”
3) Monitor Patching and Configuration Standards. Ensure systems are frequently updated with the latest patches and that vendor configuration guides are used to strengthen systems from default settings.
4) Implement Backup Best Practices. A good backup policy can help a company recover more easily from a ransomware attack. “Have your IT department periodically test and recover files from their latest backup,” Anderson said. For planning purposes, document how long it takes to restore all files from backup. Finally, ensure the backups are protected and segmented so they cannot be encrypted through a ransomware attack.