Penetration Test - Survey the Target(12)

Weaknesses in Specialized Systems

• ICS(Industrial Control Systems)
  • Environment conditions
• SCADA(Supervisory Control and Data Acquisition) -
  • SCADA is the control system that interfaces with industrial processes
  • SCADA is often a turnkey layered software
  • PLC(Programmable Logic Controllers) - PLCs are the electronic boards(s) that power the manufacturer's processes
• Mobile - lack of updates, compromised settings, dangerous apps, etc.
  • Rooting/Jailbreak a device makes it open to security breaches
  • Beware of mining activities
• IoT(Internet of Things) - default (weak) security (wide open)
• Embedded
• Point-of-sale system
  • Attractive due to connection to payment devices(cash, readers, etc.)
• Biometrics -accuracy is still evolving
  • What if primary reader fails to detect?
  • What is the manual process? Pressure and urgency is always an aspect of social engineering.
• Application constrainers
  • Containers and VMs are not foolproof sandboxes
  • Compromising(breaking out) may allow access to external resources
• RTOS(Real-time operating system)
  • Designed to provide fast, lightweight services, not security.

QUICK REVIEW

• ICS and SCADA systems often lack current security patches

• Mobile and IoT devices are often configured for convenience over security

• Any device that handles payments is an attractive target