Commercial enterprises are putting our critical infrastructure at risk

04.05.2012

"The oil and gas sectors are thinking more organically than the others," Cianfrocca says. "The rest are pretty much wide open to compromise as they aren't being forced to implement nor prove they have the right security in place, plus they simply don't have the budget to invest in all of the security layers required."

With all of this in mind, let's look at some of the security weaknesses that continue to enable hackers to break into the enterprise infrastructure, which may ultimately lead them to critical infrastructure:

* Application code vulnerabilities: With an average of 10% of code containing vulnerabilities, this is by far one of the more prevalent weaknesses that can be leveraged. The vulnerable systems don't have to be public-facing in order for an attacker to take over; access to an "internal" system could be gained using SQL injection, a cross-site script, or even a remote file include. A hacker that arrives within a trusted partner network could, from that system, scan and probe any connected critical infrastructure systems and networks for other known application vulnerabilities.

* Weak and recycled account passwords: In 2011, according to Tim Brown, CTO of CSID, the team at CSID collected more than 10 million records containing compromised identity information exposed by data breaches, which is now in the wild and available for sale or trade on the black market. More than eight million of these records contain email addresses with passwords, and many of these compromised accounts are directly related to corporate accounts. Gartner analyst John Pescatore says that "a lot of Anonymous' recent success has been in attacks where they have obtained users' passwords to external services and then found the same passwords in use at sensitive internal or in email systems. What I think we are seeing is really what I like to call 'the curse of the reusable password.'" Using an account list extracted from a compromised enterprise coupled with a black-market purchase of account, email, and login information, a hacker could match these two sets of data together and attempt logins to critical infrastructure systems which are now discoverable via the trusted connected network that was compromised.
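The first weakness above names SQL injection as a way into an "internal" system. The following added example, which is not part of the original article, shows the defect beside its fix: a lookup that splices untrusted input into the SQL text, and the same lookup with a bound parameter. The table, rows and function names are constructed for the example and use Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed in-memory table standing in for an internal application's
# user store. Names, hashes and roles are made up for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [
            ("alice", "hash-a", "operator"),
            ("bob", "hash-b", "viewer"),
            ("carol", "hash-c", "admin"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defect: the caller's input becomes part of the SQL statement itself,
    # so a crafted value can change the query's structure (e.g. make the
    # WHERE clause always true) instead of only supplying a comparison value.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Fix: the value is bound by the driver as a parameter. Whatever the
    # input contains, it is only ever compared against the username column.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def count_rows_returned(conn, username):
    # Helper for comparing the two variants side by side: how many rows does
    # a single-user lookup hand back for the same input?
    return len(lookup_vulnerable(conn, username)), len(lookup_hardened(conn, username))


if __name__ == "__main__":
    db = build_db()
    for value in ("alice", "x' OR '1'='1"):
        vulnerable, hardened = count_rows_returned(db, value)
        print(f"{value!r}: vulnerable returns {vulnerable} row(s), hardened returns {hardened}")
```

The second input is the classic tautology: the vulnerable variant returns every user in the table, including the admin account, while the parameterized variant returns nothing because no username literally equals that string. Parameter binding is the structural fix; input allowlisting and least-privilege database accounts are the layers a reviewer would expect around it.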
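The second weakness above is the "curse of the reusable password": a password leaked from an external service being valid on an internal system. The added example below, not part of the original article, is the audit a defender can run offline against their own directory: for each breached (email, password) pair, verify the leaked password against the matching internal account's salted PBKDF2 hash and flag any account where it matches, so that account can be forced to reset. The account list, breach records, and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Iteration count kept low so the example runs quickly; a production
# directory would use a far higher setting.
PBKDF2_ITERATIONS = 50_000


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Derive a salted PBKDF2-HMAC-SHA256 hash for a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_record(password):
    """Create a directory entry: a random per-account salt plus the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def build_directory():
    # Constructed enrollment data. A real directory holds only the salted
    # hashes; the plaintext here exists solely to build the example.
    enrolled = {
        "alice@example.com": "Spring2012!",
        "bob@example.com": "correct horse battery staple",
        "carol@example.com": "Tr0ub4dor&3",
    }
    return {email: new_record(pw) for email, pw in enrolled.items()}


# Constructed stand-in for records bought or dumped from an external breach.
BREACH_RECORDS = [
    ("Alice@Example.com", "Spring2012!"),  # same password reused internally
    ("bob@example.com", "hunter2"),        # different password: no hit
    ("dave@example.com", "letmein"),       # no matching internal account
]


def normalize_email(email):
    return email.strip().lower()


def find_reused_credentials(directory, breach_records):
    """Return the sorted list of internal accounts whose stored hash
    verifies against a password found in the breach records."""
    flagged = set()
    for email, leaked_password in breach_records:
        account = normalize_email(email)
        record = directory.get(account)
        if record is None:
            continue  # leaked identity does not exist internally
        candidate = hash_password(leaked_password, record["salt"])
        # Constant-time comparison, the same as a login check would use.
        if hmac.compare_digest(candidate, record["hash"]):
            flagged.add(account)
    return sorted(flagged)


if __name__ == "__main__":
    directory = build_directory()
    for account in find_reused_credentials(directory, BREACH_RECORDS):
        print(f"force password reset and review recent logins: {account}")
```

Because the check is performed against the internal salted hashes, the audit never needs the internal plaintext and can be rerun as new breach corpora appear. Accounts it flags are exactly the ones the article describes: an external credential that would have worked on the inside.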