BreachExchange mailing list archives

Lessons from penetration testing: four simple IT security mistakes that leave a business vulnerable


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 12 Jan 2016 19:25:30 -0700

http://www.continuitycentral.com/index.php/news/technology/793-lessons-from-penetration-testing

With businesses dedicating more time and resources to cyber security,
deploying increasingly advanced and robust solutions, and running ever more
complex networks, you could be forgiven for thinking that most breaches are
the result of a vulnerability buried deep in the code of some piece of
software, one that would take weeks or months to uncover and exploit. The
reality couldn't be more different, and in my experience it is often basic
oversight that leaves an organization vulnerable.

These often simple errors undermine even the most advanced and complex
security deployments, leaving a network open to attack. In my work as a
penetration tester I see the same mistakes made time and time again. Let's
take a look at four of the most basic errors or oversights that we encounter
during testing and that leave organizations unnecessarily vulnerable to a
breach.

Password sharing

It is well documented that weak passwords are an attacker's first target,
especially once they have collected a cache of usernames or password hashes.
Businesses are starting to tackle the issue, introducing measures to ensure
that employees choose passwords of adequate strength.

However, password problems are not limited to strength. Password sharing,
meaning an employee using the same password for different logins, is the
undoing of many organizations during penetration testing. Internally this
includes employees using the same password for everyday access to their
machine and the network as they do for more privileged, sensitive parts of
the network and for logging into third-party supplier portals. This not only
makes an attacker's job easier, since a single captured password can be
reused to traverse the network, but also leaves the business exposed if one
of its suppliers is breached and the attacker reuses the stolen credentials
against corporate systems.

To stress this point, our consultants often gain access to corporate
systems on penetration tests using public 'leaks' of credentials from
previous breaches of other companies' systems with which internal employees
share passwords. So it is vital that organizations encourage all employees
to use a completely unique password for each system and service. The same
should be promoted for any online services employees use outside company
systems, with each and every website or service having its own unique
password. There are many good password management tools available that can
help with this.

Exposed administrative interfaces

Most organizations that we visit go to great lengths to test their security
policies and solutions internally to limit their exposure to
cyber-criminals. They will test code and its integration with the network
and other applications, but in paying meticulous attention to every detail
they risk losing sight of the bigger picture and making an error that
leaves them exposed.

The most common error that results from this mind-set is an administrative
interface that is left exposed to attackers. As an example, I recently did
a penetration test for a large organization that had just launched a new
website. Following initial testing the website appeared to have been well
secured, but after further probing we were able to find the files for the
test site, which included a link to an administrative interface with weak
credentials set. This enabled us not only to take complete control of the
website but also to gain access to the company network by compromising the
web server. While the developers and IT team had gone above and beyond to
ensure the site wasn't susceptible to other common attacks, or didn't create
a vulnerability for the wider business, one oversight had left an otherwise
secure site vulnerable.

The key recommendation here is to ensure that all 'test' functionality is
removed before websites and systems go into production. In addition,
administrative interfaces should only ever be reachable from trusted
networks (such as the LAN or the VPN), with strong credentials set for
every account.
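The primary control for the recommendation above is at the network edge (firewall or reverse proxy), but an application-level guard catches the case the article describes, where a leftover test path links to an admin interface nobody remembered to restrict. The following is an added example, not code from the article or any product it mentions: a WSGI middleware that serves /admin and /test paths only to addresses in assumed LAN and VPN ranges and answers 404 to everyone else. The CIDR ranges, path prefixes and demo application are assumptions for the demonstration.

```python
"""Application-level guard: protected path prefixes are served only to trusted
networks; everything else receives a 404. Defence in depth behind the network
controls, not a replacement for them.
"""
import ipaddress
import posixpath

# Assumed LAN and VPN address ranges; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Prefixes that must never be served to untrusted addresses. Leftover test
# sites sit alongside admin because that is what linked to the admin UI.
PROTECTED_PREFIXES = ("/admin", "/test")


def normalise(path):
    """Collapse '..' and '//' so /public/../admin or //admin cannot slip past a
    prefix check (WSGI already percent-decodes PATH_INFO). Lowercased so the
    check errs on the side of denying."""
    collapsed = posixpath.normpath("/" + path).lstrip("/")
    return ("/" + collapsed).lower()


def is_protected(path):
    """Exact prefix or prefix plus '/', so /testimonials is not caught by /test."""
    p = normalise(path)
    return any(p == pre or p.startswith(pre + "/") for pre in PROTECTED_PREFIXES)


def is_allowed(path, remote_addr, trusted=TRUSTED_NETS):
    """True if the request may proceed. Fails closed on an unparseable address."""
    if not is_protected(path):
        return True
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def restrict_admin(app):
    """WSGI middleware. Uses REMOTE_ADDR only: X-Forwarded-For is attacker
    controlled unless a trusted proxy is known to overwrite it."""
    def middleware(environ, start_response):
        if not is_allowed(environ.get("PATH_INFO", "/"), environ.get("REMOTE_ADDR", "")):
            # 404 rather than 403: do not confirm to outsiders that the path exists.
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found\n"]
        return app(environ, start_response)
    return middleware


def demo_app(environ, start_response):
    """Stand-in for the real site; everything behind the guard answers 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def request(app, path, remote_addr):
    """Drive a WSGI app with a minimal environ; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    guarded = restrict_admin(demo_app)
    for path, addr in (("/", "203.0.113.7"), ("/admin/", "203.0.113.7"),
                       ("/public/../Admin", "203.0.113.7"), ("/admin/", "10.1.2.3")):
        print(f"{path:20} from {addr:14} -> {request(guarded, path, addr)[0]}")
```

Two details matter in practice: the path is normalised before the prefix check, because prefix matching on the raw request line is exactly the kind of check a traversal-style path defeats, and the source address is taken from REMOTE_ADDR rather than a forwarded header, which an outside client can set to any LAN address it likes.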

Unprotected smart devices

The Internet of Things is undoubtedly in its infancy, and organizations are
still getting to grips with the implications of Internet-enabled devices
entering the business environment. This has not stopped them permitting
Internet-connected appliances within the business, creating a targetable
soft spot in their network infrastructure.

As an example, some of our recent projects have demonstrated weaknesses in
smart TVs that can be compromised in one of two ways: via a Wi-Fi
connection or, quite commonly, via their Bluetooth functionality. Such an
attack can originate from outside the physical perimeter. Once the TV is
compromised it can be used as a stepping-stone into the corporate network
or turned into a listening device for attackers to cultivate company
information.

Organizations can avoid common weaknesses in smart devices by disabling
unnecessary functionality (cameras, Bluetooth, Wi-Fi, etc.) and keeping the
devices patched, just as they would any other corporate system. They should
also be hardened like any other device, for example by changing default
passwords and settings.

Subverted business logic

The logic many IT teams apply when deploying a solution is to check that the
new software integrates with existing systems, delivers the innovation the
business needs, and is protected by a layer of security. It resembles a
flow chart of check-boxes, and in many cases it is standard operating
procedure for IT departments.

This approach, however, ignores the logic a cyber-criminal will apply when
targeting an organization, and relies on the assumptions of people who have
no intention of breaking into a network. An attacker plays by a different
set of rules: they look for ways to subvert the development team's
reasoning, and to turn the very technology deployed to protect the
organization against it.

When deploying or developing new solutions and applications, organizations
must approach security from the perspective of a would-be attacker. Doing so
levels the playing field and catches many vulnerabilities before they reach
production.

With businesses investing heavily in cyber security, it is imperative that
they don't render that investment worthless through basic oversights and
mistakes. With these tips in mind, businesses can help ensure they don't
fall foul of the one vulnerability they forgot.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
