There are many more “mistakes” that I could write about that need fixing within many companies’ IT security programs, but these three are the ones I suggest you start fixing first. If you just implement measures to curb these three alone, your networks and data will have a much higher degree of security.
1. Companies Should Focus More On Egress Filtering
Most corporations spend their IT security program time and resources focusing on ingress filtering, making sure that the internal network cannot be accessed from the Internet and attacked. While this is important, it is often done to the detriment of egress filtering. Egress filtering is important for two reasons: first, it is an essential part of data loss prevention (DLP), stopping rogue employees from sending your data out of the network; second, it stops bots and malicious software from making a connection out to their control servers. The second point is where I want to focus.
During the social engineering portion of a penetration test, one of my main goals is to get a malicious piece of software onto an employee’s PC. This piece of software will then talk out of the network to my server and allow me to not only control that PC, but to also pivot from there to the rest of the internal network. Black Hat hackers have the same intention, however, if the network has very strong egress filtering and does not allow outbound connections, the software is almost useless and the internal network is protected from attack. At SunGard, we highly recommend that our clients spend time strongly filtering outbound connections and then testing to see whether, in a range of scenarios, a connection can be made out of the network.
2. Companies Forget About The Local Administrator Password
Most clients believe that they do not reuse passwords and, in fact, they may have a well-developed password policy program. However, there is one vital area that is generally missed: the local administrator password. Time and again, I have seen that the local administrator password on the PC is the same as the local administrator password on servers and even domain controllers.
Imagine this scenario: an attacker gains access to a PC. This may happen by booting it from a USB drive and dumping the hashes, through a social engineering attack that gave access to the PC, through a malicious user, or in any number of other ways. In reality, the password is obtained not in a readable format but hashed. An unknowing person may say, “My password hashes can’t be cracked with anything but the largest rainbow tables!” But an attacker doesn’t need to crack the hash; they can simply replay it with freely available tools to reuse it on another system.
Now that the attacker has a local administrator password hash, they replay it to the domain controller, not to the domain administrator account, but to the local administrator account. Very often, I find that it is the exact same password. More often, the local administrator password will be usable on servers and always on other PCs, including the IT staff’s PCs, that hold all sorts of juicy information.
At SunGard AS, we highly recommend ensuring that your IT security program puts solutions in place to avoid this scenario, and then to specifically run tests to ensure that it cannot occur.
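One way to test for the reuse described above without cracking anything is to compare the local Administrator hashes exported from each host and flag any hash that appears on more than one machine. The following Python audit is an added example, not code from the original post or from SunGard; the inventory format, host names, roles and hash values are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: (host name, role, hex hash of the built-in
# local Administrator account as exported by a management tool). The hash
# strings are made up for this example and correspond to no real password.
SAMPLE_INVENTORY = [
    ("WS-001", "workstation", "a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    ("WS-002", "workstation", "a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    ("WS-IT-07", "workstation", "a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    ("FS-01", "server", "a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    ("DC-01", "domain_controller", "a1b2c3d4e5f60718293a4b5c6d7e8f90"),
    ("DC-02", "domain_controller", "0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    ("WS-003", "workstation", "ffeeddccbbaa99887766554433221100"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def find_shared_hashes(inventory):
    """Group hosts by local Administrator hash and keep only reused hashes.

    Returns {hash: sorted list of (host, role)} for each hash seen on more
    than one host. Hashes are compared as opaque strings; nothing is cracked,
    which mirrors the point that an attacker never needs to crack them either.
    """
    by_hash = defaultdict(list)
    for host, role, nt_hash in inventory:
        by_hash[nt_hash.lower()].append((host, role))
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


def severity(hosts):
    """Rate a reuse group by the most sensitive host that shares the hash.

    A domain controller in the group is the scenario from the post (critical);
    a server is high; workstation-only reuse still allows lateral movement
    from PC to PC, so it is rated medium rather than ignored.
    """
    roles = {role for _, role in hosts}
    if "domain_controller" in roles:
        return "critical"
    if "server" in roles:
        return "high"
    return "medium"


def report(inventory):
    """Return [(severity, hash, [host names])], worst findings first."""
    findings = [(severity(hosts), h, [host for host, _ in hosts])
                for h, hosts in find_shared_hashes(inventory).items()]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for sev, h, hosts in report(SAMPLE_INVENTORY):
        print(f"[{sev}] hash {h[:8]}... shared by: {', '.join(hosts)}")
```

Feeding the audit the real export from your password management or inventory tooling, then re-running it after rolling out unique per-host passwords, gives you the specific test this section recommends.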
3. Companies Leave Unpatched Systems Around
Although most companies today seem to have some sort of patch management program in place, I still see many with one or two systems that do not have the latest patches. In fact, most penetration testers wonder aloud to each other why the Microsoft MS08-067 vulnerability is still unpatched on so many systems. This is a vulnerability from 2008, which is 5 years old! An attacker just needs a foothold on a network to cause real damage, and they only need one system on which to get that foothold. From that one system there are many things they can do. For instance, they can dump the local password hashes and replay them (see the previous point), view the password cache of users who have recently logged in to the system (helpdesk, admin staff, etc.), sit there and sniff the network via various techniques, look for useful information on the system that will help further the attack, and many, many more.
See more at: http://blog.sungardas.com/2013/11/the-top-3-mistakes-corporations-make-with-their-it-security-program/