Pragmatic Network Security - Avoiding Real-World Vulnerabilities


Description

Peter Wood and his team analysed the results from a series of network penetration tests over the past two years, in a variety of sectors including banking, insurance and retail. They identified the most common vulnerabilities, how they can be exploited and the consequences for each business. This presentation demonstrates in detail how criminals can take advantage of these weaknesses and how you can secure your networks using straightforward techniques.

Transcript of Pragmatic Network Security - Avoiding Real-World Vulnerabilities

Slide 1 © First Base Technologies 2014

Peter Wood, Chief Executive Officer

First Base Technologies LLP

Pragmatic Network Security

Avoiding Real-World Vulnerabilities

Slide 2

Who is Peter Wood?

Worked in computers & electronics for 45 years

Founded First Base in 1989 (the first ethical hackers in the UK)

Ethical hacker, security evangelist and public speaker

• Fellow of the BCS, the Chartered Institute for IT

• Chartered IT Professional

• CISSP

• Senior Member of the Information Systems Security Association (ISSA)

• 15+ year Member of ISACA, Member of the ISACA Security Advisory Group

• Member of the Institute of Information Security Professionals

• Member of the BCS Register of Security Specialists

• Deputy Chair of the BCS Information Risk Management and Audit Group

• UK Programme Chair for the Corporate Executive Programme

• Member of ACM, IEEE, First Forensic Forum (F3), Institute of Directors

• Member of Mensa

Slide 3

Who are First Base Technologies?

• Web Application Testing

• Infrastructure Testing

• Network Security Testing

• Server Security Audits

• SCADA Security Testing

• PCI Penetration Testing

• Endpoint Testing

• Social Engineering

• Red Teaming

• Risk Assurance

• Transformation Consultancy

• Cloud Security

• Architectural Reviews

• Awareness Consultancy

• Keynote Seminars

• Security Evangelism

• Multimedia Training

• White-hats.co.uk User Group

Penetration Testing & Ethical Hacking

Security Consultancy & Awareness

Slide 4

Background

• Network security testing since 1994

• Some problems just won’t go away

• Configuration problems persist

• Simple vulnerabilities are ignored

• New technologies introduce old problems

• Silver bullets still don’t work

• Too little time, money and people

Slide 5

Real and present danger

• We analysed the results from a series of network penetration tests over the past two years, in a variety of sectors including banking, insurance and retail

• We identified the most common vulnerabilities, how they can be exploited and the consequences for each business

• This presentation demonstrates in detail how criminals can take advantage of these weaknesses and how you can secure your networks using straightforward techniques.

Slide 6

Results of Analysis

Category                                      Percentage vulnerable
Easily-guessed passwords                      36%
Immediate access to sensitive information     55%
Regular users able to access sensitive data   36%
Default passwords giving admin access         55%
Default passwords giving remote control       18%
Missing patches giving root access            82%
SNMP read-write giving admin access           45%
Total vulnerable                              100%

Sample: 11 large corporate organisations tested in past 2 years

Slide 7

Stories from the front line

To put our experience in context, we decided to use a real example – because we believe a story is more compelling than bald facts

“The story you are about to hear is true; only the names have been changed to protect the innocent vulnerable.”

Slide 8

Step 1: Telephone pretexting

• Our tester (Charlie) called the reception desk at head office using a telephone number found using Internet searches

• He impersonated a real employee, using a stolen staff list

• He claimed to be new to the company and had forgotten his swipe card, but didn’t know the procedure for when he arrived at head office

• He was asked if he had any identification that he was a legitimate employee, and he said he did not

• He was told that he could sign in at the front desk

• He asked if he needed any information in order to sign in, and was told that he did not

Slide 9

Step 2: Physical access

• Both testers arrived at head office by taxi, bypassing security on the main gate

• Charlie entered main reception and told the receptionist that he had forgotten his swipe card, and had spoken to a receptionist on the telephone about this

• He was asked to sign in, which he did using the previously selected employee name

• He was given a staff visitor pass, which he used to go through the staff access barriers

Slide 10

Step 2: Physical access (cont’d)

• Charlie waited five minutes and then returned to main reception

• He met Harry there and told reception that he was there to sign Harry in as a visitor

• Neither Charlie nor Harry were asked for identification, and Harry was given a visitor pass

• They then walked to the second floor to assess the security of the board rooms, which were unlocked

• The security passes granted to both testers did not expire during the entire week of testing (we were informed that security passes should expire at the end of each day)

Slide 11

Step 3: Password guessing

• Windows domain account for a training room using password ‘Password2’ (simple guessing)

• Enumerated user list using training room account

• Brute force attack revealed lots of users using ‘Password1’

• Browsed a file store and found two spreadsheets containing user names and passwords

• Located an Administrator-level account using ‘Password3’

• Logged in to OWA using compromised account and found password to Oracle E-Business

• Used OWA to link real names to user names

Slide 12

Step 4: Sensitive data access

• Using an accounts user with password ‘Password4’, accessed company bank account information

• Connected to a server using RDP, found access to payroll data

• Connected again via RDP, using an account with Domain Admin privilege – able to access all folders and shares

• Gained access to salaries, financial strategy, directors’ data

• Logged in to OWA as a Finance Director, obtained sensitive email trails with CEO and other executives

• Obtained access to entire email archive

• Found credentials for MS-SQL databases in archive

Slide 13

Step 5: Extending access

• Connected to a domain controller using an Admin account

• Turned off the anti-virus software and dumped 11,000 password hashes for the entire domain

• Over 6,000 passwords were cracked:

- 3% were based on the word ‘password’

- 51% were eight characters in length or less

- 89% began with a capital letter and ended with a number

- 18% ended with the number ‘1’

• Any one of these accounts could be used without detection

• Policy required 7-character passwords and a lockout of 30 minutes after 5 logon attempts in 30 minutes

Slide 14

Step 6: Persistent access

• Found vulnerable HP Data Protector service, using a simple port scan (around 2,000 hosts)

• Exploited the service and installed a remote shell

• Connected to a machine in our offices, giving permanent root-level remote access to the server

Slide 15

Summary

• We gained access to head office without valid identification

• Access was maintained for a week and no-one questioned our identities

• Weak passwords gave access to 12 directors’ accounts, including the CEO

• Executive email accounts were accessed without detection

• Corporate data held on servers could be accessed, including directors’ and payroll shares and user areas for all staff

• We were able to read and edit key strategic planning data

• We obtained passwords for HR systems and Oracle E-Business

• We gained administrative control over thousands of systems in the domain

• We demonstrated persistent access, allowing remote access to the network from the Internet

Slide 16

Slide 17

Fix 1: Telephone pretexting

Staff should be trained to:

• Never reveal corporate or sensitive information in response to a phone call unless they have verified the caller

• Report any phone calls that they suspect might be social engineering attacks

Slide 18

Fix 2: Physical access

• Reception should deny access to anyone without valid identification

• Visitor passes should only be granted to visitors after they have been signed in by a staff member with a valid staff pass (not a temporary pass)

• Temporary and visitor security passes should expire at the end of each day, and should not allow access through the security gates after this period

Slide 19

Fix 3: Password guessing

• Users should be educated and encouraged to choose strong passphrases

• The domain password policy should enforce a minimum length of 14 characters, but does not need to enforce number, symbols or upper case letters

• Account lockout thresholds can safely be increased as there is a negligible chance of brute forcing a valid passphrase

• Users should be educated not to store password details in plain text in personal folders

• User accounts and passwords should never be shared and service passwords should be secured in an encrypted vault
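An added example (not from the talk) that puts the slide 13 password statistics and the Fix 3 policy argument into code: it classifies a list of plaintext passwords into the four weakness categories reported above and counts how many would survive the old 7-character minimum versus the proposed 14-character minimum. The password list is constructed, not the engagement data.

```python
"""Password audit in the four weakness categories from slide 13, plus a count of
how many passwords survive the old 7-character minimum versus the 14-character
passphrase minimum proposed in Fix 3. Added example; sample list constructed."""
import re

CATEGORIES = (
    "based on 'password'",
    "eight characters or fewer",
    "capital first, number last",
    "ends with '1'",
)

# Constructed sample standing in for the plaintexts a defender gets back from an
# authorised audit of their own domain (not the engagement data from the talk).
SAMPLE_PASSWORDS = [
    "Password1", "Password2", "Summer2014", "Welcome1", "london99",
    "P@ssw0rd1", "Qwerty123", "correct horse battery staple",
    "abc123", "Changeme1",
]

def based_on_password(pw):
    """True if 'password' appears once the usual swaps (@->a, 0->o, $->s) are undone."""
    return "password" in pw.lower().translate(str.maketrans("@0$", "aos"))

def audit(passwords):
    """Percentage of the list falling into each slide-13 category (rounded)."""
    counts = dict.fromkeys(CATEGORIES, 0)
    for pw in passwords:
        counts[CATEGORIES[0]] += based_on_password(pw)
        counts[CATEGORIES[1]] += len(pw) <= 8
        counts[CATEGORIES[2]] += bool(re.fullmatch(r"[A-Z].*\d", pw))
        counts[CATEGORIES[3]] += pw.endswith("1")
    return {c: round(100 * n / len(passwords)) for c, n in counts.items()}

def passes_policy(pw, min_length):
    """Length-only check: Fix 3 argues length matters, not character classes."""
    return len(pw) >= min_length

def policy_comparison(passwords, old_min=7, new_min=14):
    """How many of the passwords each minimum length would have accepted."""
    return {
        f"old policy ({old_min}+ chars)": sum(passes_policy(p, old_min) for p in passwords),
        f"proposed policy ({new_min}+ chars)": sum(passes_policy(p, new_min) for p in passwords),
    }

if __name__ == "__main__":
    for cat, pct in audit(SAMPLE_PASSWORDS).items():
        print(f"{pct:3d}%  {cat}")
    print(policy_comparison(SAMPLE_PASSWORDS))
```

On the constructed sample, nine of ten passwords satisfy the old 7-character minimum while only the passphrase satisfies the 14-character one, which is the point Fix 3 makes.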

Slide 20

Fix 4: Sensitive data access

• User accounts, rights and share permissions should be audited regularly

• Rights and share access should only be provided to users with a proven business requirement to access that data

• Highly sensitive data should be encrypted as a second line of defence

Slide 21

Fix 5: Extending access

• See Fix 3!

Slide 22

Fix 6: Persistent access

• All services should be upgraded or patched to the latest version on all systems

• Regular vulnerability scans should be run to identify services at risk

• Services that are not required should be disabled

• Consideration should be given to deploying an intrusion detection system on key systems

• Regular log and alert monitoring should be implemented
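The log monitoring recommended above is what would have caught the Step 3 password guessing that went undetected. The added example below (not from the talk) runs over constructed Windows Security-log 4625 (failed logon) events: it flags a source workstation that fails logons for many distinct accounts in one 30-minute window, and shows why the per-account lockout rule from slide 13 never fires against that pattern, since each account sees only one attempt. The workstation names, account names and timestamps are constructed.

```python
"""Spot the Step 3 pattern (one workstation trying many accounts) in Windows
failed-logon events, and show why the per-account lockout on slide 13 does
not catch it. Added example, not from the talk; the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log 4625 events, one per line (time, account, source
# workstation, NTSTATUS). 0xC000006A = bad password, 0xC0000064 = no such user.
SAMPLE_LOG = """\
2014-03-03T09:00:01 4625 user=asmith src=TRAIN-PC07 status=0xC000006A
2014-03-03T09:00:02 4625 user=bjones src=TRAIN-PC07 status=0xC000006A
2014-03-03T09:00:02 4625 user=cwhite src=TRAIN-PC07 status=0xC000006A
2014-03-03T09:00:03 4625 user=dgreen src=TRAIN-PC07 status=0xC000006A
2014-03-03T09:00:03 4625 user=ebrown src=TRAIN-PC07 status=0xC000006A
2014-03-03T09:00:04 4625 user=fblack src=TRAIN-PC07 status=0xC000006A
2014-03-03T09:14:10 4625 user=asmith src=LAPTOP-A12 status=0xC000006A
2014-03-03T09:31:55 4625 user=asmith src=LAPTOP-A12 status=0xC000006A
"""
WINDOW = timedelta(minutes=30)  # observation window of the slide-13 policy
FAILED = ("0xC000006A", "0xC0000064")

def parse_events(text):
    """Return (timestamp, user, source, status) tuples from the flattened log."""
    out = []
    for line in text.splitlines():
        ts, _eid, user, src, status = line.split()
        out.append((datetime.fromisoformat(ts), user[5:], src[4:], status[7:]))
    return out

def _peak(stamped, window, measure):
    """Max of measure(values) over the values inside any window-long span."""
    stamped.sort()
    return max(measure([v for t, v in stamped[i:] if t - start <= window])
               for i, (start, _) in enumerate(stamped))

def spray_sources(events, min_accounts=5, window=WINDOW):
    """Sources that failed logons for >= min_accounts distinct users in a window."""
    by_src = defaultdict(list)
    for ts, user, src, status in events:
        if status in FAILED:
            by_src[src].append((ts, user))
    peaks = {s: _peak(v, window, lambda users: len(set(users))) for s, v in by_src.items()}
    return {s: n for s, n in peaks.items() if n >= min_accounts}

def locked_out(events, threshold=5, window=WINDOW):
    """Accounts the 5-failures-in-30-minutes lockout rule would have locked."""
    by_user = defaultdict(list)
    for ts, user, _src, status in events:
        if status in FAILED:
            by_user[user].append((ts, user))
    return {u for u, v in by_user.items() if _peak(v, window, len) >= threshold}
```

With the sample, spray_sources reports TRAIN-PC07 with six distinct accounts in four seconds while locked_out returns no accounts at all: the attacker stays under the per-account threshold, so the alert has to key on the source, not the target.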

Slide 23

Peter Wood, Chief Executive Officer

First Base Technologies LLP

[email protected]

http://firstbase.co.uk

http://white-hats.co.uk

http://peterwood.com

Twitter: @peterwoodx

Need more information?