top five internal security vulnerabilities

Post on 15-Nov-2014


DESCRIPTION

The top five internal security vulnerabilities ... and how to avoid them.

TRANSCRIPT

Top Five Internal Security Vulnerabilities

Peter Wood
Chief Executive Officer

First•Base Technologies

… and how to avoid them

Slide 2 © First Base Technologies 2011

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First•Base in 1989 (one of the first ethical hacking firms)

• CEO First Base Technologies LLP

• Social engineer & penetration tester

• Conference speaker and security ‘expert’

• Chair of Advisory Board at CSA UK & Ireland

• Vice Chair of BCS Information Risk Management and Audit Group

• Vice President UK/EU Global Institute for Cyber Security + Research

• Member of ISACA Security Advisory Group

• Corporate Executive Programme Expert

• Knowthenet.org.uk Expert

• IISP Interviewer

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP

Registered BCS Security Consultant

Member of ACM, ISACA, ISSA, Mensa

Slide 3

Traditional thinking

• Firewalls & perimeter defences

• Anti-virus

• SSL VPNs

• Desktop lock down (GPOs)

• Intrusion Detection / Prevention

• Password complexity rules

• HID (proximity) cards

• Secure server rooms

• Visitor IDs

Slide 4

Thinking like a hacker

Hacking is a way of thinking:

- A hacker is someone who thinks outside the box

- It's someone who discards conventional wisdom, and does something else instead

- It's someone who looks at the edge and wonders what's beyond

- It's someone who sees a set of rules and wonders what happens if you don't follow them

[Bruce Schneier]

Hacking applies to all aspects of life - not just computers

Slide 5

No.1 – Helpful Staff

Slide 6

Why “Helpful Staff”?

• Social engineering can be used to gain access to any system, irrespective of the platform

• It’s the hardest form of attack to defend against because hardware and software alone can’t stop it

Slide 7

Andy’s remote worker hack

1. Buy a pay-as-you-go mobile phone

2. Call the target firm’s switchboard and ask for IT staff names and phone numbers

3. Overcome their security question: Are you a recruiter?

4. Call each number until voicemail tells you they are out

5. Call the help desk claiming to be working from home

6. Say you have forgotten your password and need it reset now, as you are going to pick up your kids from school

7. Receive the username and password as a text to your mobile

8. Game over!

Slide 8

Impersonating an employee

Slide 9

Cloning HID cards

http://rfidiot.org/

Slide 10

Impersonating a supplier

Slide 11

Do-it-yourself ID cards

Slide 12

Impersonate a cleaner

• No vetting

• Out-of-hours access

• Cleans the desks

• Takes out large black sacks

Slide 13

Data theft by keylogger

Slide 14

Keyghost log file

Keystrokes recorded so far is 2706 out of 107250 ...

<PWR><CAD>fsmith<tab><tab>arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella<CAD><CAD> arabella<CAD><CAD> arabellaexittracert 192.168.137.240telnet 192.168.137.240cisco

Slide 15

Helpful Staff

• People security is weak in most organisations

• If an attacker has confidence, they will succeed

• Help desks are too helpful!

• If an attacker is in the building, they’re trusted

• People are too polite!

• Solid policies and lots of training are the defence

Slide 16

No.2 – Stupid Passwords on Privileged Accounts

Slide 17

Windows null session

Slide 18

Find service accounts and guess the password

Slide 19

Stupid Windows Administrator passwords

• 67 administrators

• 43 simple passwords

• 15 were “password”

• The worst of the rest:

admin5, crystal, finance, friday, macadmin, monkey, orange, password, password1, prague, pudding, rocky4, security, security1, sparkle, webadmin, yellow

Slide 20

What we’ve found using Windows service accounts

• Salary spreadsheets

• HR letters

• Usernames and passwords (for everything!)

• IT diagrams and configurations

• Firewall details

• Security rotas

Slide 21

Grab password hashes …

Slide 22

… and crack them for impersonation

Slide 23

Stupid Passwords

• Too many service accounts (with admin privilege)

• Obviously named service accounts

• Ridiculously easy-to-guess passwords

• Too much access for too many accounts

• No idea how to make a strong password (LM hashes!)

• Clear standards, regular penetration tests and lots of training are the defence

Slide 24

No.3 – Unprotected Infrastructure

Slide 25

Scan for default SNMP

Slide 26

Hacking a router

Read-Write strings revealed: now we have full control of network infrastructure

Default Read string in use: open door for attack

Out-of-date router OS: permits break-in

Slide 27

Stupid LAN switch password

Slide 28

Stupid fibre switch password

Slide 29

Unprotected Infrastructure

• SNMP on by default when not used

• SNMP default community strings in use

• Ridiculously easy-to-guess passwords

• Passwords shared between staff & never changed

• No idea how to make a strong password

• Clear standards, regular network discovery checks and lots of training are the defence
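The "regular network discovery checks" this slide calls for can start from configuration rather than from the wire: the following added example (not from the presentation) reviews a saved running-config for the SNMP weaknesses the section describes, namely default community strings, read-write strings, and communities with no access list limiting who may use them. The sample configuration is constructed and uses Cisco IOS `snmp-server community` syntax; the list of default strings is an assumption and should be extended with whatever your vendors ship.

```python
"""Flag weak SNMP community configuration in a router/switch running-config.

Added example, not from the presentation. SAMPLE_CONFIG is constructed and
written in Cisco IOS syntax:
    snmp-server community <string> [view <name>] [RO|RW] [access-list]
"""
import re

# Vendor defaults commonly left in place (assumption: extend per vendor).
DEFAULT_COMMUNITIES = {"public", "private"}

SAMPLE_CONFIG = """\
hostname core-rtr-1
!
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-r0 RO 10
snmp-server community Xk9!pv-rw RW 10
snmp-server location Server room A
!
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (RO|RW))?(?: (\S+))?\s*$"
)


def audit_snmp_config(config: str) -> list[dict]:
    """Return one finding per weak community line, with the problems seen."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        m = COMMUNITY_RE.match(raw.strip())
        if not m:
            continue
        community, _view, mode, acl = m.groups()
        mode = mode or "RO"  # IOS defaults a community to read-only
        problems = []
        if community.lower() in DEFAULT_COMMUNITIES:
            problems.append("default community string")
        if mode == "RW":
            problems.append("read-write access (full device control)")
        if acl is None:
            problems.append("no access-list restricting source addresses")
        if problems:
            findings.append({"line": lineno, "mode": mode, "problems": problems})
    return findings


def snmp_risk_summary(config: str) -> str:
    """Collapse the findings into a single severity for a fleet report."""
    findings = audit_snmp_config(config)
    if not findings:
        return "ok"
    if any("default community string" in f["problems"] and f["mode"] == "RW"
           for f in findings):
        return "critical"  # the 'read-write strings revealed' case on the slide
    if any(f["mode"] == "RW" for f in findings):
        return "high"
    return "medium"


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print("line %d (%s): %s" % (f["line"], f["mode"], "; ".join(f["problems"])))
    print("summary:", snmp_risk_summary(SAMPLE_CONFIG))
```

The report deliberately prints line numbers rather than the community strings themselves, so it can be shared with an audit team without copying secrets around; the strings stay in the config file.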

Slide 30

No.4 – Unused and Unpatched Services

Slide 31

HP/Compaq Insight Manager gives remote control of a server

Slide 32

Missing RPC patch gives remote shell on Windows

Slide 33

Missing Webmin patch gives remote shell on Linux

Slide 34

Unused & Unpatched Services

• Internal systems not patched up to date

• Default services never reviewed or challenged

• Minority systems not properly administered

• No internal vulnerability scans conducted

• No internal penetration tests conducted

• Clear standards, regular checks and lots of training are the defence
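One concrete form of "default services reviewed and challenged" is to compare what a host actually listens on with a baseline of services someone has approved and owns. The added example below (not from the presentation) does that for Linux hosts: it parses `ss -ltn` output, ignores listeners bound only to loopback, and reports every other port as approved or unapproved. The listener output and the baseline are constructed; the port numbers and owners in them are illustrative only.

```python
"""Compare a host's TCP listeners against an approved-services baseline.

Added example, not from the presentation. SAMPLE_SS_OUTPUT is constructed in
the format of `ss -ltn` on Linux; BASELINE is a constructed allow-list
mapping port -> (service, owner).
"""
import re

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     0.0.0.0:10000        0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Constructed baseline (assumption): only these ports may face the network.
BASELINE = {
    22: ("sshd", "platform team"),
    80: ("nginx", "web team"),
}

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def parse_listeners(output: str) -> list[tuple[str, int]]:
    """Return (bind address, port) for every LISTEN line in `ss -ltn` output."""
    listeners = []
    for line in output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def is_loopback(addr: str) -> bool:
    """Loopback-only listeners are not reachable from the network."""
    return addr.startswith("127.") or addr == "[::1]"


def review_listeners(output: str, baseline: dict) -> dict[int, str]:
    """Map each network-facing port to a verdict against the baseline."""
    verdicts = {}
    for addr, port in parse_listeners(output):
        if is_loopback(addr):
            continue
        if port in baseline:
            verdicts[port] = "approved (%s, owner: %s)" % baseline[port]
        else:
            verdicts[port] = "UNAPPROVED: not in baseline, review or remove"
    return verdicts


def unapproved_ports(output: str, baseline: dict) -> list[int]:
    """Just the ports that need a human decision, sorted for the ticket."""
    return sorted(p for p, v in review_listeners(output, baseline).items()
                  if v.startswith("UNAPPROVED"))


if __name__ == "__main__":
    for port, verdict in sorted(review_listeners(SAMPLE_SS_OUTPUT, BASELINE).items()):
        print("%5d  %s" % (port, verdict))
```

Run the same review on every host on a schedule and the unapproved list becomes the work queue for the "regular checks" bullet: each entry is either given an owner and a patching responsibility, or switched off.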

Slide 35

No.5 – Unprotected Laptops

Slide 36

If we can boot from CD or USB …

Slide 37

Become Local Administrator

Ophcrack is a free Windows password cracker based on rainbow tables by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.

Slide 38

Change the Windows Administrator password

Slide 39

Simply read the hard disk

“Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds.”

Slide 40

or take out the hard disk …

Slide 41

… and read it in our laptop!

Slide 42

Laptop Security

• Physical security on laptops doesn’t exist

• Windows security is ineffective if you have the laptop

• Everything is visible: e-mails, spreadsheets, documents, passwords

• If it’s on your laptop - it’s stolen!

• Encryption is the best defence, coupled with lots of training!

Slide 43

Peter Wood
Chief Executive Officer

First•Base Technologies LLP

peterw@firstbase.co.uk

Twitter: peterwoodx

Blog: fpws.blogspot.com

http://firstbase.co.uk

http://white-hats.co.uk

http://peterwood.com

Need more information?
