Top Five Internal Security Vulnerabilities

Date post: 15-Nov-2014

Upload: peter-wood

Description: The top five internal security vulnerabilities … and how to avoid them.

Transcript
Page 1: Top Five Internal Security Vulnerabilities

Top Five Internal Security Vulnerabilities

Peter Wood

Chief Executive Officer

First•Base Technologies

… and how to avoid them

Slide 2 © First Base Technologies 2011

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First•Base in 1989 (one of the first ethical hacking firms)

CEO First Base Technologies LLP

Social engineer & penetration tester

Conference speaker and security ‘expert’

Chair of Advisory Board at CSA UK & Ireland

Vice Chair of BCS Information Risk Management and Audit Group

Vice President UK/EU Global Institute for Cyber Security + Research

Member of ISACA Security Advisory Group

Corporate Executive Programme Expert

Knowthenet.org.uk Expert

IISP Interviewer

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP

Registered BCS Security Consultant

Member of ACM, ISACA, ISSA, Mensa

Slide 3 © First Base Technologies 2011

Traditional thinking

• Firewalls & perimeter defences

• Anti-virus

• SSL VPNs

• Desktop lock down (GPOs)

• Intrusion Detection / Prevention

• Password complexity rules

• HID (proximity) cards

• Secure server rooms

• Visitor IDs

Slide 4 © First Base Technologies 2011

Thinking like a hacker

Hacking is a way of thinking:

- A hacker is someone who thinks outside the box

- It's someone who discards conventional wisdom, and does something else instead

- It's someone who looks at the edge and wonders what's beyond

- It's someone who sees a set of rules and wonders what happens if you don't follow them

[Bruce Schneier]

Hacking applies to all aspects of life - not just computers

Slide 5 © First Base Technologies 2011

No.1 – Helpful Staff

Slide 6 © First Base Technologies 2011

Why “Helpful Staff”?

• Social engineering can be used to gain access to any system, irrespective of the platform

• It’s the hardest form of attack to defend against because hardware and software alone can’t stop it

Slide 7 © First Base Technologies 2011

Andy’s remote worker hack

1. Buy a pay-as-you-go mobile phone

2. Call the target firm’s switchboard and ask for IT staff names and phone numbers

3. Overcome their security question: Are you a recruiter?

4. Call each number until voicemail tells you they are out

5. Call the help desk claiming to be working from home

6. Say you have forgotten your password and need it reset now, as you are going to pick up your kids from school

7. Receive the username and password as a text to your mobile

8. Game over!

Slide 8 © First Base Technologies 2011

Impersonating an employee

Slide 9 © First Base Technologies 2011

Cloning HID cards

http://rfidiot.org/

Slide 10 © First Base Technologies 2011

Impersonating a supplier

Slide 11 © First Base Technologies 2011

Do-it-yourself ID cards

Slide 12 © First Base Technologies 2011

Impersonate a cleaner

• No vetting

• Out-of-hours access

• Cleans the desks

• Takes out large black sacks

Slide 13 © First Base Technologies 2011

Data theft by keylogger

Slide 14 © First Base Technologies 2011

Keyghost log file

Keystrokes recorded so far is 2706 out of 107250 ...

<PWR><CAD>fsmith<tab><tab>arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella<CAD><CAD> arabella<CAD><CAD> arabellaexittracert 192.168.137.240telnet 192.168.137.240cisco

Slide 15 © First Base Technologies 2011

Helpful Staff

• People security is weak in most organisations

• If an attacker has confidence, they will succeed

• Help desks are too helpful!

• If an attacker is in the building, they’re trusted

• People are too polite!

• Solid policies and lots of training are the defence

Slide 16 © First Base Technologies 2011

No.2 – Stupid Passwords on Privileged Accounts

Slide 17 © First Base Technologies 2011

Windows null session

Slide 18 © First Base Technologies 2011

Find service accounts and guess the password

Slide 19 © First Base Technologies 2011

Stupid Windows Administrator passwords

• 67 administrators

• 43 simple passwords

• 15 were “password”

• The worst of the rest: admin5, crystal, finance, friday, macadmin, monkey, orange, password, password1, prague, pudding, rocky4, security, security1, sparkle, webadmin, yellow

Slide 20 © First Base Technologies 2011

What we’ve found using Windows service accounts

• Salary spreadsheets

• HR letters

• Usernames and passwords (for everything!)

• IT diagrams and configurations

• Firewall details

• Security rotas

Slide 21 © First Base Technologies 2011

Grab password hashes …

Slide 22 © First Base Technologies 2011

… and crack them for impersonation

Slide 23 © First Base Technologies 2011

Stupid Passwords

• Too many service accounts (with admin privilege)

• Obviously named service accounts

• Ridiculously easy-to-guess passwords

• Too much access for too many accounts

• No idea how to make a strong password (LM hashes!)

• Clear standards, regular penetration tests and lots of training are the defence
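An audit check for the “LM hashes!” point above, added here as an example and not taken from the deck: it scans a pwdump-style hash export (a constructed sample is embedded) and flags accounts that still store an LM hash and, from the hash’s second half, accounts whose password is seven characters or fewer. The export layout `user:RID:LM-hash:NT-hash:::` is assumed.

```python
"""Audit a pwdump-style export for LM hashes (added example, not from the deck)."""
import re

# LM hashing upper-cases the password, pads it to 14 bytes and DES-encrypts the
# constant "KGS!@#$%" with each 7-byte half as the key, so an empty half always
# produces this value. Disabled LM storage is recorded as two empty halves.
EMPTY_LM_HALF = "aad3b435b51404ee"
NO_LM_HASH = EMPTY_LM_HALF * 2

# user:RID:LM-hash:NT-hash::: as written by pwdump-style tools.
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample; the hash values are placeholders, not real credentials.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_backup:1104:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
jdoe:1203:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def audit_lm(dump_text):
    """Map each account that still stores an LM hash to its list of issues."""
    findings = {}
    for line in dump_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, _rid, lm_hash, _nt_hash = m.groups()
        lm_hash = lm_hash.lower()
        if lm_hash == NO_LM_HASH:
            continue  # LM storage disabled for this account: nothing to report
        issues = ["lm_hash_present"]  # crackable as two independent 7-char halves
        if lm_hash[16:] == EMPTY_LM_HALF:
            issues.append("password_7_chars_or_fewer")  # second half is empty
        findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_lm(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(issues)}")
```

Any account the check reports is a candidate for a password reset after LM storage has been disabled by policy, since the old LM hash stays until the password changes.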

Slide 24 © First Base Technologies 2011

No.3 – Unprotected Infrastructure

Slide 25 © First Base Technologies 2011

Scan for default SNMP

Slide 26 © First Base Technologies 2011

Hacking a router

Read-Write strings revealed: now we have full control of network infrastructure

Default Read string in use: open door for attack

Out-of-date router OS: permits break-in

Slide 27 © First Base Technologies 2011

Stupid LAN switch password

Slide 28 © First Base Technologies 2011

Stupid fibre switch password

Slide 29 © First Base Technologies 2011

Unprotected Infrastructure

• SNMP on by default when not used

• SNMP default community strings in use

• Ridiculously easy-to-guess passwords

• Passwords shared between staff & never changed

• No idea how to make a strong password

• Clear standards, regular network discovery checks and lots of training are the defence
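A configuration-side check for the SNMP points above, added here as an example rather than the deck’s own tooling: it lints IOS-style `snmp-server community` lines from a constructed running-config and flags default community strings, read-write access, communities with no access-list and very short strings. The command syntax assumed is `snmp-server community <string> [view <name>] [RO|RW] [<acl>]`, with RO as the default mode.

```python
"""Lint IOS-style SNMP community settings (added example, not from the deck)."""
import re

# Factory defaults the deck warns about; extend with your own vendors' defaults.
DEFAULT_STRINGS = {"public", "private"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]; RO is the default mode.
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$",
    re.IGNORECASE,
)

# Constructed running-config fragment; the hostname and strings are made up.
SAMPLE_CONFIG = """\
hostname core-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community m0n1t0r-only RO 10
snmp-server community netops-rw RW
snmp-server community Xk9#q2Lw RW 20
"""


def audit_snmp(config_text):
    """Return (community, finding) pairs for every risky community line."""
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if community.lower() in DEFAULT_STRINGS:
            findings.append((community, "default community string"))
        if mode == "RW":
            findings.append((community, "read-write access: full control of the device"))
        if acl is None:
            findings.append((community, "no access-list: any host may use it"))
        if len(community) < 8:
            findings.append((community, "shorter than 8 characters"))
    return findings


if __name__ == "__main__":
    for community, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```

Run it over exported running-configs as part of the discovery checks; a community that is still needed should at least be non-default, restricted by access-list and read-only unless there is a documented reason for RW.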

Slide 30 © First Base Technologies 2011

No.4 – Unused and Unpatched Services

Slide 31 © First Base Technologies 2011

HP/Compaq Insight Manager gives remote control of a server

Slide 32 © First Base Technologies 2011

Missing RPC patch gives remote shell on Windows

Slide 33 © First Base Technologies 2011

Missing Webmin patch gives remote shell on Linux

Slide 34 © First Base Technologies 2011

Unused & Unpatched Services

• Internal systems not patched up to date

• Default services never reviewed or challenged

• Minority systems not properly administered

• No internal vulnerability scans conducted

• No internal penetration tests conducted

• Clear standards, regular checks and lots of training are the defence

Slide 35 © First Base Technologies 2011

No.5 – Unprotected Laptops

Slide 36 © First Base Technologies 2011

If we can boot from CD or USB …

Slide 37 © First Base Technologies 2011

Become Local Administrator

Ophcrack is a free Windows password cracker based on rainbow tables by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.

Slide 38 © First Base Technologies 2011

Change the Windows Administrator password

Slide 39 © First Base Technologies 2011

Simply read the hard disk

“Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds.”

Slide 40 © First Base Technologies 2011

or take out the hard disk …

Slide 41 © First Base Technologies 2011

… and read it in our laptop!

Slide 42 © First Base Technologies 2011

Laptop Security

• Physical security on laptops doesn’t exist

• Windows security is ineffective if you have the laptop

• Everything is visible: e-mails, spreadsheets, documents, passwords

• If it’s on your laptop - it’s stolen!

• Encryption is the best defence, coupled with lots of training!

Slide 43 © First Base Technologies 2011

Peter Wood

Chief Executive Officer

First•Base Technologies LLP

[email protected]

Twitter: peterwoodx

Blog: fpws.blogspot.com

http://firstbase.co.uk

http://white-hats.co.uk

http://peterwood.com

Need more information?
