Post on 30-May-2018
8/14/2019 Common Info Security Weaknesses
1/36
Grant Thornton LLP. All rights reserved.
Common Enterprise Security Weaknesses
March 5th, 2009, ISACA, OKC chapter
Nathan Keltner, Advisory Services
Today's Agenda
We're going to cover:
1. Common misconceptions ("We're secure because we...")
2. Trusting insecure systems
3. Demos! Demos! Demos!
4. Recommendations
Who am I?
Nathan Keltner, Advisory Services Practice
Leads penetration tests for our central region (OK, KS, TX [in descending order of greatness])
Sometimes developer for the project
Someone who's hopefully about to say something worthwhile and interesting
Common misconceptions: "I *know* we're secure because we..."
Common misconception #1
"We know we're secure because we have antivirus" edition
Antivirus doesn't help against direct attacks.
"...throughout the potential period of the breach, Heartland did have antivirus software installed on its payment processing network."
(Heartland CEO Bob Carr, on a quarterly update call)
The truth about anti-virus, part 1:
Antivirus is, for the most part, designed to pick up fingerprints of malware in the form of a particular pattern or string of bits in a file (or going over the network)
They're trying to learn to watch for bad behavior, but that creates a ton of false positives, which makes their customers angry
As a result of the difficulty of this problem and to appease their customers, anti-virus just flat doesn't work the way people think
So where does anti-virus fit in?
It's still a minimum level of protection that every organization absolutely needs in place
It protects you from the shotgun approach to malware (make 1 exe, spam it a million times)
It protects you from (most) established viruses / malware
Common misconception #2
"We know we're secure because we've never been hacked before" edition
Are you sure?
How many of you have either a) had your computer infected by a virus before or b) known someone in your enterprise that has?
If you don't raise your hand to either, would your IT dept give a different answer?
Now, think about that virus as an incredibly dumb, very noisy hacker. What if it wasn't so noisy and stupid?
Whatever avenue was used to install that malware is also a legitimate vector for an attacker.
Common misconception #3
"We know we're secure because... oh, we outsourced that; not my problem" edition
Regardless of where data is stored, the locations it's accessed from and copied to are just as important as where it sits.
Let's assume for a moment that the outsourcing provider actually has taken proper precautions and your data is relatively safe
You still access your customer/employee/etc. data from within your environment
If I want access to your data, I gain access to you first, regardless of where it is ultimately stored
Common misconception #4
"We know we're secure because we have a firewall" edition
Firewalls are only good at what they were designed to do.
Firewalls are good at blocking access to services that aren't needed
What happens when that service is needed?
How about port 80? 443? (http, https)
Trends have been leading away from traditional "network security" for many years.
As an overall trend, the boundaries and walls we've built into the internet are falling down.
Issues are discovered in various Internet-enabled services; firewalls begin blocking all functionality but static web pages (up to early 1990's)
People discover they want said functionality after all, and "rich" internet applications begin stuffing that functionality into the port 80 container (~ late 1990's)
Rich application "platforms" begin to appear, allowing Joe developer on the internet to run their code in your browser (~2003 to present)
At this point, everyone probably knows web application security has been a huge field in the last 5 or more years
Custom code means that you get to reinvent the security wheel
We're slowly learning, and battle-hardened toolsets are now available to programmers to protect them from themselves
Still tough to rely on someone else for your security: building an app is very different from building a server.
Guess what else flies right through your firewall?
Most of the new, highly exploited vulnerabilities are in client software, which hides inside email attachments and web pages.
Currently unpatched 0days being exploited in the wild, right now:
"Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Adobe is planning to make updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, available by March 18th."
They've known about public exploitation of this vuln since early January or late December. Really? 3 months for a patch?
So where does this leave us? The sky is falling!
No it's not. At the end of the day, there will always be 0days in your environment that you can't do anything about.
Your security infrastructure should be robust enough to handle any single point of failure.
I re-present to you an idea you already know: defense-in-depth. The moat approach to info sec died 10 years ago.
Trusting Insecure Systems
So if our battle lines have been redrawn and they are now inside our organizations, why do we implement our security architecture in flat designs?
All too often, gaining access to a single machine leads to full domain admin access in a short period of time (part 1)
With Administrator access on one Windows workstation, an attacker can:
compromise any account that is logged in
compromise (almost) any account that connects to it in the future (SMS/WSUS? security scanners?)
compromise many accounts that have connected to it since the last reboot
All too often, gaining access to a single machine leads to full domain admin access in a short period of time (part 2)
When your database accounts haven't been properly restricted, a single SQL injection in who_cares_about_this_app results in:
compromising all the other databases that are also hosted on the same server
compromising the OS and many developer / QA / administrator accounts that connect to it
compromising other servers that have been set up with the same credentials
All too often, gaining access to a single machine leads to full domain admin access in a short period of time (part 3)
When your deprecated backup server doesn't receive a critical patch because who cares about it, an attacker can:
steal all the backup data still on that server
clone the IDs that are the exact same as the ones on the current backup server
start compromising all the servers that back up to the current server
Are we seeing a trend?
In an unsegmented environment, there is no such thing as a low-risk system or application.
If you want to treat a system (or application, or user account) as low risk, you've got to break those lines of trust between it and high-criticality servers
This can be done, but with difficulty. Things like stored local administrator accounts are forgotten, or important config files are left behind.
The only real answer for verification of these types of controls is through output-based testing (e.g. penetration testing)
Where else do we place trust for corporate security that we may not have thought of before?
Physical security is a large part of your overall security. If I can walk in and plug in a device, your firewall was just turned invisible (again).
Social engineering has shown us that your people will turn over your keys to the kingdom without knowing it.
In today's mobile workforce, we are often trusting every hotel, coffee shop, and airport that our company assets connect through.
But because presentations are boring without demonstrations, DEMO!
Demo 1: how compromising one administrator account through a client-side exploit can result in complete domain administrator access
Demo 2: (if we have time)
Recommendations
A few key items that will make attackers' (and penetration testers') jobs harder
1. Continue doing everything you've been doing so far
Patch, patch, patch! This limits your exposure to consecutive failures. Multiple failures in control guarantee success for an attacker.
Continue to assess your external perimeter periodically to ensure no one brought up services/servers without your knowledge
If you host web applications, these are still high-priority targets for attackers; keep your eyes on them
2. Admit defeat on the small scale, but limit your exposure
Recognize that individual control failures will happen! That 0day does exist, your users are stupid, and you'll accidentally miss patches.
Focus on limiting access/exposure
Focus on monitoring controls to understand what's occurring in your environment
2. Limiting exposure (cont.)
Accounts that interact with workstations should be segmented from the rest of your infrastructure
If compromised, they should grant access to the least number of machines possible and should be (at a minimum) separate from core server IDs
Segment your network, limiting access to your core servers from general users and developers
3. Monitor for out-of-the-ordinary events
Creating new local accounts on a workstation or server should cause suspicion
Service accounts creating any sort of accounts should cause suspicion
Accounts get locked out during cracking attempts and sometimes by accident, depending on the types of activity an attacker is performing
Ensure your IT staff become the experts on what is the norm for their environments. They will be your most valuable asset in identifying odd behavior.
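The three patterns on this slide translate directly into detection rules. The following is an added example, not part of the presentation, that flags them over constructed Windows Security log records; Event IDs 4720 and 4740 are real, while the host names, account names, the "WKS-" host prefix and the "svc_" service-account prefix are assumptions.

```python
# Added example (not from the slides): flag the account events the slide calls suspicious.
# Event IDs 4720 (account created) and 4740 (account locked out) are real Windows Security
# log IDs; the records, host names and the "svc_"/"WKS-" naming conventions are constructed.
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

SERVICE_ACCOUNT_PREFIX = "svc_"  # assumed site naming convention for service accounts
WORKSTATION_PREFIX = "WKS-"      # assumed host naming convention for workstations


@dataclass(frozen=True)
class Event:
    event_id: int  # Windows Security event ID
    host: str      # computer that logged the event
    subject: str   # account that performed the action ("-" when none is recorded)
    target: str    # account the action was performed on


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    Event(4720, "WKS-042", "jsmith", "localadmin2"),     # new local account on a workstation
    Event(4720, "SRV-FILE01", "svc_backup", "tmpuser"),  # service account creating an account
    Event(4720, "DC01", "helpdesk1", "new.hire"),        # routine provisioning: not flagged
    Event(4740, "DC01", "-", "jdoe"),
    Event(4740, "DC01", "-", "jdoe"),
    Event(4740, "DC01", "-", "jdoe"),
    Event(4740, "DC01", "-", "mlee"),                    # single lockout: below threshold
]


def flag_events(events: List[Event], lockout_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (rule, where_or_who, detail) tuples for the three patterns on the slide."""
    findings: List[Tuple[str, str, str]] = []
    lockouts: Counter = Counter()
    for e in events:
        if e.event_id == 4720:
            # A new local account on a workstation should cause suspicion.
            if e.host.startswith(WORKSTATION_PREFIX):
                findings.append(("local_account_on_workstation", e.host, e.target))
            # A service account creating any sort of account should cause suspicion.
            if e.subject.lower().startswith(SERVICE_ACCOUNT_PREFIX):
                findings.append(("service_account_created_account", e.subject, e.target))
        elif e.event_id == 4740:
            lockouts[e.target] += 1
    # Repeated lockouts of one account look like password guessing rather than a typo.
    for account, count in lockouts.items():
        if count >= lockout_threshold:
            findings.append(("repeated_lockouts", account, str(count)))
    return findings
```

The thresholds and prefixes are the knobs your IT staff, as the experts on their environment's norm, would tune; a single lockout is noise almost everywhere, three in a row rarely is.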
4. Test your security infrastructure
Never assume something is operating the way you want it to.
Don't do vulnerability assessments, do penetration tests. VAs only assess a single line of defense, which I can already tell you will fail. Only a PT will tell you if the subsequent layers are in place and functioning correctly.
A penetration test doesn't truly begin until after the first compromise.
4. Test your security infrastructure (cont.)
Regularly perform internal as well as external security assessments. Include things like physical security and social engineering that your security posture probably forgot about.
Your penetration tester should break in every time. If they don't, find out what restrictions are keeping them from gaining access (limited rules of engagement, penetration tester skill, cost/time allotted, etc.), and make sure you're comfortable with that tradeoff.
Questions
- and -
Open Discussion