ITrust Whitepaper: Top 10 vulnerabilities
ITrust experts found that 10 security breaches represent 99% of the total security breaches companies are faced with.
Written by ITrust, November 2013, based on the audits conducted over the past 5 years by our penetration testing team.
« ITRUST » WHITE PAPER
WHITE PAPER: Top 10 vulnerabilities by ITrust

Introduction

It doesn't come as a big surprise that last year's headlines still talked about cybercrime. This issue is now one of the major challenges governments are dealing with. We all still remember how mediatized the Elysée hacking was [1].

75% of companies were hacked within the last two years, according to a Cenzic study [2]. That number rose to 90% according to our calculations. This statement is based on what the ITrust team has diligently observed during its pentest missions.

Over the past 5 years, our consultants intervened over a hundred times to perform penetration tests for our customers. These tests are realized both internally and externally (to test DMZ customer services or even websites). You can find below our test distribution.

[Figure: AUDITS DISTRIBUTION PER YEAR (y-axis: number of audits). Total: 104 audits. Caption: "The year 2013 is only based on" (truncated in the source).]

Distribution by type of audit conducted: internal 50 %, external 38 %, web 12 %.
The stats in this white paper are recovered from the data sample we are dealing with, to provide an objective view. This article gives an overview of the 10 most commonly encountered vulnerabilities during our audits, with case studies attached. It is therefore accurate feedback from ITrust's technical teams over the last 5 years. During our audits or incident interventions, we observed that 99% of information systems had been compromised by at least one of these 10 breaches. Correcting these 10 main vulnerabilities would heighten the security level of an organization.

Thus, we provide information concerning the business structure.

Distribution of our customers by number of employees:
• over 500: 38 %
• less than 500: 12 %
• less than 100: 15 %
• less than 20: 35 %

And the field of activity of our customers.

Distribution of our customers by field of activity:
• Service: 19 %
• Bank: 19 %
• Industry: 15 %
• Host: 6 %
• Public: 4 %
• Hotel: 4 %
• Health/agro: 25 %
• Aerospace: 8 %
Feedback: Top 10 vulnerabilities encountered
Fixing these vulnerabilities would raise the level of security of an organization.

10 LOGGING TOO VERBOSE: « the network tea room »

This vulnerability is not exactly a real one, but is often the first step during penetration tests. Even though this flaw cannot directly compromise a system, it allows useful information to be collected, especially finding out relevant targets. In the talkative group, we find the 2 main servers:

DNS servers
DNS is an essential, useful service, which ensures the smooth functioning of application services such as browsing and messaging. Most of the time, doors are opened in the whole network. Then, hackers use the DNS zone transfer to list all the assets within the domain. Thus, they can quickly find out the interesting targets, by responsibility or department (R&D, Accounts).

Wordy domain controllers
Domains that are too wordy give attackers critical information to organize their attacks. Through LDAP or Samba connections, they often get relevant information such as the domain name, the operating system version (fingerprint) and, even more useful for them, the domain users list. It is possible to obtain in the same way, for each machine, the connected users.

Case study: enumerating user accounts on a domain
Using the rpcclient command under Windows:

# > rpcclient 192.168.1.1 -p 139 -U% -c enumdomusers
session request to 192.168.0.4 failed (Called name not present)
user:[Admin] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[Accounting] rid:[0x476]
user:[Commercial] rid:[0x4c3]

Using rpcclient to enumerate domain administrators:

# > rpcclient 192.168.0.4 -p 139 -U% -c 'querygroupmem 0x200'
session request to 192.168.0.4 failed (Called name not present)
rid:[0x1f4] attr:[0x7]
9 TRUST-BASED RELATIONSHIP: spreading compromise

Within a UNIX environment, remote login programs (rlogin and rsh) use a poor authentication system which also allows them to set up a trust-based relationship between the machines (via .rhosts or hosts.equiv files). This way, if a machine is compromised, the hacker has easy access to the whole system of trusted machines. In most cases, these applications are forbidden by the security policy requirements in favour of more secure tools such as SSH. But experience reveals that a bounce is still possible because of the lack of private key protection. The related public key can often be used on a wide range of servers. That allows the attacker to connect onto them.

Within a Windows environment, it is possible to define trust relationships between Active Directory domains. In that situation, the user directory is replicated between the trusted domains. If an attacker can obtain an account on a « weaker » domain, then he will have entire access to all the domains within the account.

8 ACCESS RIGHT MANAGEMENT: need-to-know

Need-to-know is one of the most important security concepts used to ensure the protection of confidential data. Access rights and permissions management often has its weaknesses: access restrictions that are too weak or even non-existent allow the recovery of strategic and confidential information.

Case study: trusted insider test - trainee example
In most Active Directory architectures, users are assigned to several groups and shared contents are opened to some groups. A trainee is added to the group of his supervisor(s). The test consists in finding what information can be obtained. At the end of the test, the experience highlights that the person has at least obtained confidential data. Moreover, in most cases, it also points to information about user accounts that can be used to become a server administrator.

Employees are the weakest link for IT security. They represent 50% of security risks. « Insiders are the biggest threat »
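Both UNIX trust paths named in section 9 can be audited from the files that define them: a "+" in hosts.equiv or .rhosts trusts any host or any user, and the same public key listed in authorized_keys on many servers is the "bounce" the text describes. The script below is an added example, not ITrust's code; the hosts.equiv, .rhosts and authorized_keys contents are constructed sample data, and the key blobs are fake stand-ins (the fingerprint routine assumes plain "type blob comment" lines with no option prefix).

```python
import base64
import hashlib
from collections import defaultdict

# Constructed /etc/hosts.equiv and ~/.rhosts contents (sample data, not from the paper).
# Entry format: "host [user]"; a "+" in either position means "any".
HOSTS_EQUIV = """\
# constructed /etc/hosts.equiv on db01
build01
+
"""
RHOSTS_ORACLE = """\
# constructed ~oracle/.rhosts on db01
app01 oracle
+ oracle
jump01 +
"""


def audit_trust_file(text):
    """Return (line, reason) for every entry that trusts any host or any user."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append((line, "any host is trusted"))
        if user == "+":
            findings.append((line, "any user on that host is trusted"))
    return findings


def constructed_key(comment):
    """Build a syntactically valid authorized_keys line around a fake blob (not a real key)."""
    blob = base64.b64encode(b"constructed-blob-" + comment.encode()).decode()
    return f"ssh-ed25519 {blob} {comment}"


# Constructed authorized_keys contents per server: one shared "backup" key on every host.
AUTHORIZED_KEYS = {
    "web01":  [constructed_key("backup@ops"), constructed_key("alice@laptop")],
    "db01":   [constructed_key("backup@ops")],
    "jump01": [constructed_key("backup@ops"), constructed_key("bob@laptop")],
}


def fingerprint(authorized_keys_line):
    """OpenSSH-style SHA256 fingerprint of the key blob (base64 without padding)."""
    blob = authorized_keys_line.split()[1]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_reuse(authorized_keys_by_host, min_hosts=2):
    """Map fingerprint -> sorted hosts for keys accepted on at least `min_hosts` servers."""
    hosts_by_fp = defaultdict(set)
    for host, lines in authorized_keys_by_host.items():
        for line in lines:
            hosts_by_fp[fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("hosts.equiv:", audit_trust_file(HOSTS_EQUIV))
    print(".rhosts:", audit_trust_file(RHOSTS_ORACLE))
    for fp, hosts in key_reuse(AUTHORIZED_KEYS).items():
        print(f"{fp} accepted on {len(hosts)} hosts: {', '.join(hosts)}")
```

A key present on every server is exactly as strong as the least protected copy of its private half; the remediation is one key per source host (or per purpose), a passphrase or agent on the private key, and from= restrictions in authorized_keys where the source is fixed.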
7 ADMINISTRATION PROTOCOLS: the devil is in the details

Even in companies where security is considered on users' workstations and servers, some kinds of equipment are regularly forgotten, whether they are active network elements such as switches, routers or printers: these are often overlooked. Thus, default administration passwords are rarely changed and, if they are, default-enabled administration protocols remain on that kind of device. The presence of insecure protocols used to pass unencrypted passwords is a very important source of attacks. For instance: FTP, Telnet…

Although production equipment and printers represent only 1% of security threats, they are often too neglected.

[Bar chart: distribution of security threats by asset type. Categories: laptops, workstations, network, mobile data, tablets/computers, data centers, production equipment, standards/guidelines, printers. Values shown on the chart: 21 %, 20 %, 13 %, 12 %, 10 %, 4 %, 3 %, 1 %, 1 %.]

Case study: SNMP on an agency router
This happened during one of our audits. A VPN router of one of our client's agencies had an SNMP service activated, listening on the Internet. The default setup allowed us to read and write MIB information. The scenario consisted in redirecting DNS requests to one of our servers and reviewing the statistics. After this convincing first step, the […] Then, we could collect all the forwarded messages.

Case study: Production stopped
SNMP is not the only open administration protocol. Let's take the example of an inverter on a client's production lines. This inverter is on […] just have to log on to the admin web server with the default accounts in order to turn off all the production services.

6 DATABASES

Databases are chosen targets because of the important information they hold. When default passwords are changed, database webmasters (who manage lots of servers) often use weak passwords depending on the name of the server. More than the confidential information they contain, these databases include user lists on which you can easily crack the passwords. Then, these accounts can be used to carry on the network attack.

Nowadays, database hacking is 14% of security threats. Gamigo's database was pirated in 2012 (http://buff.ly/11umuYS).

Case study: ERP - a perfect target
For this case, the company used to let salespersons have an ERP instance on their computer in order to use it when they are in on-site contact with customers. As the database […] could get the company's client list and its associated offers. This would be a real treasure for attackers to find and re-sell.
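The router case study in section 7 combines three settings that a configuration review catches before an audit does: a default SNMP community, a community with write access, and cleartext management protocols left enabled. The audit function below is an added example, not ITrust's code; the two router configurations are constructed in Cisco IOS style (the command names are real IOS syntax, the values are sample data), and the list of default community strings is deliberately short.

```python
# Constructed router configurations in Cisco IOS style (sample data, not from the paper).
WEAK_CONFIG = """\
hostname agency-rtr
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname agency-rtr
access-list 10 permit 10.0.0.10
snmp-server community Xk7constructedRO RO 10
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
"""

# Community strings that ship as defaults on many devices; a real list is longer.
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_device_config(config):
    """Return a list of human-readable findings for one device configuration."""
    findings = []
    section = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level command opens a new section
            section = raw.strip()
        parts = raw.split()
        if parts[:2] == ["snmp-server", "community"] and len(parts) >= 3:
            # syntax: snmp-server community NAME [RO|RW] [access-list]
            name, rest = parts[2], parts[3:]
            has_mode = bool(rest) and rest[0].upper() in ("RO", "RW")
            mode = rest[0].upper() if has_mode else "RO"
            acl = rest[1:] if has_mode else rest
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community '{name}'")
            if mode == "RW":
                findings.append(f"writable SNMP community '{name}'")
            if not acl:
                findings.append(f"SNMP community '{name}' not restricted by an access-list")
        elif parts[:3] == ["ip", "http", "server"]:
            findings.append("cleartext HTTP administration enabled")
        elif section.startswith("line vty") and parts[:2] == ["transport", "input"]:
            if "telnet" in parts or "all" in parts:
                findings.append(f"telnet accepted on '{section}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_device_config(cfg) or "no findings")
```

The hardened configuration keeps SNMP read-only, binds the community to an access-list naming the monitoring host, and leaves only SSH and HTTPS for administration; with write access gone, the DNS redirection described in the case study has no setting left to change.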
5 FILE SHARING

Many systems have file sharing. Shares may be managed via various communication protocols (FTP, NFS, SMB…). Generally, restrictions on these shares are weak or non-existent. Whether it is anonymous FTP access being allowed or the only access restriction on network shares (SMB or NFS) being the company network, an attacker has the possibility to obtain a lot of confidential information. When an attacker chooses to use the scorched earth tactic and to delete all the files (backups, financial data…), the damage caused is extremely high.

Case study: management's printer
By default, the latest printers have some shares activated to receive scans or faxes. […] management's photocopies, scans and faxes.

Some researchers from the University of Columbia claim that […] could impact millions of companies, consumers and governmental organisms. Printers can be remotely controlled online by computer criminals (http://buff.ly/ZWQ2Mv).

4 ABANDONED SERVERS

During our audits, we found that a hardware or software inventory is almost never done within information systems. During an audit, when we discover unmaintained and highly vulnerable test servers or abandoned servers, administrators are surprised as they were not even aware of these items on the network. These servers are easy to exploit and can still hold valid and usable information. Moreover, they are used as relays to attack more relevant targets.
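The trainee test of section 8 and the weak share restrictions of section 5 are two views of the same question: which shares can a given user actually read once nested group membership is resolved? The script below answers it for both, as an added example that is not ITrust's code; the group tree and the share ACLs are constructed sample data shaped like Active Directory nesting (a group's members may be users or other groups) and like SMB or FTP shares with a guest flag.

```python
# Constructed directory data (sample, not from the paper). A group's member list may
# contain user names and other group names, as in Active Directory nesting.
GROUP_MEMBERS = {
    "FinanceTeam": ["alice", "bob"],
    "Managers":    ["FinanceTeam", "carol"],
    "AllStaff":    ["Managers", "trainee"],
}

# Constructed share ACLs: which groups may read each share, and whether guest
# (anonymous) access is enabled, as on a printer's scan share or an anonymous FTP root.
SHARES = {
    "finance$": {"read": ["FinanceTeam"], "guest": False},
    "board$":   {"read": ["Managers"],    "guest": False},
    "public":   {"read": ["AllStaff"],    "guest": False},
    "scans":    {"read": ["Everyone"],    "guest": True},
}


def expand_group(group, members, _seen=None):
    """Users transitively contained in `group`; cycle-safe."""
    _seen = set() if _seen is None else _seen
    if group in _seen:
        return set()
    _seen.add(group)
    users = set()
    for m in members.get(group, []):
        if m in members:                      # nested group
            users |= expand_group(m, members, _seen)
        else:
            users.add(m)
    return users


def groups_of(user, members):
    """Every group, direct or nested, that the user belongs to."""
    return {g for g in members if user in expand_group(g, members)}


def readable_shares(user, members, shares):
    """Shares the user can read via any of his groups, 'Everyone', or guest access."""
    mine = groups_of(user, members) | {"Everyone"}
    return sorted(name for name, acl in shares.items()
                  if acl["guest"] or mine & set(acl["read"]))


def access_delta(user, new_group, members, shares):
    """Shares the user gains if added directly to `new_group` (the trainee scenario)."""
    before = set(readable_shares(user, members, shares))
    extended = {g: list(m) for g, m in members.items()}
    extended.setdefault(new_group, []).append(user)
    after = set(readable_shares(user, extended, shares))
    return sorted(after - before)


def open_shares(shares):
    """Shares readable without belonging to any specific group: the 'bad shares' list."""
    return sorted(n for n, acl in shares.items() if acl["guest"] or "Everyone" in acl["read"])


if __name__ == "__main__":
    print("trainee today:", readable_shares("trainee", GROUP_MEMBERS, SHARES))
    print("trainee added to Managers gains:", access_delta("trainee", "Managers", GROUP_MEMBERS, SHARES))
    print("open shares:", open_shares(SHARES))
```

Running the delta for every proposed group change is the need-to-know check the text asks for: a supervisor's group often carries nested rights the supervisor never sees, and the trainee inherits all of them.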
3 WEB VULNERABILITY

This category could be a whole article as it is a very wide subject. In our case and according to our sample, web vulnerabilities do not represent the majority of encountered vulnerabilities. However, very often, especially during the audit of a website, it is possible to observe some application vulnerabilities. If we confront the top 10 web vulnerabilities given by OWASP [3], this is what we can conclude given our field experience. We can place the vulnerabilities we're faced with into 2 categories:

Phase 1: Entry points
These vulnerabilities allow a first system assessment and give information. By frequency order, we find:
• Not updated systems
• Lack of secure configuration
This vulnerability category is a whole top 10 paragraph:
• SQL injections
• XSS attacks
• Session management

Phase 2: Operation
This vulnerability category allows, on the second hand, to exploit the information collected in phase 1. In this category we find:
• Sensitive data exposure
• Lack of restricted privileges

As soon as an exploitable vulnerability is identified on the website, if privileges are not rightly managed, it is possible to access the server and obtain all rights. According to the hacker's nuisance potential, the exploitation can go from a website breakdown, to some data loss (potentially sensitive, like banking data), to the creation of a zombie and, worst-case scenario, to data deletion.

Case study: working session hijacked / video surveillance systems
[…] an online access. Session cookies are not protected and allow replays. Thus, all users can guess the cookie format and access another company's video surveillance system. The issue could be limited to a client disclosure issue if passwords were not that weak. But […] robbery.

Case study: Unprotected PHP functions
Websites offer the possibility to update some contents (like images for instance) and use PHP upload functionalities. If strict controls of these functionalities are not in place, it is possible to upload a web shell and to obtain information such as password hashes. This allows access to the […]
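The two case studies above fail on the same two points: a session cookie whose format can be guessed and replayed, and an upload path that trusts the client's file name. The following code is an added example, not ITrust's or the audited sites' code; it shows the guessable cookie next to a session token that is random, bound to the customer on the server side and authenticated with an HMAC, and an upload validator that checks both extension and file signature and stores the file under a server-chosen name. The server secret and the image type list are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server secret: a real deployment loads it from protected configuration.
SESSION_SECRET = secrets.token_bytes(32)


def guessable_cookie(customer_id, counter):
    """The weak scheme from the case study: a customer number and a counter.
    Anyone holding one valid cookie can derive a neighbouring customer's cookie."""
    return f"cust{customer_id}-{counter}"


def _sign(token):
    return hmac.new(SESSION_SECRET, token.encode(), hashlib.sha256).hexdigest()


def issue_session(store, customer_id):
    """Random, unguessable token bound server-side to the customer, plus an HMAC tag."""
    token = secrets.token_urlsafe(32)        # base64url alphabet: never contains "."
    store[token] = customer_id
    return f"{token}.{_sign(token)}"


def resolve_session(store, cookie):
    """Customer behind a cookie, or None if the tag is wrong or the token is unknown."""
    token, _, tag = cookie.rpartition(".")
    if not token or not hmac.compare_digest(tag, _sign(token)):
        return None
    return store.get(token)          # logout = delete the entry; replay then fails here


# Upload handling: accept only the image types the site needs, check the extension AND
# the file signature, and never keep the client's file name on disk.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}


def validate_upload(filename, data):
    """Return (True, stored_name) for an acceptable image, else (False, reason)."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match the declared image type"
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    sessions = {}
    cookie = issue_session(sessions, 42)
    print("valid cookie resolves to", resolve_session(sessions, cookie))
    print("tampered cookie resolves to", resolve_session(sessions, cookie[:-1] + "x"))
    print(validate_upload("shell.php", b"<?php /* constructed non-image payload */ ?>"))
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Storing uploads outside the web root (or on a host that does not execute scripts) completes the upload fix; the random stored name alone removes the attacker's ability to choose a .php name, but not the interpreter's willingness to run whatever sits in a served directory.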
2 PASSWORDS

A default or common password gives access to confidential resources, observed in 96% of our customers' audits. A trainee would be able to reach it. This is an issue for users in a company whose awareness is the highest, and it is still one of the most used attack vectors and the easiest to carry out.

FEEDBACK: Top 3 of the weakest passwords encountered:
- Account without password
- Same login and password
- Generic password from created accounts
And let us not forget the user name as password, the name of the user's kids or a word from the dictionary…

Case study: BlackBerry server
To illustrate this issue, we return to the case of a Windows server with the administrator's password of the database left by default. With this access we can create a new user within the system and we can see that the BlackBerry […] obtained.

1 COMMON SECURITY RISKS

This should be the most occasional problem and is paradoxically the easiest and the most automated to exploit. Common security vulnerabilities are known and, once issued, the vendors release patches. To be protected against risks, systems just need to be updated. However, these vulnerabilities are the biggest attack vector for information systems.

We remember the hacking of Sony's PlayStation Network. This hacking was possible through a known vulnerability with an available update. The latest news involved systems not updated for many years.

In addition to the 10 vulnerabilities
3 other vulnerabilities can be added to the top 10, increasing the total to 13 vulnerabilities. This top 13 shows us all exploitable vulnerabilities of an information system.
> Human vulnerabilities. For instance: an employee gives his password to a fake system administrator, via phone or mail.
> Application flaws
> Unknown vulnerabilities
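The "top 3" of section 2 (no password, password equal to the login, generic password on created accounts) and the server-name-derived database passwords of section 6 are all checks that can run against an account inventory before an auditor does. The audit routine below is an added example, not ITrust's code; the accounts, hosts and passwords are constructed sample data, and the generic-password list is an assumption kept deliberately short.

```python
import re

# Constructed account inventory (sample data, not from the paper): login, password, host.
# In practice such cleartext values come from a controlled audit run, never from production.
ACCOUNTS = [
    {"login": "sa",      "password": "",             "host": "sql-srv-lyon"},
    {"login": "backup",  "password": "backup",       "host": "sql-srv-lyon"},
    {"login": "dba",     "password": "Lyon2013!",    "host": "sql-srv-lyon"},
    {"login": "admin",   "password": "admin",        "host": "vpn-rtr-01"},
    {"login": "appuser", "password": "Xk9#vL2p!qRw", "host": "sql-srv-lyon"},
]

# Generic defaults seen on freshly created accounts; a real list is much longer
# (vendor defaults, company name, seasons, years...).
GENERIC_PASSWORDS = {"admin", "password", "changeme", "welcome", "123456", "root"}


def _norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def derived_from(name, password):
    """True if the password contains the whole name or any 4+ character token of it,
    ignoring case and punctuation ("Lyon2013!" is derived from "sql-srv-lyon")."""
    p = _norm(password)
    if not p:
        return False
    whole = _norm(name)
    if len(whole) >= 4 and whole in p:
        return True
    tokens = [t for t in re.split(r"[^a-z0-9]+", name.lower()) if len(t) >= 4]
    return any(t in p for t in tokens)


def audit_account(acct):
    """List of reasons this account fails; empty when it passes."""
    reasons = []
    login, pw, host = acct["login"], acct["password"], acct["host"]
    if pw == "":
        reasons.append("empty password")
    elif pw.lower() == login.lower():
        reasons.append("password equals login")
    elif derived_from(login, pw):
        reasons.append("password derived from login")
    if pw and derived_from(host, pw):
        reasons.append("password derived from server name")
    if pw.lower() in GENERIC_PASSWORDS:
        reasons.append("generic/default password")
    return reasons


def audit_accounts(accounts):
    """Map 'login@host' -> reasons, for failing accounts only."""
    report = {}
    for a in accounts:
        reasons = audit_account(a)
        if reasons:
            report[f"{a['login']}@{a['host']}"] = reasons
    return report


if __name__ == "__main__":
    for account, reasons in audit_accounts(ACCOUNTS).items():
        print(account, "->", "; ".join(reasons))
```

The same derived_from rule, pointed at the company name and the product names, catches most of the "generic password from created accounts" category; the rest is a policy matter (no shared generic password at account creation, forced change at first logon).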
Conclusion

During an audit, we penetrate an information system more than 9 times out of ten. We do so starting with the common security breaches (in the top 10), through a simple internet connection. If we can make it, so can the hackers or malware.

Then, what do we do?
We often meet customers who pile up security tools instead of eliminating the 10 main breaches that would increase their security level exponentially. This is the reason why it is necessary to set up permanent controls to check these points. This year, a Verizon report showed that 97% of the data violations could have been avoided through basic controls [4].

I have been a security expert for 15 years. I have been the BNP's trading room security director. I am an ISS cloud expert in the National Assembly. I am the CEO of ITrust, founded 7 years ago.

Our activity is complex. You can find a lot of standards and methods. You can find an incalculable number of tools, viruses, methods, schools which use their own process or protocols. It is a young activity, (practised for) only 20 years.

With the new threats arising, especially APTs and the cloud, our clients remain expectant. Few of them understand why, still after 20 years, we have to keep improving systems with new methods and new tools. They find with surprise and incredulity that firewalls and antiviruses are no longer efficient enough to protect them. They realise that many of us lied to them, promising the end of their troubles with new tools.

We are currently at a turning point in our activity. Attacking technologies prevail over defending ones. The gap between the hackers and engineers is widening. The systems are extraordinarily vulnerable and the efficient technologies are rare. Similarly to medicine, current antibiotics are not that efficient.

By filling the gap between the sword and the shield (with a behavioral analysis technology, for instance), we wanted to explain to our clients and to our CISOs that there is another, complementary way to classic medicine - through ITrust. An alternative, but a complementary one, based on better practices and good hygiene. A kind of "Chinese medicine" that prevents rather than cures.

Even though all problems could be avoided with very simple controls, each year more companies are suffering serious incidents related to cyber security.

You think you are not facing security problems? Of course: 8 companies out of 10 suffer from attacks or intrusions and they don't even know it. For example, did you know that 98% of the companies we checked use default passwords?

You have firewalls and protection systems but you are still suffering from malicious attacks. We have been told for years that we must protect ourselves, but the analysis remains terrible. Despite all the tools and significant security budgets, basic security principles are not respected. We remain as vulnerable as before and it is easy even for an intern to get confidential information off the networks. Or even for a Korean student to get your ERP rate base or to launch a significant DDOS attack on your infrastructure.
To convince you, a story that deserves a conference:
Simple solutions and controlled procedures would have mostly avoided major disasters:
• BP oil rig: the valve security system was disabled due to the generation of a large amount of false positives.
• Société Générale - Kerviel case: the trader was also the designer of the trading tool.
• Fukushima: engineers were convinced that the cooling pump was open.
• Stuxnet virus: using the default password of Siemens devices.
• Heysel disaster: due to a lack of controls, too many spectators without tickets attended the match.

Most security incidents could have been easily avoided. Did you know that the largest cyber attack (Stuxnet) could have been avoided by changing the default password of Siemens devices?

Respecting what is known as common-sense security practices: simple and smart controls. Security is something simple. To avoid being sick, you wash your hands, you have good hygiene and eat healthy... You are grateful not to be stuffed with drugs every morning. It is similar for information system security; but this speech is hard to take in, given that for the last 20 years we kept on hearing that drugs were the only solution to solve our problems.

BEST PRACTICES
« Maintain a good security policy in real time by avoiding default passwords and overseeing the flaws of security remains the current best practice for SMEs. »
Hervé Schauer, security consultant expert

Leading experts and studies confirm what we say. The antivirus is no longer effective in responding to new threats. Over the last years, other experts went along with us: 10 security vulnerabilities are 99% of encountered vulnerabilities in any kind of company.

TOP 10 FLAWS IN ALL ENTERPRISES
• Systems that are too verbose
• Weak passwords
• Rights to know
• Trust between domains
• Database default password
• DNS servers too wordy for internal domains
• Bad shares
• Development servers, abandoned servers
• Historical and common vulnerabilities

Let's fix these vulnerabilities first and companies' security level will increase exponentially, better than any expensive technology. ITrust has developed its own solution, IKare, based on these ideas. IKare continuously checks security vulnerabilities of the information system and suggests the appropriate corrections.

What does the police do?
Often, salvation comes from regulation. The moment these controls become mandatory, they will also be systematically implemented.

So?
This is a strong trend: more and more recommendations or compliance standards take this step. These include:
• The Health safety guide from ANSSI (link...)
• New constraints related to health data, more and more recommendations
• The SANS Top 20

Bibliography
[1] http://lexpansion.lexpress.fr/high-tech/cyberguerre-comment-les-americains-ont-pirate-l-elysee_361225.html
[2] http://www.cenzic.com/resources/reg-required/whitePapers/Ponemon2011/
[3] https://www.owasp.org/index.php/Top_10_2013-T10
[4] http://www.wired.com/images_blogs/threat-level/2012/03/Verizon-Data-Breach-Report-2012.pdf

Writers
Julien Lavesque is ITrust's CTO. He is a security consultant, acting as an auditor, expert and trainer for sixty clients. Telecom and security engineer.
Jean-Nicolas Piotrowski, ITrust's CEO. Security expert since fifteen years, former CISO at the BNP Arbitrage trading room. He is general secretary and co-founder of the Digital Place cluster.
Based on a case study by Denis Ducamp, security consultant.

ITrust (www.itrust.fr) is a security company since 2007, providing its expertise and product to more than 100 customers in Europe. It develops IKare, a vulnerability management solution. ITrust is prizewinner of the "Future investment" «SVC» project, and developed a breakthrough technology for behavioural analysis. ITrust was awarded in 2013 the international digital prize given by IEClub and Ubifrance.

55 avenue l'Occitane, BP 67303, 31670 Labège Cedex, France. Tél : +33 (0)567.346.781. Email : [email protected]. www.ikare-monitoring.com
WHITE PAPER: Le Top 10 des vulnérabilités par ITrust. Exclusive property © ITrust