Every time I attend a "Security Guru's" meeting, I'm amazed
by how much time and effort is spent on discussing complex
hacking and computer compromise of computer networks and
systems.
One person is going on about the latest "heap corruption"
vulnerability and another is discussing man-in-the-middle
techniques for compromising remote access systems.
Most of these vulnerabilities are very difficult to
successfully exploit. Some of them require specific host
platforms, special tools, in-depth knowledge of many
programming languages, and a lot of luck.
I'm not saying there are not tons of vulnerabilities and
exploits like these, it's just that they are not always easy
to take advantage of, and therefore, may not present
themselves as high risk events for most organizations.
It's The Little Things The Will Get You Every Time
During security assessments, there are times when I am able
to successfully exploit a "technical" vulnerability to gain
system or internal network access. For instance; during a
recent assessment, I identified a web application server
that appeared to be vulnerable to an IIS / ASP vulnerability
that would allow an attacker to dump all .ASP code on the
server. After some effort and a little C/C++ code, I was
able to take advantage of this exploit. After perusing
through the .ASP code on the server, I was able to gain
important information that resulted in the comprise of an
internal system.
However, the reality is it is the simple things that are the
biggest problem. Most times, internal network compromise is
the result of one or more of the following:
The installation of a web support application that has
little to no security features to begin with;
The installation of support software that has a well-known
default password for the admin account. And, the person
installing the software never bothers to change the
password;
Improperly configured communications devices such as routers
and switches;
Important, and sometimes critical documents left on web
servers. Information that only internal or technical people
should have access to;
Poor password and authentication policy. Users using weak
passwords to access accounts, especially remote access
devices that are present on the Internet;
Test servers that the have been forgotten about and are
still present on the Internet;
Poor network border architecture For instance; installing a
firewall and forgetting that there are other network that
need to be protected or should be placed behind the
firewall.
The above is just a handful of "Little Things" that get
overlooked and can result in the undoing of your networks
security measures.
As an example; Many organizations provide their internal and
external customers with a public FTP service. Most times,
this is done to allow people to easily post "non-critical"
or public information and share it with other associates.
Recently, I identified just such an FTP server. The server
allowed anonymous logons, however it contained
sub-directories that were secured. These secure directories
were only accessible by the people who owned the account. It
was obvious to me that I was not going to easily compromise
these accounts. On the other hand, sitting right in the
anonymous "root" directory was a .zip file that was rather
large. I downloaded the file, which took quite a while,
unzipped it on my desktop, and guess what it contained? It
was a compressed file of the entire FTP server, including
the secure directories.
I would bore you with what I found within these directories.
The bottom line is, I should have never had access to the
information they contained.
Conclusion
The bottom line is this; it really is the little things that
will come back to haunt you when it comes to computer
security. No system should ever be rushed into production.
This is one of the most common causes for poorly secured
systems. The team in charge of implementing new technology
needs to be educated on how to securely deploy new systems.
And if you are installing support software from outside
vendors, make sure you thoroughly review their products
security features. Also, make sure they fully disclose any
known bugs or improperly functioning features.
