Every time I attend a "Security Guru's" meeting, I'm amazed by how much time and effort is spent on discussing complex hacking and computer compromise of computer networks and systems.
One person is going on about the latest "heap corruption" vulnerability and another is discussing man-in-the-middle techniques for compromising remote access systems.
Most of these vulnerabilities are very difficult to successfully exploit. Some of them require specific host platforms, special tools, in-depth knowledge of many programming languages, and a lot of luck.
I'm not saying there are not tons of vulnerabilities and exploits like these, it's just that they are not always easy to take advantage of, and therefore, may not present themselves as high risk events for most organizations.
It's The Little Things The Will Get You Every Time
During security assessments, there are times when I am able to successfully exploit a "technical" vulnerability to gain system or internal network access. For instance; during a recent assessment, I identified a web application server that appeared to be vulnerable to an IIS / ASP vulnerability that would allow an attacker to dump all .ASP code on the server. After some effort and a little C/C++ code, I was able to take advantage of this exploit. After perusing through the .ASP code on the server, I was able to gain important information that resulted in the comprise of an internal system.
However, the reality is it is the simple things that are the biggest problem. Most times, internal network compromise is the result of one or more of the following:
The installation of a web support application that has little to no security features to begin with;
The installation of support software that has a well-known default password for the admin account. And, the person installing the software never bothers to change the password;
Improperly configured communications devices such as routers and switches;
Important, and sometimes critical documents left on web servers. Information that only internal or technical people should have access to;
Poor password and authentication policy. Users using weak passwords to access accounts, especially remote access devices that are present on the Internet;
Test servers that the have been forgotten about and are still present on the Internet;
Poor network border architecture For instance; installing a firewall and forgetting that there are other network that need to be protected or should be placed behind the firewall.
The above is just a handful of "Little Things" that get overlooked and can result in the undoing of your networks security measures.
As an example; Many organizations provide their internal and external customers with a public FTP service. Most times, this is done to allow people to easily post "non-critical" or public information and share it with other associates.
Recently, I identified just such an FTP server. The server allowed anonymous logons, however it contained sub-directories that were secured. These secure directories were only accessible by the people who owned the account. It was obvious to me that I was not going to easily compromise these accounts. On the other hand, sitting right in the anonymous "root" directory was a .zip file that was rather large. I downloaded the file, which took quite a while, unzipped it on my desktop, and guess what it contained? It was a compressed file of the entire FTP server, including the secure directories.
I would bore you with what I found within these directories. The bottom line is, I should have never had access to the information they contained.
Conclusion
The bottom line is this; it really is the little things that will come back to haunt you when it comes to computer security. No system should ever be rushed into production. This is one of the most common causes for poorly secured systems. The team in charge of implementing new technology needs to be educated on how to securely deploy new systems. And if you are installing support software from outside vendors, make sure you thoroughly review their products security features. Also, make sure they fully disclose any known bugs or improperly functioning features.
Phishing: An Interesting Twist On A Common Scam
Imagine you are the CIO of a national financial institution and you've recently deployed a state of the art online transaction service for your customers. To make sure your company's network perimeter is secure, you executed two external security assessments and penetration tests. When the final report came in, your company was given a clean bill of health. At first, you felt relieved, and confident in your security measures. Shortly thereafter, your relief turned to concern. "Is it really possible that we are completely secure?" Given you're skepticism, you decide to get one more opinion.What SPAM Means: "Stupid People Annoying Me"
Has anyone else noticed the sudden blast of unsolicited e-mail (spam) loaded with url's for the unsuspecting and curious Internet surfer to click on?Road Warrior At Risk: The Dangers Of Ad-Hoc Wireless Networking
As a network security consultant, I travel quite frequently. At times, it seems like the airport is my second home. I actually like to fly, it's a moment in time where no one can reach me by e-mail, or mobile phone.