Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment


Published on

"Case Studies in Network Vulnerability Assessments" was presented by Chris Goggans, PatchAdvisor at the TALK Cybersecurity Summit 2017.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment

  1. 1. Case Studies in Network Vulnerability Assessments
  2. 2. About Chris  I am a VP and a Senior Security Engineer at PatchAdvisor  In 1991 I started one of the first companies to ever provide comprehensive penetration testing/vulnerability assessment services  I’ve examined networks in every industry sector, in dozens of countries
  3. 3. Industry Expertise
  4. 4. Network Vulnerability Assessments  Internal and external reviews  Validation of existing security mechanisms  Detailed analysis of networked devices and services  Not merely running a commercial scanning tool  Audit for policy compliance  Prioritized recommendations for improving security posture
  5. 5. Vulnerability Assessments: WHY?  Only realistic way to determine vulnerabilities  Get a baseline of vulnerability state  Prioritize remedial actions  Correct serious problems quickly  Assure that policies address real vulnerabilities  Industry best practice
  6. 6. Vulnerability Assessments: HOW?  Internet-based attack  Preferably, should include in-depth web application assessments  On-site engagement  Internal attacks  Simultaneous war dialing / wireless / partner connections  Initial out-briefing  Report delivery  Executive briefing
  7. 7. Web Application Assessments  Comprehensive evaluation of application  Network perspective  Server configuration  Software settings  Authenticated and Unauthenticated attacks  Emulate both internet-based attacker, and valid user exceeding authorized access  Examine applications for all types of security issues  SQL Injection  XSS/CSRF  Buffer Overflows  Cookie Manipulation  URL Replay attacks  Denials of Service
  8. 8. How PatchAdvisor Sees A Network
  9. 9. The Most Common Issues  Patch management  Nearly every organization I have examined has been woefully behind in patches, especially on Non-OS/3rd party applications  Misconfigured Services  Insecure file shares, poor access control, default settings  Poor Coding  Vulnerable web applications, desktop applications & mobile apps  Passwords  Weak passwords and poor password discipline are still the number one mechanism used by attackers to gain access
  10. 10. Attacks Can Start Anywhere…  Unpassworded TELNET access into print server  SNMP Read/Write community string exposed in printer configuration menu  Community string also used on devices such as routers, switches, etc.  “Level 7” hashes in Cisco config files exposed the password “mbhafnitsoscar”  This password also used by a Windows Domain Administrator  Windows Domain also tied to NetWare eDirectory  In total, compromise of nearly 15,000 accounts and 99.99% of all systems and network devices…all from one insecure printer
  11. 11. Real War Stories – Healthcare  Internet scans found a SharePoint Server with some limited unauthenticated access  Search queries exposed numerous documents with “password”  One was a set of instructions for training new users on electronic medical records application  This included a Windows domain account and password  This account and password gave access through a Citrix remote desktop server  This gave us access to the organization’s Internal network  NOTE: I have followed this same attack path to compromise other entities, including banks, law firms, and insurance companies
  12. 12. Real War Stories – Hedge Fund  During internal network assessment, NetBIOS name spoofing exposed numerous accounts  System Administrators appeared to be remotely connecting to Windows-based systems as the Administrator account  Password was quickly cracked  Same local administrator password was used on EVERY workstation and server
  13. 13. Real War Stories – Government Agency  On the internal network several Isilon file servers were found  HDFS was running without any access control restrictions set  One directory on the file server had virtual machine images  Pulled down copies and loaded them under local VMware workstation on our attacker laptops  Extracted usernames and passwords from the virtual machine by first booting to virtual CD image of kon-boot and bypassing local login  Could have also gained access by replacing “sticky keys app”, copying SAM and SYSTEM files, etc.  Local administrator-level accounts recovered worked on numerous other servers  Used Mimikatz to recover accounts from each of the additional systems and exposed numerous Domain Administrator-level accounts  This led to the compromise of several thousand Windows-based systems
  14. 14. Real War Stories - Financial Industry  On the internal network there were numerous systems running server-based JAVA applications  Many were commercial applications from major industry leaders (IBM, HP, VMware, etc.)  Numerous attacks over JavaRMI led to remote code execution  Missing patches, insecure libraries, unauthenticated access to JMX consoles, etc.  Extracted cached accounts and plaintext passwords using Mimikatz program including Domain Administrator-level accounts
  15. 15. The Inevitable Conclusion It’s not about perfect security; it’s about DUE DILIGENCE. “Given the inevitability of computer losses, you’ll be judged not by whether you were the victim of an attack, but by how well you planned for it." - Computer Security Institute
  16. 16. In Closing…  Due diligence requires a full spectrum of countermeasures  Vulnerability assessments are a critical component of successful security programs  Understand that your organization is not as unique as you think it is
  17. 17. PatchAdvisor, Inc 703-256-0156 5510 Cherokee Ave Suite 120 Alexandria, VA. 22312