Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Top Five Internal Security Vulnerabilities


Published on

The top five internal security vulnerabilities ... and how to avoid them.

Published in: Technology
  • Be the first to comment

Top Five Internal Security Vulnerabilities

  1. 1. Top Five Internal Security Vulnerabilities Peter Wood Chief Executive Officer First • Base Technologies … and how to avoid them
  2. 2. Who is Peter Wood? <ul><li>Worked in computers & electronics since 1969 </li></ul><ul><li>Founded First • Base in 1989 (one of the first ethical hacking firms) </li></ul><ul><li>CEO First Base Technologies LLP </li></ul><ul><li>Social engineer & penetration tester </li></ul><ul><li>Conference speaker and security ‘expert’ </li></ul><ul><li>Chair of Advisory Board at CSA UK & Ireland </li></ul><ul><li>Vice Chair of BCS Information Risk Management and Audit Group </li></ul><ul><li>Vice President UK/EU Global Institute for Cyber Security + Research </li></ul><ul><li>Member of ISACA Security Advisory Group </li></ul><ul><li>Corporate Executive Programme Expert </li></ul><ul><li> Expert </li></ul><ul><li>IISP Interviewer </li></ul><ul><li>FBCS, CITP, CISSP, MIEEE, M.Inst.ISP </li></ul><ul><li>Registered BCS Security Consultant </li></ul><ul><li>Member of ACM, ISACA, ISSA, Mensa </li></ul>1969 1989
  3. 3. Traditional thinking <ul><li>Firewalls & perimeter defences </li></ul><ul><li>Anti-virus </li></ul><ul><li>SSL VPNs </li></ul><ul><li>Desktop lock down (GPOs) </li></ul><ul><li>Intrusion Detection / Prevention </li></ul><ul><li>Password complexity rules </li></ul><ul><li>HID (proximity) cards </li></ul><ul><li>Secure server rooms </li></ul><ul><li>Visitor IDs </li></ul>
  4. 4. Thinking like a hacker <ul><li>Hacking is a way of thinking: </li></ul><ul><ul><li>A hacker is someone who thinks outside the box </li></ul></ul><ul><ul><li>It's someone who discards conventional wisdom, and does something else instead </li></ul></ul><ul><ul><li>It's someone who looks at the edge and wonders what's beyond </li></ul></ul><ul><ul><li>It's someone who sees a set of rules and wonders what happens if you don't follow them </li></ul></ul><ul><ul><li>[Bruce Schneier] </li></ul></ul><ul><li>Hacking applies to all aspects of life - not just computers </li></ul>
  5. 5. No.1 – Helpful Staff
  6. 6. Why “Helpful Staff”? <ul><li>Social engineering can be used to gain access to any system, irrespective of the platform </li></ul><ul><li>It’s the hardest form of attack to defend against because hardware and software alone can’t stop it </li></ul>
  7. 7. Andy’s remote worker hack <ul><li>Buy a pay-as-you-go mobile phone </li></ul><ul><li>Call the target firm’s switchboard and ask for IT staff names and phone numbers </li></ul><ul><li>Overcome their security question: Are you a recruiter? </li></ul><ul><li>Call each number until voicemail tells you they are out </li></ul><ul><li>Call the help desk claiming to be working from home </li></ul><ul><li>Say you have forgotten your password and need it reset now, as you are going to pick up your kids from school </li></ul><ul><li>Receive the username and password as a text to your mobile </li></ul><ul><li>Game over! </li></ul>
  8. 8. Impersonating an employee
  9. 9. Cloning HID cards
  10. 10. Impersonating a supplier
  11. 11. Do-it-yourself ID cards
  12. 12. Impersonate a cleaner <ul><li>No vetting </li></ul><ul><li>Out-of-hours access </li></ul><ul><li>Cleans the desks </li></ul><ul><li>Takes out large black sacks </li></ul>
  13. 13. Data theft by keylogger
  14. 14. Keyghost log file Keystrokes recorded so far is 2706 out of 107250 ... <PWR><CAD> fsmith <tab><tab> arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella <CAD> <CAD> arabella <CAD> <CAD> arabella exit tracert telnet cisco
  15. 15. Helpful Staff <ul><li>People security is weak in most organisations </li></ul><ul><li>If an attacker has confidence, they will succeed </li></ul><ul><li>Help desks are too helpful! </li></ul><ul><li>If an attacker is in the building, they’re trusted </li></ul><ul><li>People are too polite! </li></ul><ul><li>Solid policies and lots of training is the defence </li></ul>
  16. 16. No.2 – Stupid Passwords on Privileged Accounts
  17. 17. Windows null session
  18. 18. Find service accounts and guess the password
  19. 19. Stupid Windows Administrator passwords <ul><li>67 administrators </li></ul><ul><li>43 simple passwords </li></ul><ul><li>15 were “password” </li></ul><ul><li>The worst of the rest: </li></ul>
  20. 20. What we’ve found using Windows service accounts <ul><li>Salary spreadsheets </li></ul><ul><li>HR letters </li></ul><ul><li>Usernames and passwords (for everything!) </li></ul><ul><li>IT diagrams and configurations </li></ul><ul><li>Firewall details </li></ul><ul><li>Security rotas </li></ul>
  21. 21. Grab password hashes …
  22. 22. … and crack them for impersonation
  23. 23. Stupid Passwords <ul><li>Too many service accounts (with admin privilege) </li></ul><ul><li>Obviously named service accounts </li></ul><ul><li>Ridiculously easy-to-guess passwords </li></ul><ul><li>Too much access for too many accounts </li></ul><ul><li>No idea how to make a strong password (LM hashes!) </li></ul><ul><li>Clear standards, regular penetration tests and lots of training is the defence </li></ul>
  24. 24. No.3 – Unprotected Infrastructure
  25. 25. Scan for default SNMP
  26. 26. Hacking a router Read-Write strings revealed Now we have full control of network infrastructure Default Read string in use Open door for attack Out-of-date router OS Permits break in
  27. 27. Stupid LAN switch password
  28. 28. Stupid fibre switch password
  29. 29. Unprotected Infrastructure <ul><li>SNMP on by default when not used </li></ul><ul><li>SNMP default community strings in use </li></ul><ul><li>Ridiculously easy-to-guess passwords </li></ul><ul><li>Passwords shared between staff & never changed </li></ul><ul><li>No idea how to make a strong password </li></ul><ul><li>Clear standards, regular network discovery checks and lots of training is the defence </li></ul>
  30. 30. No.4 – Unused and Unpatched Services
  31. 31. HP/Compaq Insight Manager gives remote control of a server
  32. 32. Missing RPC patch gives remote shell on Windows
  33. 33. Missing Webmin patch gives remote shell on Linux
  34. 34. Unused & Unpatched Services <ul><li>Internal systems not patched up to date </li></ul><ul><li>Default services never reviewed or challenged </li></ul><ul><li>Minority systems not properly administered </li></ul><ul><li>No internal vulnerability scans conducted </li></ul><ul><li>No internal penetration tests conducted </li></ul><ul><li>Clear standards, regular checks and lots of training is the defence </li></ul>
  35. 35. No.5 – Unprotected Laptops
  36. 36. If we can boot from CD or USB …
  37. 37. Become Local Administrator Ophcrack is a free Windows password cracker based on rainbow tables by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.
  38. 38. Change the Windows Administrator password
  39. 39. Simply read the hard disk <ul><li>“ Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds.” </li></ul>
  40. 40. or take out the hard disk …
  41. 41. .. and read it in our laptop!
  42. 42. Laptop Security <ul><li>Physical security on laptops doesn’t exist </li></ul><ul><li>Windows security is ineffective if you have the laptop </li></ul><ul><li>Everything is visible: e-mails, spreadsheets, documents, passwords </li></ul><ul><li>If it’s on your laptop - it’s stolen! </li></ul><ul><li>Encryption is the best defence, coupled with lots of training! </li></ul>
  43. 43. <ul><li>Peter Wood </li></ul><ul><li>Chief Executive Officer </li></ul><ul><li>First • Base Technologies LLP </li></ul><ul><li>[email_address] </li></ul><ul><li>Twitter: peterwoodx </li></ul><ul><li>Blog: </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul>Need more information?