Peter Wood
Chief Executive Officer
First Base Technologies LLP
A CREST Member Company
Network security, seriously?
2016 Network Penetration Tests: Results and Solutions
Slide 2 © First Base Technologies 2016
Founder and CEO - First Base Technologies LLP
• Engineer, IT and information security professional since 1969
• Fellow of the BCS
• Chartered IT Professional
• CISSP
• Member of the Institute of Information Security Professionals
• 15 Year+ Member of ISACA, Member of the ISACA Security Advisory Group
• Senior Member of the Information Systems Security Association (ISSA)
• Member of the BCS Information Risk Management and Assurance Group
• Chair of white-hats.co.uk
• Chair of OTIS (Operational Technology and IoT Security)
• Member of ACM, IEEE, First Forensic Forum, Institute of Directors
• Member of Mensa
Peter Wood
Background
• Penetration testing since 1994 (22 years)
• Some problems just won’t go away
• Too little time, money and people?
• Ignorance?
Seriously?
Our analysis of 376 penetration tests over the
past year, across all sectors: banking,
insurance, retail …
• 244 web application tests
• 100 external infrastructure tests
• 32 internal network penetration tests
External vulnerabilities
External (244 web / 100 infra)
Absence of 2FA (68%)
Impact: An attacker who has compromised a user’s
credentials via another attack vector (such as email phishing)
can re-use SSL VPN or Citrix credentials and gain access to
the account. A brute-force attack against weak passwords
would also yield unauthorised access.
Threat Assessment: The attacker will have the same
privileges as the compromised account and can operate as a
trusted user on the network.
Links to: phishing attacks, weak passwords, poor Citrix
configuration, SSL VPNs, OWA
Fix: Implement two-factor authentication!
File upload facility (33%)
Impact: This may provide an opportunity for an attacker to
compromise the security of the web application by uploading
malicious files containing scripts, macro viruses or Trojans.
Threat Assessment: An attacker requires minimal technical
knowledge to exploit this vulnerability. If an attacker is able to
upload and execute malicious files, this would give access to the
underlying web server.
Links to: missing patches, weak passwords, phishing
Fix: Uploaded files should be checked for malicious content and
sanitised. Anti-virus should be deployed on the file store.
Cross-site scripting (23%)
Impact: Keystroke logging, redirection to attacker-controlled
websites and spoofing of login forms to steal credentials.
Threat Assessment: Users of the application can be tricked into
clicking a link via a phishing attack. Code will execute
immediately in most cases (this is known as reflected cross-site
scripting).
Links to: phishing, weak passwords, missing patches
Fix: Input validation checks should be made to ensure that only
expected data is processed by the application. All user-supplied
data should be encoded before transmission to the client. These
checks should be applied to every field in the application that can
possibly accept user input, including those hidden from an
ordinary user.
Poor Citrix Configuration (21%)
Impact: The attacker can escape from the Citrix application,
access the underlying server via a hyperlink to C: and perform
unauthorised actions as the original user.
Threat Assessment: A common goal is to gain a command
prompt (via cmd.exe), which can then be used to launch attacks
against other targets on the network, or install additional
malicious tools for further penetration.
Links to: weak passwords, missing patches, insecure SMB
service, obsolete Windows OS, excessive Domain Administrators
Fix: Harden Citrix and underlying OS; implement role-based
access controls
Excessive services (20%)
Impact: The underlying server is offering a variety of services,
some of which would only be expected on an internal network.
The impact of this vulnerability is wide ranging, with a number of
instances of outdated software vulnerable to exploitation.
Threat Assessment: Services include plain text FTP and mail
services, which are vulnerable to credential capture and
brute-force logon attacks; Microsoft Directory Services, which permit a
variety of Windows attacks; and database services that can be
compromised by password guessing. Where outdated software is
in use, the server is at an even higher risk of compromise using
published exploits.
Fix: Audit firewall rules regularly; ensure change control includes
technical justification; scan and penetration test regularly
SQL Injection (17%)
Impact: An SQL injection exploit can read or modify the
database. It may also be possible to issue commands to the
operating system and gain complete control of the host.
Threat Assessment: Tools exist to aid in conducting SQL injection
attacks.
Fix: Input validation checks should be made on every field in the
application that can possibly accept user input, including those
hidden from an ordinary user. All user-supplied data should be
encoded before transmission to the client. Database hardening
techniques should be used, including parameterised stored
procedures and parameterised queries with bound parameters to
ensure that the database query is kept separate from the data.
Cross-site request forgery (15%)
Impact: An attacker can plant stored cross-site scripting code
within a user's profile, as well as change the user's username
and password. New users can also be added to the application.
Threat Assessment: The victim is tricked into visiting a malicious
page and/or into clicking a malicious link whilst authenticated to
the application. A script running on the page will send a request
to the application, without any input from the user.
Fix: The web application should generate a unique token
whenever a request is made to access a form, and should include
the token in the URL or within Hidden form fields. The web
application should check for the presence and validity of this
token once it receives the response back from the client. If the
token is not present and valid, the request should be terminated
immediately.
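One way to implement the token check described in the fix above, as an added example that is not part of the original slides. The `CsrfGuard` class, the `csrf_token` field name and the `handle_profile_update` handler are hypothetical; tokens here are single-use and bound to the session that requested the form.

```python
import hmac
import html
import secrets


class CsrfGuard:
    """Server-side store of one-time form tokens, keyed by session id."""

    def __init__(self):
        self._issued = {}  # session id -> set of tokens not yet redeemed

    def issue(self, session_id):
        """Create an unpredictable token when a form is requested."""
        token = secrets.token_urlsafe(32)
        self._issued.setdefault(session_id, set()).add(token)
        return token

    def hidden_field(self, session_id):
        """Hidden form field carrying a fresh token for this session."""
        token = html.escape(self.issue(session_id), quote=True)
        return f'<input type="hidden" name="csrf_token" value="{token}">'

    def redeem(self, session_id, submitted):
        """True only if the token was issued to this session and is unused."""
        if not isinstance(submitted, str) or not submitted:
            return False
        outstanding = self._issued.get(session_id, set())
        match = None
        for token in outstanding:
            # Constant-time comparison avoids leaking how much of a guess matched.
            if hmac.compare_digest(token.encode(), submitted.encode()):
                match = token
        if match is None:
            return False
        outstanding.discard(match)  # a redeemed token cannot be replayed
        return True


def handle_profile_update(guard, session_id, form):
    """Hypothetical state-changing handler: the token is checked first."""
    if not guard.redeem(session_id, form.get("csrf_token")):
        return 403, "request rejected: missing or invalid CSRF token"
    return 200, "profile updated for session " + session_id


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue("sess-A")
    print(handle_profile_update(guard, "sess-A", {"csrf_token": token}))
    print(handle_profile_update(guard, "sess-A", {"csrf_token": token}))  # replay
    print(handle_profile_update(guard, "sess-A", {}))  # token absent
```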
Plain text passwords (3%)
Impact: An attacker successfully exploiting a SQL injection
vulnerability or having hijacked a user's session, can extract
users’ credentials and use them to get full access to the
accounts.
Threat Assessment: An attacker will browse through the
databases in order to find tables containing valid credentials.
They can also hijack an administrator's session to view the
passwords in plain text within individual users' profiles and run
brute-force attacks against a variety of user names.
Links to: SQL injection
Fix: Passwords should be stored in a salted hashed format, for
example using SHA-256.
Internal vulnerabilities
Internal networks (32 tests)
Weak passwords (66%)
Impact: Once connected to an internal network, an attacker
without an account will attempt to guess passwords for valid
users. The use of weak passwords makes this process much
quicker and easier.
Threat Assessment: Insecure password selection significantly
shortens the amount of time required to crack a password. The
majority of users pick passwords in very predictable ways; usually
common words, places and names. Most policies enforce a
number to be included, and users will usually place this at the
end of the word and increment the number when a password
change is forced. This practice makes it simple for hackers to
compromise passwords, especially on a large network.
Fix: Utilise passphrases; educate users on the risks and benefits
Missing patches (56%)
Impact: An attacker could exploit these vulnerabilities to gain
access to the vulnerable servers, or prevent legitimate users
from accessing the services provided.
Threat Assessment: Missing patches provide attackers with a
wide range of exploits, including SYSTEM level access and
ultimately complete control of the system and the network.
Fix: Regular patching cycle; test and audit regularly; ensure
patching is applied to all third-party systems and devices as well
as Windows systems.
Default credentials (47%)
Impact: An attacker on the internal network will use default
credentials to attempt to authenticate to management interfaces
and open services.
Threat Assessment: Vulnerable devices included Dell Remote
Access Controllers, SQL databases, Apache Tomcat servers, Cisco
routers, Polycom video conferencing, HP switch managers.
Unauthorised access to these services can result in sensitive data
exfiltration and control of the entire network, often without
detection.
Fix: Replace all default credentials with strong passwords or
passphrases; audit and test regularly.
Default SNMP strings (44%)
Impact: The information obtained via SNMP can assist an attack
by identifying vulnerabilities and configuration problems. An
attacker intercepting or brute-forcing valid read-write community
strings will be able to change the configuration of any affected
devices.
Threat Assessment: An attacker requires a minimal level of
technical knowledge in order to carry out this attack. Tools can
be used to attempt interception of community strings on the
network, or to brute-force valid strings since SNMP does not offer
any lockout policies.
Fix: Upgrade to the more secure SNMP version 3, or use
complex, difficult-to-guess community strings; audit and test
regularly
Obsolete Windows OS (25%)
Impact: The absence of Microsoft support implies that no new
security patches for the products will be released. As a result,
these operating systems are likely to contain security
vulnerabilities. Furthermore, Microsoft is unlikely to investigate
or acknowledge reports of vulnerabilities.
Threat Assessment: This would be an attractive vector for
opportunistic attackers and could result in exploitation of the
underlying server and potentially the internal network.
Fix: Update the OS, or firewall the vulnerable hosts; audit and
test regularly.
SMH vulnerabilities (16%)
Info: HP System Management Homepage (SMH) is a web-based
interface that manages servers running Microsoft Windows, Linux
and HP-UX. SMH can also be used to access the HP Lights-Out
Management processor on ProLiant and Integrity servers.
Impact: Out-of-date versions of HP System Management
Homepage are potentially affected by multiple vulnerabilities,
including remote code execution, privilege escalation and
web-based attacks.
Threat Assessment: An attacker can perform actions on the
application with the privilege level of the logged-on user, and
potentially escalate these privileges.
Fix: Update to the latest version of the software; audit and test
regularly
Insecure SMB Service (13%)
Impact: Insecurely configured or unpatched SMB services can be
exploited to gain full SYSTEM access to the underlying host. An
attacker can exploit this vulnerability to escalate Windows
privileges on the target and execute arbitrary commands as
SYSTEM.
Threat Assessment: These vulnerabilities, although technical in
nature, have robust exploit code in the wild and are relatively
easy to exploit. SMB is often the first service to attack within a
Windows environment, as unpatched services can easily lead to
not only system, but domain-wide, compromise.
Fix: Apply up-to-date patches; ensure the 'Everyone' group does
not have ChangeConf (DC), WDac, or WOwn permissions; audit
and test regularly.
Key attack vectors
Phishing attacks
Finding 1: 3,066 employees clicked on a link in a phishing email,
and 2,398 users entered their username and password.
Finding 2: An analysis of the compromised passwords from email
phishing campaigns revealed single word-based passwords and
72% of passwords being 10 characters or less in length.
Impact: Email phishing is the most prevalent cyber security
threat to organisations. Passwords harvested grant the attacker
access to external services, such as VPNs and OWA.
Threat Assessment: Gaining access to these services can provide
an attacker with full remote access into the network.
Fix: Test, educate … test, educate … test, educate …
Weak passwords
Finding: Domain Admin accounts with a password of ‘password’
(and many similar poor passwords).
Impact: An attacker can exploit this issue to gain privileged
access to the domain and servers, which can be used to launch
further, more damaging attacks.
Threat Assessment: A brute-force attack is a common method of
discovering valid credentials. To minimise the risk of detection by
locking out accounts, an attacker would be likely to try one or
two select passwords against a large number of accounts and it
is likely that ‘password’ would be the first attempt.
Fix: Utilise passphrases; implement password safes; educate IT
staff and users on the risks and benefits; audit passwords
regularly.
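The threat assessment above describes one or two passwords tried against many accounts so that no single account locks out. The following detection sketch for that pattern is an added example, not part of the original slides; the log format, addresses, account names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (format is an assumption).
SAMPLE_LOG = """\
2016-05-10T09:00:01Z FAIL src=10.0.0.50 user=asmith
2016-05-10T09:00:03Z FAIL src=10.0.0.50 user=bjones
2016-05-10T09:00:04Z FAIL src=10.0.0.77 user=jdoe
2016-05-10T09:00:06Z FAIL src=10.0.0.50 user=cpatel
2016-05-10T09:00:09Z FAIL src=10.0.0.77 user=jdoe
2016-05-10T09:00:10Z FAIL src=10.0.0.50 user=dlee
2016-05-10T09:00:12Z OK src=10.0.0.91 user=mwhite
2016-05-10T09:00:14Z FAIL src=10.0.0.50 user=egreen
2016-05-10T09:00:15Z FAIL src=10.0.0.77 user=jdoe
2016-05-10T09:00:18Z FAIL src=10.0.0.50 user=fkhan
2016-05-10T09:00:21Z OK src=10.0.0.77 user=jdoe
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse(line):
    """Return (timestamp, result, source, user) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["src"], m["user"]


def detect_spray(lines, min_accounts=5, max_per_account=2,
                 window=timedelta(minutes=10)):
    """Flag sources whose failed logons touch many accounts, few tries each.

    Per-account lockout counters never trip on this pattern, so the count is
    taken per source across accounts instead.
    """
    failures = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[1] == "FAIL":
            failures[rec[2]].append((rec[0], rec[3]))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in events[start:end + 1]:
                counts[user] += 1
            wide = len(counts) >= min_accounts
            shallow = max(counts.values()) <= max_per_account
            if wide and shallow and len(counts) > len(flagged.get(src, [])):
                flagged[src] = sorted(counts)
    return flagged


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spraying from {src}: {len(users)} accounts")
```

In the sample, the source that fails once against six accounts is flagged, while the user who mistypes their own password three times is not.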
Example external scenario 1
Service: SSL VPN, Citrix
Vuln 1: No two-factor authentication
Vuln 2: Weak passwords
Method: Password guessing, social
engineering
Result: Persistent hostile access to
internal network using legitimate
credentials. Theft of sensitive
information, massive financial or
reputational damage.
Example external scenario 2
Service: Web application
Vuln 1: SQL injection
Vuln 2: Plain-text passwords
Method: SQL injection attack
Result: Public exposure of all customer
details and passwords, leading to
major reputational damage
Example insider scenario 1
Service: Windows
Vuln: Weak passwords
Method: Password guessing
Result: Theft of sensitive information,
fraud, data destruction or
modification, massive financial or
reputational damage.
Example insider scenario 2
Service: Network devices / services
Vuln: Default passwords
Method: Google
Result: Theft of sensitive information,
fraud, data destruction or
modification, massive financial or
reputational damage.
Need more information?
peter@firstbase.co.uk
http://firstbase.co.uk
twitter: @FBTechies
Peter Wood
Chief Executive Officer
First Base Technologies LLP
A CREST Member Company
