Infrastructure Auditing


Published on

This presentation takes a look at auditing the often forgotten parts of every network, including printers, HVAC, security systems and network cameras.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Infrastructure Auditing

  1. 1. ISACA VA ChapterAuditing YourInfrastructure Presented By: Bryan Miller Syrinx Technologies
  2. 2. ISACA VA Chapter Agenda  Speaker Introduction  What‟s the Issue?  Why Bother?  Real World Examples  So How Do We Fix Things?  Summary  Q&A02/24/12 Auditing the Overlooked 2
  3. 3. ISACA VA Chapter Speaker Introduction B.S., M.S. – VCU Adjunct Faculty Member in IS and CS @ VCU CISSP, former Cisco CCIE VA SCAN, VCU FTEMS presenter ISSA InfraGard member Published author with over 25 years in the industry President, Syrinx Technologies - 200702/24/12 Auditing the Overlooked 3
  4. 4. ISACA VA Chapter What‟s the Issue?02/24/12 Auditing the Overlooked 4
  5. 5. ISACA VA Chapter Potential Areas of Compromise  Printers/Scanners/Copiers  CCTV/NetDVR/Cameras  Alarm Systems  Fire Suppression Systems  Videoconference Systems  UPS  KVM  Industrial/Machine Control02/24/12 Auditing the Overlooked 5
  6. 6. ISACA VA Chapter Recently in the news:  Feeds from thousands of Trendnet home security cameras have been breached, allowing any web user to access live footage without needing a password.  BBC News Technology, Feb. 6, 2012  NY Times Article discusses the issue of video conferencing systems that are vulnerable to compromise.  NY Times online, Jan. 12, 201202/24/12 Auditing the Overlooked 6
  7. 7. ISACA VA ChapterUsing Shodan, aquick searchrevealed “lots”of possiblyvulnerablecameras.Using the URLshown, webypassed allauthentication. 02/24/12 Auditing the Overlooked 7
  8. 8. ISACA VA Chapter02/24/12 Auditing the Overlooked 8
  9. 9. ISACA VA Chapter Notable Points Commercial Printers Accountable for Identity Theft Protection Under FTC Enforcement of FACTA Red Flag Rules„ –, 4/10/09 Electric Utilities Investing $4.1 Billion by 2018 to Secure Smart Grids –, 8/25/11 State of SCADA Security Worries Researchers –, 2/5/1202/24/12 Auditing the Overlooked 9
  10. 10. ISACA VA ChapterCBS Newsreport byArmenKeteyian onthe issuesinvolvedwith datastored onprinters.April 20, 2010 02/24/12 Auditing the Overlooked 10
  11. 11. ISACA VA Chapter28th ChaosComputingCongressPresentationIt could bepossible todiscoverwhat moviesyou watch bytheir powersignature.Can you sayShazam? 02/24/12 Auditing the Overlooked 11
  12. 12. ISACA VA ChapterSTUXNET:-Spread by USBsticks-Attacks PCsthat controlSiemens PLCs-MS SQLpassword isreleasedStuxnet is nowan “opensourceweapon” thatcan bedownloadedand improvedupon. 02/24/12 Auditing the Overlooked 12
  13. 13. ISACA VA Chapter  And the often forgotten….DUQU  Shares a code base with STUXNET  Signed using stolen digital certificates from the same Japanese company as STUXNET  DUQU appears to be an intelligence gathering agent while STUXNET just wants to do physical damage  Perhaps DUQU is gathering information for the next generation of STUXNET….02/24/12 Auditing the Overlooked 13
  14. 14. ISACA VA Chapter Why Bother?02/24/12 Auditing the Overlooked 14
  15. 15. ISACA VA Chapter  Every device on your network can possibly be leveraged to mount an attack.  New issues are making the news every week.  These devices can be configured correctly during initial installation and remove the risk.  You have enough to worry about with the complex issues.02/24/12 Auditing the Overlooked 15
  16. 16. ISACA VA ChapterWouldn‟t it be reallyannoying if all your printerssuddenly asked users todeposit $0.25 before printing?You don‟t even need a tool:prompt> telnet 9100@PJL RDYMSG DISPLAY=“foo”^]quit 02/24/12 Auditing the Overlooked 16
  17. 17. ISACA VA Chapter A True Story…02/24/12 Auditing the Overlooked 17
  18. 18. ISACA VA Chapter Real World Examples02/24/12 Auditing the Overlooked 18
  19. 19. ISACA VA ChapterConsoleScreen to FireSuppressionSystem.Downloadedmanual fromthe Internet.Installationpasswordstill valid. 02/24/12 Auditing the Overlooked 19
  20. 20. ISACA VA ChapterBuildingHVACcontrols.Downloadedmanual fromthe Internet.Adminpasswordwas valid.02/24/12 Auditing the Overlooked 20
  21. 21. ISACA VA ChapterTime clocksystem.Nocredentialsrequired foradmin access. 02/24/12 Auditing the Overlooked 21
  22. 22. ISACA VA ChapterHPIntegratedLights Out(ILO) beingvery helpfulin regards tousernamesandpasswords. 02/24/12 Auditing the Overlooked 22
  23. 23. ISACA VA ChapterPolycomVSX 7000.Downloadedthe manualfrom theInternet andlogged inwith defaultcredentials.02/24/12 Auditing the Overlooked 23
  24. 24. ISACA VA Chapter No credentials….the Directory was loaded with interesting destinations.02/24/12 Auditing the Overlooked 24
  25. 25. ISACA VA ChapterDymoLabelWriterPrint Server.Logged inwith defaultcredentialsfrom manualdownloadedfrom theInternet. 02/24/12 Auditing the Overlooked 25
  26. 26. ISACA VA Chapter Belkin Remote IP-based KVM. Logged in with default credentials.02/24/12 Auditing the Overlooked 26
  27. 27. ISACA VA ChapterAPC Smart-UPS 8000 XL web interface.Logged in with default credentials from manual. Notice the ability to turn offthe UPS, reboot it or put it to sleep. 02/24/12 Auditing the Overlooked 27
  28. 28. ISACA VA Chapter Intermec RFID reader. Logged in with default credentials from manual.02/24/12 Auditing the Overlooked 28
  29. 29. ISACA VA ChapterBlueTreeModems.Often usedas RemoteTerminalUnits (RTU)in SCADAapplications.02/24/12 Auditing the Overlooked 29
  30. 30. ISACA VA Chapter Cisco Wireless camera. The Earth replaced the actual image of the room. No credentials required for access.02/24/12 Auditing the Overlooked 30
  31. 31. ISACA VA Chapter So How Do We Fix Things?02/24/12 Auditing the Overlooked 31
  32. 32. ISACA VA Chapter  Start by recognizing that ALL network devices can be used by an attacker.  If it has an IP address and some method of storage, it can probably be used by somebody to do something bad.  Develop build lists for all devices, not just servers and desktops.  Turn off unused access methods such as HTTP, HTTPS, Telnet, FTP, SNMP.  Be careful with TCP port 9100! Where possible, control this port with a firewall.02/24/12 Auditing the Overlooked 32
  33. 33. ISACA VA Chapter  Ensure that all default login credentials are changed BEFORE connecting the device.  Never leave a device connected to your network with blank passwords.  Remember, it only takes the bad guys a few minutes to download the manual from the Internet.  Routinely test all infrastructure devices for compliance with all applicable policies.  Do this on a quarterly basis to catch the low-hanging fruit.02/24/12 Auditing the Overlooked 33
  34. 34. ISACA VA Chapter  Include the Facilities Management/Physical Security groups in the overall security and systems management process.  Help these non-IT groups develop build lists for devices that connect to the corporate networks.  Offer to include their devices in the network scans and penetration tests.02/24/12 Auditing the Overlooked 34
  35. 35. ISACA VA Chapter Summary02/24/12 Auditing the Overlooked 35
  36. 36. ISACA VA Chapter  The issues discussed in this presentation are real and they‟re not going away.  They don‟t get a lot of attention but they create opportunities for massive data breaches.  More research into applicable controls is needed to help reduce the risk.  We need to push vendors to build in more security controls and disable “features” by default.02/24/12 Auditing the Overlooked 36
  37. 37. ISACA VA Chapter Q&A02/24/12 Auditing the Overlooked 37