2. About Chris
I am a VP and a Senior Security Engineer at PatchAdvisor
In 1991 I started one of the first companies to ever provide comprehensive penetration testing/vulnerability assessment services
I’ve examined networks in every industry sector, in dozens of countries
4. Network Vulnerability Assessments
Internal and external reviews
Validation of existing security mechanisms
Detailed analysis of networked devices and services
Not merely running a commercial scanning tool
Audit for policy compliance
Prioritized recommendations for improving security posture
5. Vulnerability Assessments: WHY?
Only realistic way to determine vulnerabilities
Get a baseline of vulnerability state
Prioritize remedial actions
Correct serious problems quickly
Assure that policies address real vulnerabilities
Industry best practice
6. Vulnerability Assessments: HOW?
Internet-based attack
Preferably, should include in-depth web application assessments
On-site engagement
Internal attacks
Simultaneous war dialing / wireless / partner connections
Initial out-briefing
Report delivery
Executive briefing
7. Web Application Assessments
Comprehensive evaluation of application
Network perspective
Server configuration
Software settings
Authenticated and Unauthenticated attacks
Emulate both an internet-based attacker and a valid user exceeding authorized access
Examine applications for all types of security issues
SQL Injection
XSS/CSRF
Buffer Overflows
Cookie Manipulation
URL Replay attacks
Denials of Service
9. The Most Common Issues
Patch management
Nearly every organization I have examined has been woefully behind in patches, especially on non-OS/3rd-party applications
Misconfigured Services
Insecure file shares, poor access control, default settings
Poor Coding
Vulnerable web applications, desktop applications & mobile apps
Passwords
Weak passwords and poor password discipline are still the number one mechanism used by attackers to gain access
10. Attacks Can Start Anywhere…
Unpassworded TELNET access into print server
SNMP Read/Write community string exposed in printer configuration menu
Community string also used on devices such as routers, switches, etc.
“Level 7” hashes in Cisco config files exposed the password “mbhafnitsoscar”
This password also used by a Windows Domain Administrator
Windows Domain also tied to NetWare eDirectory
In total, compromise of nearly 15,000 accounts and 99.99% of all systems and network devices…all from one insecure printer
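The chain on this slide hinges on three device-configuration weaknesses that are easy to find in a saved config before an attacker does: type 7 (the slide's “Level 7”) passwords, which are a reversible obfuscation rather than a hash; read-write SNMP community strings; and cleartext Telnet management. The following audit script is an added example, not code from the talk; the sample config and its type 7 strings are constructed placeholders.

```python
import re

# Constructed sample of a Cisco IOS-style running config (not from the talk);
# the type 7 strings are made-up placeholders, not real encoded passwords.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community netmgmt RW
!
username admin password 7 0000PLACEHOLDER0000
enable secret 5 $1$xxxx$PLACEHOLDERPLACEHOLDER
!
line vty 0 4
 password 7 0000PLACEHOLDER0000
 transport input telnet
!
"""

# (pattern, severity, finding). Type 7 is a reversible obfuscation, so a config
# containing it effectively contains the plaintext; an RW community string and
# cleartext Telnet complete the chain the slide describes.
CHECKS = [
    (re.compile(r"^\s*(?:username \S+ )?password 7 \S+"), "HIGH",
     "type 7 (reversible) password; use 'enable secret' / type 8 or 9 hashes"),
    (re.compile(r"^\s*snmp-server community \S+ RW\b"), "HIGH",
     "read-write SNMP community; drop RW or move to SNMPv3 with auth and priv"),
    (re.compile(r"^\s*snmp-server community (?:public|private)\b"), "MEDIUM",
     "default SNMP community name"),
    (re.compile(r"^\s*transport input .*\btelnet\b"), "MEDIUM",
     "Telnet management enabled; restrict to 'transport input ssh'"),
]

def audit_ios_config(text):
    """Return one finding dict per offending config line, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, severity, message in CHECKS:
            if pattern.search(line):
                findings.append({"line": lineno, "severity": severity,
                                 "message": message, "text": line.strip()})
    return findings

if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"{f['severity']:6} line {f['line']:2}: {f['message']}  [{f['text']}]")
```

Run it over exported configs from routers, switches and print servers together, since the slide's point is that the same community string and password were shared across all of them.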
11. Real War Stories – Healthcare
Internet scans found a SharePoint Server with some limited unauthenticated access
Search queries exposed numerous documents with “password”
One was a set of instructions for training new users on the electronic medical records application
This included a Windows domain account and password
This account and password gave access through a Citrix remote desktop server
This gave us access to the organization’s internal network
NOTE: I have followed this same attack path to compromise other entities, including banks, law firms, and insurance companies
12. Real War Stories – Hedge Fund
During internal network assessment, NetBIOS name spoofing exposed numerous accounts
System Administrators appeared to be remotely connecting to Windows-based systems as the Administrator account
Password was quickly cracked
Same local administrator password was used on EVERY workstation and server
13. Real War Stories – Government Agency
On the internal network several Isilon file servers were found
HDFS was running without any access control restrictions set
One directory on the file server had virtual machine images
Pulled down copies and loaded them under local VMware Workstation on our attacker laptops
Extracted usernames and passwords from the virtual machine by first booting to a virtual CD image of kon-boot and bypassing local login
Could have also gained access by replacing the “sticky keys app”, copying SAM and SYSTEM files, etc.
Local administrator-level accounts recovered worked on numerous other servers
Used Mimikatz to recover accounts from each of the additional systems and exposed numerous Domain Administrator-level accounts
This led to the compromise of several thousand Windows-based systems
14. Real War Stories – Financial Industry
On the internal network there were numerous systems running server-based Java applications
Many were commercial applications from major industry leaders (IBM, HP, VMware, etc.)
Numerous attacks over Java RMI led to remote code execution
Missing patches, insecure libraries, unauthenticated access to JMX consoles, etc.
Extracted cached accounts and plaintext passwords using the Mimikatz program, including Domain Administrator-level accounts
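One common root of the unauthenticated JMX access mentioned on this slide is a JVM started with a remote JMX port but with authentication or TLS explicitly switched off. The inventory check below is an added example, not from the talk; it parses constructed `ps`-style output (placeholder PIDs and paths) and relies only on the standard `com.sun.management.jmxremote.*` system properties, whose `authenticate` and `ssl` settings default to true whenever a port is set.

```python
import re

# Constructed `ps -eo pid,args` style output (not from the assessment);
# PIDs and jar paths are placeholders.
SAMPLE_PS = """\
 1201 /opt/java/bin/java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar /opt/app/monitoring.jar
 1344 /opt/java/bin/java -Dcom.sun.management.jmxremote.port=9011 -Dcom.sun.management.jmxremote.ssl=false -jar /opt/app/batch.jar
 1502 /opt/java/bin/java -Dcom.sun.management.jmxremote -jar /opt/app/local-only.jar
 1777 /opt/java/bin/java -Dcom.sun.management.jmxremote.port=9012 -Dcom.sun.management.jmxremote.password.file=/etc/jmx/pw -jar /opt/app/ok.jar
"""

# Captures the property name after "jmxremote." (dots allowed, e.g. password.file) and its value.
PROP = re.compile(r"-Dcom\.sun\.management\.jmxremote\.(\w+(?:\.\w+)*)=(\S+)")

def jmx_settings(args):
    """Map of jmxremote.* property name -> value from one command line."""
    return {k: v for k, v in PROP.findall(args)}

def find_insecure_jmx(ps_output):
    """Return [(pid, [problems])] for JVMs exposing a remote JMX listener weakly."""
    results = []
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        pid, _, args = line.strip().partition(" ")
        props = jmx_settings(args)
        if "port" not in props:
            continue  # bare -Dcom.sun.management.jmxremote is local-only; no remote listener
        problems = []
        # Both default to true once a port is set; an explicit false is the weak setting.
        if props.get("authenticate", "true").lower() == "false":
            problems.append("authentication disabled")
        if props.get("ssl", "true").lower() == "false":
            problems.append("TLS disabled")
        if problems:
            results.append((int(pid), problems))
    return results

if __name__ == "__main__":
    for pid, problems in find_insecure_jmx(SAMPLE_PS):
        print(f"pid {pid}: remote JMX with {', '.join(problems)}")
```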
15. The Inevitable Conclusion
It’s not about perfect security; it’s about DUE DILIGENCE.
“Given the inevitability of computer losses, you’ll be judged not by whether you were the victim of an attack, but by how well you planned for it.”
- Computer Security Institute
16. In Closing…
Due diligence requires a full spectrum of countermeasures
Vulnerability assessments are a critical component of successful security programs
Understand that your organization is not as unique as you think it is