False confidence in security solutions is unwittingly exposing businesses to attack, warns Context Information Security in a report on its key IT security findings in 2006.
The issue was identified as a significant cause of high-impact vulnerabilities, according to security consultancy Context Information Security in its report ‘False Confidence: UK Corporate Vulnerability’. The report examines its key findings in 2006, including IT security issues discovered by the company, its recommendations and conclusions, and case studies on serious vulnerabilities identified and compromises effected.
Examples of this misplaced confidence include the default (out-of-box) installation of security devices, an over-reliance on automated vulnerability assessment scanning solutions, and misplaced trust in encryption and authentication systems. Issues included misconfigured SSL appliances enabling attackers to gain full access to internal, business-critical applications; intrusion detection systems allowing intruders into corporate networks; and the ability to gain unauthorised access to strongly encrypted wireless LANs.
Alex Church, principal consultant at Context, said: “False confidence is an ever-increasing problem for corporate IT security. Throughout 2006 we’ve seen businesses fall victim to misplaced trust. Security devices are being implemented to improve corporate security, but without the right knowledge they can have the opposite effect.”
False confidence – the problem with perception
False confidence in IT security products was identified as a significant cause of high-impact vulnerabilities, providing an unexpected attack vector against corporate IT systems and information assets. The perception that solutions designed to provide security functionality are inherently secure has led to a number of businesses unwittingly opening themselves up to attack. This, coupled with the increasing complexity and built-in functionality of many IT systems, presents increasing problems for IT departments.
Examples include the default installation of security devices; the misconfiguration of security products; an over-reliance on automated vulnerability assessment scanning solutions, leading to some high-risk vulnerabilities erroneously being classified as low-risk; and misplaced trust in encryption and authentication systems and protocols.
“Assumptions are often made about security based on the perception of a particular device or solution. Many people perceive an intrusion detection system (IDS) to be secure because it performs a security function, but in some cases the opposite is also true. During one test we found a poorly configured SNORT IDS solution that ironically provided us with means to compromise the client’s internal network from the internet.”
Secure Socket Layer Virtual Private Network (SSL VPN) appliance misconfiguration was found to be increasingly common in 2006, with many businesses deploying SSL VPNs as a means of providing secure remote access to internal network resources and critical applications.
Church comments, “Unfortunately the perception of SSL VPN appliances is that, because they are security devices, they will be secure in themselves. Many businesses forget that these appliances are similar to fully-functioning web-based applications, and therefore susceptible to similar vulnerabilities. On a number of occasions it was possible to gain external access to administration consoles running web technologies such as PHP. We discovered a number of zero day issues within these technologies, potentially enabling anyone to take full control of the system and full access to the network behind it.”
Automated vulnerability scanning
The market for vulnerability testing has become somewhat commoditised over the last few years. Organisations now see it as more cost-effective to use automated tools to perform external assessments of their network infrastructure instead of manual penetration testing.
Church comments, “Of course there is a place for automated vulnerability scanning, but it should not be viewed as a substitute replacement for in-depth manual penetration testing. Over the past twelve months we have identified serious vulnerabilities in publicly accessible infrastructure systems which, if exploited, could have enabled an attacker to gain complete control over the system.” He adds, “In most of these cases the organisations in question had previously been relying solely on automated vulnerability assessments to identify externally exploitable weaknesses. Their perception was that these solutions were entirely suitable for the job, but they patently failed to identify some of the less obvious security issues.”
In one example, a client organisation commissioned a third party to conduct a security assessment of its publicly accessible systems. The third party used an automated vulnerability scanning tool, which flagged an externally published directory listing on one of the customer’s servers. This issue was given a low risk rating and so was not investigated in any detail. Context identified the same issue in a subsequent test and their manual investigation revealed one of the documents named within the listing was called “passwords.xml”.
Church pointed out, “This file had been visible and accessible for some time due to the automated scanner’s inability to discern the true risk associated with it. Our investigation revealed that the contents of the file contained usernames and passwords which enabled us to gain complete control over the system. Understandably the client was shocked; he believed that the automated scan would have picked this up.”
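The triage gap in this case study can be shown with a short script that re-rates a "directory listing" finding by looking at what the listing actually exposes. This is an added example, not code from the report or from Context's tooling; the sample listing is constructed and the filename patterns are illustrative assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: a directory index page as a scanner would capture it.
SAMPLE_LISTING = """<html><body><h1>Index of /docs</h1>
<a href="?C=N;O=D">Name</a> <a href="../">Parent Directory</a>
<a href="brochure.pdf">brochure.pdf</a>
<a href="passwords.xml">passwords.xml</a>
<a href="site%20backup.zip">site backup.zip</a>
</body></html>"""

# Assumed triage rules: name patterns suggesting credentials, keys,
# backups or configuration. Tune these to your own environment.
SENSITIVE = [
    (re.compile(r"passw|credential|secret|htpasswd", re.I), "high"),
    (re.compile(r"\.(pem|key|pfx|p12|kdbx)$", re.I), "high"),
    (re.compile(r"\.(bak|old|sql|zip|tar|gz)$|backup|dump", re.I), "medium"),
    (re.compile(r"\.(conf|config|ini|env)$", re.I), "medium"),
]
RANK = {"low": 0, "medium": 1, "high": 2}

class LinkCollector(HTMLParser):
    """Collects file names linked from a directory index page."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        # Skip column-sort links, parent-directory links and absolute paths.
        if href and not href.startswith(("?", "../", "/")):
            self.names.append(unquote(href))

def triage_listing(html, scanner_rating="low"):
    """Return (rating, reasons); the rating is only ever raised, never lowered."""
    parser = LinkCollector()
    parser.feed(html)
    rating, reasons = scanner_rating, []
    for name in parser.names:
        for pattern, level in SENSITIVE:
            if pattern.search(name):
                reasons.append((name, level))
                if RANK[level] > RANK[rating]:
                    rating = level
                break  # first matching rule decides the level for this file
    return rating, reasons

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```

A name-based rule like this only queues the finding for manual review; it does not replace opening the file and confirming what it contains.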
Recommendations and conclusions
Based on their findings, Context Information Security made the following recommendations and conclusions:
• Security products are not a failsafe method of ensuring security, especially if they are put to a purpose beyond their intended use. It is worth remembering that no security device is inherently secure; however, most risks can be minimised through careful configuration of the appliance: in particular, be wary of automatically installing default configurations without assessing how this relates to your own network environment.
• A security solution is only as good as the person who implements it: i.e. expertise is key. Where there is a lack of expertise to do this in-house, third party specialists should be engaged. We would also recommend that any new appliance should be assessed for security weaknesses and vulnerabilities before it is deployed in a production environment. Adopting this process ensures that the device is deployed in as robust a state as possible, reducing the scope for attackers to successfully compromise it.
• Automated vulnerability scanning is only part of the solution, therefore businesses should be careful to avoid an over-reliance on it. While such tools play an important part in ensuring network security, they can also result in high-risk flaws being overlooked. Therefore ensure automated testing is complemented with manual testing on a regular basis.
• A holistic approach is required to attain 360-degree security awareness. Ensuring the security of the networks themselves is essential; however, it is important to have a holistic security strategy that also considers other elements such as physical security, networked office equipment and systems, and employee dishonesty.
• In addition to the technical aspects surrounding network security, businesses must invest in educating their users. Without user awareness, the security process is typically more of a challenge to manage and can lead to security being compromised.
Church concludes, “Information security is dynamic. The shifting nature of the threat means that information security consultancies like Context need to constantly refine their techniques and methodologies to help their clients protect themselves. These are challenging times for businesses, but by taking a proactive, holistic approach to security, combining the use of well-configured and maintained security solutions with security best practice and common sense, they should be able to take full advantage of new technology while minimising the risk.”
http://www.contextis.co.uk/

• Date: 1st February 2007 • Region: UK/World • Type: Article • Topic: ISM