Lessons from penetration testing: four simple IT security mistakes that leave a business vulnerable
- Published: Tuesday, 12 January 2016 08:41
Luke Potter looks at four of the most basic security oversights identified during penetration testing that leave businesses vulnerable to a data breach.
With businesses dedicating more time and resources to cyber-security, deploying increasingly advanced and robust solutions, and with networks becoming ever more complex, you could be forgiven for thinking that most cyber security breaches are the result of a vulnerability buried deep in the code of a piece of software or an application, one that would take weeks or months to uncover and exploit. However, the reality couldn’t be more different, and in my experience it is often a basic oversight that leaves an organization vulnerable.
These often simple errors can undermine the most advanced and complex security deployments, leaving a network vulnerable to attack. In my work as a penetration tester I see many of the same mistakes made time and time again. Let’s take a look at four of the most basic errors or oversights that we encounter during testing and that leave organizations unnecessarily vulnerable to a breach.
It has been well documented that weak passwords are the first target for attackers, especially once they have collected a cache of password hashes or usernames. As a result, businesses are starting to tackle the issue, and are introducing measures to ensure that employees use appropriate passwords that offer a suitable level of security.
However, password problems are not limited to strength alone. Password sharing (employees using the same password for different logins) is often the undoing of an organization during penetration testing. From an internal, company perspective this includes employees using the same password for general access to their machines and the network as they do for more privileged, sensitive network areas and for logging into third-party supplier portals. This not only makes a potential hacker’s job easier, since once they have the password it can be used to traverse the network, but also leaves a business vulnerable in the event of one of its suppliers being breached, with the attacker re-using the same credentials to access corporate systems.
To stress this point, on penetration tests our consultants often gain access to corporate systems using credentials from public ‘leaks’ of previous breaches of other companies’ systems, systems that internal employees also use and share passwords with. So it is vital that organizations encourage all employees to use a completely unique password for each system and service they use. This should also be promoted for any online services employees use outside of company systems, with each and every website or service having a unique password in place. There are many great password management tools available that can help with this process.
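The leak problem above can be checked for at the point a password is set, without the password itself ever leaving the organization. The following is an added example (not code from the original article or its author) of the k-anonymity pattern that password managers and breach-lookup services use: only the first five hex characters of the SHA-1 are sent to the lookup, and the match is done locally. The leak corpus and the `lookup_range` function are constructed stand-ins for a real network service.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form breach-range services index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breach corpus: password -> number of leak
# appearances. A real service stores only the SHA-1s; the plaintexts here
# exist solely to build sample data for the example.
_CONSTRUCTED_LEAKS = {"Winter2016!": 1234, "letmein": 98765}

def lookup_range(prefix: str) -> str:
    """Hypothetical offline replacement for the network range query.

    Returns what a k-anonymity breach service would return for a 5-char
    prefix: one "SUFFIX:COUNT" line per leaked hash sharing that prefix.
    """
    lines = []
    for pw, count in _CONSTRUCTED_LEAKS.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)

def breach_count(password: str, lookup=lookup_range) -> int:
    """Return how many times `password` appears in the leak set, or 0.

    Only the 5-char prefix of the hash is handed to `lookup`; the full hash
    (and therefore the password) never leaves the client.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def accept_new_password(password: str) -> bool:
    """Policy hook for a password-change form: reject anything seen in a leak."""
    return breach_count(password) == 0
```

In production, `lookup_range` would be the HTTPS range call to the breach service; everything else stays the same.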
Exposed administrative interfaces
Most organizations that we visit go to great lengths to test their security policies and solutions internally to limit their exposure to the exploits of cyber-criminals. They will test code, integration with the network and other applications, but in paying meticulous attention to every detail they risk losing sight of the bigger picture, making an error that leaves them exposed.
The most common error that results from this mind-set is an administrative interface that is left exposed to attackers. As an example, I recently did a penetration test for a large organization that had just launched a new website. Following initial testing the website appeared to have been well secured, but after further probing we were able to find the files for the test site, which included a link to an administrative interface with weak credentials set that enabled us to not only take complete control of the website but also gain access to the company network via compromise of the web server. While the developers and IT team had gone above and beyond to ensure the site wasn’t susceptible to other common attacks and didn’t create a vulnerability for the wider business, one oversight had left an otherwise secure site vulnerable.
The key recommendation here is to ensure that all ‘test’ functionality is correctly removed before websites / systems are put into production. In addition, administrative interfaces should only ever be accessible from trusted networks (such as the LAN or the VPN) with strong credentials set for all accounts.
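One way to enforce the "trusted networks only" recommendation at the application layer is shown below as an added example (not code from the original article). It is a small WSGI middleware that answers admin paths only when the peer address falls inside an allowed range; the admin prefixes and the LAN/VPN ranges are assumptions for the example, and `_hello_app` is a placeholder for the real site.

```python
import ipaddress

# Assumed trusted networks (constructed for this example): the office LAN
# and the VPN client pool. Replace with the real ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.50.0/24")]
ADMIN_PREFIXES = ("/admin", "/manage")   # assumed admin interface paths

def is_trusted(remote_addr: str, networks=TRUSTED_NETWORKS) -> bool:
    """True if the peer address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False   # malformed or empty address: fail closed
    return any(addr in net for net in networks)

class AdminNetworkGuard:
    """WSGI middleware: admin paths answer only to trusted source networks.

    Uses REMOTE_ADDR, the address the server itself saw. X-Forwarded-For is
    deliberately ignored: it is client-supplied unless a trusted proxy sets it.
    A 404 rather than 403 avoids confirming that the interface exists.
    """
    def __init__(self, app, prefixes=ADMIN_PREFIXES, networks=TRUSTED_NETWORKS):
        self.app, self.prefixes, self.networks = app, prefixes, networks

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path.startswith(self.prefixes) and not is_trusted(
                environ.get("REMOTE_ADDR", ""), self.networks):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not found\n"]
        return self.app(environ, start_response)

def _hello_app(environ, start_response):
    """Placeholder application standing in for the real website."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def request_status(path: str, remote_addr: str) -> str:
    """Run one constructed request through the guarded app; return the status."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    app = AdminNetworkGuard(_hello_app)
    list(app({"PATH_INFO": path, "REMOTE_ADDR": remote_addr}, start_response))
    return captured["status"]
```

The same restriction belongs on the network edge as well (firewall or reverse-proxy allow-list), so that a misconfigured application cannot undo it.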
Unprotected smart devices
The Internet of Things is undoubtedly in its infancy and as a result organizations are still getting to grips with the implications of Internet-enabled ‘devices’ entering the business environment. This, however, has not prevented organizations from permitting Internet-connected appliances to be used within the business, creating a targetable soft spot within their network infrastructure.
As an example, some of our recent projects have demonstrated weaknesses in smart TVs that can be compromised in one of two ways: via a Wi-Fi connection or, quite commonly, via their Bluetooth functionality. Such an attack can originate from outside the physical perimeter. Once the TV is compromised it can be used as a stepping-stone into the corporate network or turned into a listening device for attackers to harvest company information.
Organizations can avoid common weaknesses in smart devices by disabling unnecessary functionality (cameras, Bluetooth, Wi-Fi etc.) and keeping such devices up to date, just as they would any other corporate system. In addition, these devices should be secured like any other device, for example by ensuring that default passwords and settings are changed.
Subverted business logic
The logic used by many IT teams when deploying a solution is to ensure that the latest piece of software integrates with existing systems, that it delivers the innovation that helps achieve business goals, and equally that it is protected by a layer of security. It almost resembles a flow chart of check-boxes, which in many cases reflects standard operating procedure for IT departments.
However, this approach fails to take into consideration the logic that cyber-criminals will use when targeting an organization, and relies heavily on the assumptions of people who have no intention of trying to infiltrate a network. As a result, when a hacker targets a company they are playing by a different set of rules: they find ways to subvert the rationale of the development team, and look for ways to use the very technology designed to protect an organization against it.
When deploying or developing new solutions and applications, organizations must approach security from the perspective of a would-be attacker. By adopting this approach they will level the playing field and prevent vulnerabilities from appearing in the first place.
With businesses investing heavily in cyber security, it is imperative that they don’t render it worthless by making basic oversights and mistakes. With these tips in mind, businesses can help to ensure that they don’t fall foul of that one vulnerability they forgot.