Ask The Experts: Why Do Security Testing of Internal Computer Networks?

Most organizations have realized the need to have vulnerability assessments of their internet-facing (external) computer networks performed periodically. Maybe they are alarmed by all the data compromises they hear about on the news or perhaps they are subject to regulatory guidance and are required to have vulnerability assessments done. But many organizations draw the line there and never have the security of their internal networks tested. This is a mistake! At least it’s a mistake if your goal is actually to protect your computer systems and the private information they store and process.

It is true that the most attacks against information systems come from external attackers, but that does not mean the internal threat is negligible. About one sixth of data compromises are due to employees and privileged insiders such as service providers and contractors. But there are many other reasons for testing the security of your internal networks besides the internal threat. For one thing, once cyber-criminals find a hole in your external defenses they are suddenly “insiders” too. And if your internal systems are not configured correctly, hardened and monitored, it becomes trivial for these attackers to own your systems and compromise all the private information you have.

The type of testing that gives you the most bang for the buck is internal vulnerability assessment. Doing this type of testing regularly has many benefits. One benefit that people usually don’t associate with internal vulnerability assessment is that it can be used to make maps and inventories of the network. These are essentials of information security. After all, if you don’t know what you have on your network and where it is, how can you protect it? Another benefit is that it allows you to view your internal network with perspective. In other words, it lets you see it the way an attacker would. It will reveal:

  • Access control issues such as default and blank passwords mistakenly left on the network during administration, open files shares or anonymous FTP sites that may contain private data or user accounts that are suspicious or inappropriate.
  • Systems that are missing security patches or that are running out of date software or operating systems that are no longer supported by the vendors.
  • Systems that have been misconfigured or that reveal too much information to unauthorized users.
  • Ports that are inappropriately left open or dangerous services such as Telnet or Terminal Services present on the network.
  • Poor network architecture that fails to properly segment and enclave information assets so that only those with a business need can access them.
  • How well third party systems present on your network are patched, updated and secured.

Also, from a business perspective, performing regular internal vulnerability assessments shows your customers that you are serious about information security; a factor that could influence them to choose your organization over others.

In addition to vulnerability testing, it is also more than just desirable to have penetration testing of the internal network performed occasionally. While vulnerability assessment shows you what flaws are available for attackers to exploit (the width of your security exposure), penetration testing shows you what attackers can actually do with those flaws to compromise your systems and data (the depth of your security exposure). Internal penetration testing can:

  • Reveal how attackers can exploit combinations of seemingly low risk vulnerabilities to compromise whole systems or networks (cascading failures).
  • Show you if the custom software applications you are using are safe from compromise.
  • Show you not only what is bad about your network security measures, but what is working well (this can really save you money and effort by helping you chose only the most effective security controls).

One other type of penetration testing that is well worth the time and expense is social engineering testing. As network perimeters become increasingly secure, social engineering techniques such as Phishing emails or bogus phone calls are being used more and more by attackers to gain a foothold on the internal network. We at MSI are very aware of just how often these techniques work. How well do you think your employees would resist such attacks?

Thanks to John Davis for this post.

Oracle CSO Online Interview

My interview with CSO Online became available over the weekend. It discusses vendor trust and information security implications of the issues with password security in the Oracle database. You can read more about it here. Thanks to CSO Online for thinking of us and including us in the article.

Threat and Vulnerability: Pay Attention to MS12-020

Microsoft today released details and a patch for the MS12-020 vulnerability. This is a remotely exploitable vulnerability in most current Windows platforms that are running Terminal Server/RDP. Many organizations use this service remotely across the Internet, via a VPN, or locally for internal tasks. It is a common, prevalent technology, and thus the target pool for attacks is likely to make this a significant issue in the near future. 

 
Please identify your exposures to this vulnerability. Exploits are likely currently being developed. We have not yet (3/13/12 – 2.15pm Eastern) seen exploitation or an increase in probes for port 3389, but both are expected to occur shortly.
 
Please let us know if you have any questions or if we may be of any assistance with this issue.
 
UPDATE: 
 
 
This article makes reference to a potential worm attack vector, which we see as increasingly likely. Our team believes the exploitation development time to be significantly less than 30 days and more like 1-3 days for resourced attackers. As such, PLEASE TREAT THIS AS A SIGNIFICANT INTERNAL VULNERABILITY as well. Certainly, IMMEDIATE consideration is needed for Internet exposed systems, but INTERNAL systems should be patched as soon as manageable as well.
 
UPDATE II:
 
 
This confirms the scope and criticality of this issue.
 
UPDATE III:
 
Just a quick note – we are seeing vast work on the MS12-020 exploit. Some evidence points to 2 working versions. Not public, yet, but PATCH NOW. Internal & protected networks too.
 
UPDATE IV:
 
MSI is proud to announce the immediate availability of a FREE version of HoneyPoint, called HPRDP2012 to help organizations monitor for ongoing scans and potential future worm activity. The application listens on port 3389/TCP and is available for OS X (Intel), Windows & Linux. This application is similar to our releases for Conficker & Morto, in that it will be operational for a set time (specifically until October 1, 2012). Simply unzip the application to where you would like to run and execute it. We hope this helps organizations manage this vulnerability and detect impacts should scans, probes or a worm emerge. Traditional HoneyPoint customers can use Agent and/or Wasp to listen for these connections and report them centrally by dilating TCP listener HoneyPoints on port 3389. Please let us know if you have any questions.
 
 
 
 
 

Reflections on a Past Vulnerability, Kind Of…

 Recently, someone asked me about a vulnerability I had found in a product 15 years ago. The details of the vulnerability itself are in CVE-1999-1141 which you can read for yourself here.

Apparently, some of these devices are still around in special use cases and some of them may not have been updated, even now, 15 years after this issue came to light and more than 13 years after Mitre assigned it a 7.5 out of 10 risk rating and an associated CVE id. That, in itself, is simply shocking, but is not what this post is about.

This post is about the past 15 years since I first made the issue public. At that time, both the world of infosec and I were different. I still believed in open disclosure, for example. However, shortly after this vulnerability research experience, I started to choke back on that belief. Today, I still research and discover vulnerabilities routinely, but I handle them differently.
 
I work with the vendor directly, consult with their developers and project teams as much as they let me, and then allow them to work through fixing their products. Some of these fixes take a very, very long time and some of them are relatively short. Sometimes the vendors/projects give me or MicroSolved public credit, but often they do not. Both are OK under the right circumstances, and I am much happier when the vendors ask us if we want to be credited publicly, but I am content if they fix the problems we find in many cases. We do our very best to be non-combative and rational with all of them in our discussions. I think it is one of the reasons why application and device testing in our lab is so popular — better service and kindness go a long way toward creating working relationships with everyone.
 
Now, I don’t want to dig into the debate about open disclosure and non-disclosure. You may have different opinions about it than I do, and I am perfectly fine with that and willing to let you have them. I choose this path in vulnerability handling because in the end, it makes the world a safer place for all of us. And make no mistake, that’s why I do what I do nearly every day and have done what I have done for more than 20 years now in information security.
 
That’s really what this post is about. It’s about change and commitment. I’m not proud of releasing vulnerability data in 1997, but I’m not ashamed of it either. Times have changed and so have I. So has my understanding of the world, crime and security. But at the bottom of all of that change, what remains rock solid is my commitment to infosec. I remain focused, as does MicroSolved, on working hard every day to make the world a safer place for you and your family.
 
In November of 2012, MSI will enter its 20th year in business. Twenty years of laser focus on this goal, on the work of data protection, and on our customers. It’s an honor. There is plenty of tradition, and plenty of change to reflect on. Thanks to all of you for giving me the opportunity to do so.
 
Now that I have nostalgia out of the way, if you are still using those old routers (you know who you are), replace those things! 
 
As always, thanks for reading and stay safe out there! 

MicroSolved’s Strategies & Tactics Talk: #3 APT: Less Advanced Than You May Think

So how “advanced” is APT?

Listen in as our tech team discusses various aspects of APT such as:

  • How it has been portrayed.
  • Why it often isn’t an advanced threat
  • Where do they originate?
  • What can companies do about APT?

Panelists:

Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
Mary Rose Maguire, Moderator, Marketing Communication Specialist, MicroSolved, Inc.

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Keep Your Eyes on This Adobe 0-Day

A new Adobe exploit is circulating via Flash movies in the last day or so. Looks like the vulnerability is present across many Adobe products and can be exploited on Android, Linux, Windows and OS X.

Here is a link to the Dark Reading article about the issue.

You can also find the Adobe official alert here.

As this matures and evolves and gets patched, it is a good time to double check your patching process for workstation and server 3rd party software. That should now be a regular patching process like your ongoing operating system patches at this point. If not, then it is time to make it so.

Users of HoneyPoint Wasp should be able to easily any systems compromised via this attack vector using the white listing detection mechanism. Keep a closer than usual eye out for suspicious new processes running on workstations until the organization has applied the patch across the workstation environment.

Apache Tomcat; Firefox, Thunderbird Info Leak

Some vulnerabilities in Apache Tomcat have been discovered. These vulnerabilities could allow for the manipulation of an SSL session or the disclosure of session ID’s. Administrators running Tomcat should update to version 5.5.26 or 6.0.16.
Multiple vulnerabilities in Firefox, Thunderbird, and Seamonkey have been reported. These vulnerabilities could result in memory corruption, information exposure, directory traversal, and potentially other issues. A proof of concept exists for Firefox 2.0.0.12. Users should update their Mozilla software to the latest version, and keep an eye out for any additional updates to this issue.