Category Archives: Pen Testing & Vuln Mgmt

Hosting Providers Matter as Business Partners

Posted on by
1

Hosting providers seem to be an often overlooked exposure area for many small and mid-size organizations. In the last several weeks, as we have been growing the use of our passive assessment platform for supply chain assessments, we have identified several instances where the web site hosting company (or design/development company) is among the weakest links. Likely, this is due to the idea that these services are commodities and they are among the first areas where organizations look to lower costs.

The fall out of that issue, though, can be problematic. In some cases, organizations are finding themselves doing business with hosting providers who reduce their operational costs by failing to invest in information security.* Here are just a few of the most significant issues that we have seen in this space:
  • “PCI accredited” checkout pages hosted on the same server as other sites that are clearly under the control of an attacker
  • Exposed applications and services with default credentials on the same systems used to host web sites belonging to critical infrastructure organizations
  • Dangerous service exposures on hosted systems
  • Malware infested hosting provider ad pages, linked to hundreds or thousands of their client sites hosted with them
  • Poorly managed encryption that impacts hundreds or thousands of their hosted customer sites
  • An interesting correlation of blacklisted host density to geographic location and the targeted verticals that some hosting providers sell to
  • Pornography being distributed from the same physical and logical servers as traditional businesses and critical infrastructure organizations
  • A clear lack of DoS protection or monitoring
  • A clear lack of detection, investigation, incident response and recovery maturity on the part of many of the vendors 
It is very important that organizations realize that today, much of your risk extends well beyond the network and architectures under your direct control. Partners, and especially hosting companies and cloud providers, are part of your data footprint. They can represent significant portions of your risk, and yet, are areas where you may have very limited control. 
 
If you would like to learn more about using our passive assessment platform and our vendor supply chain security services to help you identify, manage and reduce your risk – please give us a call (614-351-1237) or drop us a line (info /at/ MicroSolved /dot/ com). We’d love to walk you through some of the findings we have identified and share some of the insights we have gleaned from our analysis.
 
Until next time, thanks for reading and stay safe out there!
 
*Caveat: This should not be taken that information security is correlated with cost. We have seen plenty of “high end”, high cost hosting companies with very poor security practices. The inverse is also true. Validation is the key…

Old School Google Hacking Still Works…

Posted on by
3

Did some old school Google hacking last night.

“Filetype:xls & terms” still finds too much bad stuff.

Check for it lately for your organization?

Try other file types too. (doc/ppt/pdf/rtf, etc.)

Information leakage happens today, as it always has. Keeping an eye on it should be a part of your security program.

Clients Finding New Ways to Leverage MSI Testing Labs

Posted on by
2

Just a reminder that MSI testing labs are seeing a LOT more usage lately. If you haven’t heard about some of the work we do in the labs, check it out here.

One of the ways that new clients are leveraging the labs is to have us mock up changes to their environments or new applications in HoneyPoint and publish them out to the web. We then monitor those fake implementations and measure the ways that attackers, malware and Internet background radiation interacts with them.

The clients use these insights to identify areas to focus on in their security testing, risk management and monitoring. A few clients have even done A/B testing using this approach, looking for the differences in risk and threat exposures via different options for deployment or development.

Let us know if you would like to discuss such an approach. The labs are a quickly growing and very powerful part of the many services and capabilities that we offer our clients around the world! 

Social Media Targeting: A Cautionary Tale

Posted on by
Reply

I was recently doing some deep penetration testing against an organization in a red-team, zero knowledge type exercise. The targets were aware of the test at only the highest levels of management, who had retained myself and my team for the engagement. The mission was simple, obtain either a file that listed more than 100 of their key suppliers, or obtain credentials and successfully logon to their internal supply system from an account that could obtain such a file.

Once we laid some basic groundwork, it was clear that we needed to find the key people who would have access to such data. Given the size of this multi-national company and the thousands of employees they had across continents, we faced two choices – either penetrate the network environment and work our way through it to find and obtain the victory data and/or find a specific person or set of persons who were likely to have the data themselves or have credentials and hack them get a shortcut to victory.
 
We quickly decided to try the shortcut for a week or less, preserving time for a hack the network approach should we need it as a backup. We had approximately 6 weeks to accomplish the goal. It turned out, it took less than 6 hours…
 
We turned our TigerTrax intelligence & analytics platform to the task of identifying the likely targets for the shortcut attack. In less than 30 minutes, our intelligence team had identified three likely targets who we could direcly link to the internal systems in question, or the business processes associated with the victory condition. Of these three people, one of them was an extensive participant in their local dance club scene. Their social media profile was loaded with pictures of them dancing at various locales and reviewing local dance clubs and DJs. 
 
A plan was quickly developed to use the dance club angle as an approach for the attack, and a quick malware serving web site was mocked up to look like an new night club in the target’s city. The team them posted a few other sites pointing to a new club opening and opened a social media account for the supposed club’s new name. The next day, the penetration team tested the exploits and malware against the likely OS installs of the victim (obtained from some of their social media data that was shared publicly). Once the team was sure the exploits and malware were likely to function properly, the club’s social media account sent a tweet to the account of the target and several other people linked to the club scene, inviting them to a private “soft opening” of the club — starring the favorite DJ of the target (obtained from his twitter data). Each person was sent a unique link, and only the target’s link contained the exploit and malware. Once the hook was delivered, the team sat back and waited a bit. They continued to tweet and interact with people using the club’s account throughout the rest of the day. Within hours, the target followed the club’s account and visited the exploit site. The exploit worked, and our remote access trojan (RAT) was installed and connected back to us.
 
It took the team about an hour to hoover through the laptop of the target and find the file we needed. About the same time, an automated search mechanism of the RAT returned a file called passwords.xls with a list of passwords and login information, including the victory system in question. The team grabbed the victory files, screen shotted all of our metrics and data dashboards and cleaned up after themselves. The target was none the wiser.
 
When we walked the client through this pen-test and explained how we performed our attack, what controls they lacked and how to improve their defenses, the criticality of social media profiling to attackers became crystal clear. The client asked for examples of real world attackers using such methods, and the team quickly pulled more than a dozen public breach profiles from the last few years from our threat intelligence data.
 
The bottom line is this – this is a COMMON and EFFECTIVE approach. It is trivial for attackers to accomplish these goals, given the time and will to profile your employees. The bad guys ARE doing it. The bigger question is – ARE YOU?
 
To learn more about our penetration testing, social engineering and other security testing services, please call your account executive to book a free education session or send us an email to info@microsolved.com. As always, thanks for reading and until next time, stay safe out there!

Ask The Experts: Why Do Security Testing of Internal Computer Networks?

Posted on by
Reply

Most organizations have realized the need to have vulnerability assessments of their internet-facing (external) computer networks performed periodically. Maybe they are alarmed by all the data compromises they hear about on the news or perhaps they are subject to regulatory guidance and are required to have vulnerability assessments done. But many organizations draw the line there and never have the security of their internal networks tested. This is a mistake! At least it’s a mistake if your goal is actually to protect your computer systems and the private information they store and process.

It is true that the most attacks against information systems come from external attackers, but that does not mean the internal threat is negligible. About one sixth of data compromises are due to employees and privileged insiders such as service providers and contractors. But there are many other reasons for testing the security of your internal networks besides the internal threat. For one thing, once cyber-criminals find a hole in your external defenses they are suddenly “insiders” too. And if your internal systems are not configured correctly, hardened and monitored, it becomes trivial for these attackers to own your systems and compromise all the private information you have.

The type of testing that gives you the most bang for the buck is internal vulnerability assessment. Doing this type of testing regularly has many benefits. One benefit that people usually don’t associate with internal vulnerability assessment is that it can be used to make maps and inventories of the network. These are essentials of information security. After all, if you don’t know what you have on your network and where it is, how can you protect it? Another benefit is that it allows you to view your internal network with perspective. In other words, it lets you see it the way an attacker would. It will reveal:

  • Access control issues such as default and blank passwords mistakenly left on the network during administration, open files shares or anonymous FTP sites that may contain private data or user accounts that are suspicious or inappropriate.
  • Systems that are missing security patches or that are running out of date software or operating systems that are no longer supported by the vendors.
  • Systems that have been misconfigured or that reveal too much information to unauthorized users.
  • Ports that are inappropriately left open or dangerous services such as Telnet or Terminal Services present on the network.
  • Poor network architecture that fails to properly segment and enclave information assets so that only those with a business need can access them.
  • How well third party systems present on your network are patched, updated and secured.

Also, from a business perspective, performing regular internal vulnerability assessments shows your customers that you are serious about information security; a factor that could influence them to choose your organization over others.

In addition to vulnerability testing, it is also more than just desirable to have penetration testing of the internal network performed occasionally. While vulnerability assessment shows you what flaws are available for attackers to exploit (the width of your security exposure), penetration testing shows you what attackers can actually do with those flaws to compromise your systems and data (the depth of your security exposure). Internal penetration testing can:

  • Reveal how attackers can exploit combinations of seemingly low risk vulnerabilities to compromise whole systems or networks (cascading failures).
  • Show you if the custom software applications you are using are safe from compromise.
  • Show you not only what is bad about your network security measures, but what is working well (this can really save you money and effort by helping you chose only the most effective security controls).

One other type of penetration testing that is well worth the time and expense is social engineering testing. As network perimeters become increasingly secure, social engineering techniques such as Phishing emails or bogus phone calls are being used more and more by attackers to gain a foothold on the internal network. We at MSI are very aware of just how often these techniques work. How well do you think your employees would resist such attacks?

Thanks to John Davis for this post.

Co-Op & Municipal Utilities Get Discounts in July

Posted on by
4

Attention Co-Op & Municipal utilities — MSI is offering discounts to your organizations on professional services (policy/process, assessments, pen-testing, etc.), lab services (device & AMR/AMI assessments, threat assessments, etc.) and HoneyPoint Security Server for the month of July. Book the business before July 31’st and have the work/implementation completed before December 31st of 2014 and you receive a discount up to 30% off!

Do you need pen-testing against your business network? Need web app assessments on billing or payment systems? Have a call for risk assessments, smart grid device testing or fraud testing against your meters and field gear? All of this and more qualifies!

Check out our ICS/SCADA specific services by clicking here!

Give Allan Bergen a call today at 513-300-0194 to learn more about our program. We truly appreciate the hard work and dedication that Co-op and Municipal utility teams do, and we look forward to working with you! 

Tool Review: Lynis

Posted on by
1

Recently, I took a look at Lynis, an open source system and security auditing tool. The tool is a local scanning tool for Linux and is pretty popular.

Here is the description from their site:
Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues will be provided in the form of a suggestion or warning. Beside security related information it will also scan for general system information, installed packages and possible configuration errors.

This software aims in assisting automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read only storage is possible (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.

Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:
– Available authentication methods
– Expired SSL certificates
– Outdated software
– User accounts without password
– Incorrect file permissions
– Configuration errors
– Firewall auditing 

As you can see, it has a wide range of capabilities. It is a pretty handy tool and the reporting is pretty basic, but very useful.

Our testing went well, and overall, we were pleased at the level of detail the tool provides. We wouldn’t use it as our only Linux auditing tool, but is a very handy tool for the toolbox. The runs were of adequate speed and when we tweaked out the configs with common errors, the tool was quick to flag them. 

Overall, we would give it a “not too shabby”. 🙂 The advice is still a bit technical for basic users, but then, do you want basic users administering a production box anyway? For true admins, the tool is perfectly adequate at telling them what to do and how to go about doing it, when it comes to hardening their systems.

Give Lynis a try and let me know what you think. You can give me feedback, kudos or insults on Twitter (@lbhuston). As always, thanks for reading! 

MSI Announces New Business Focused Security Practice

Posted on by
2

At MSI, we know security doesn’t exist for its own sake. The world cares about business and so do we. While our professional and managed service offerings easily empower lines of business to work with data more safely, we also offer some very specific business process focused security services.

 

Attackers and criminals go where the money is. They aren’t just aiming to steal your data for no reason, they want it because it has value. As such, we have tailored a specific set of security services around the areas where valuable data tends to congregate and the parts of the business we see the bad guys focus on most.

 

Lastly, we have also found several areas where the experienced eyes of security experts can lend extra value to the business. Sometimes you can truly benefit from a “hacker’s eye view” of things and where it’s a fit, we have extended our insights to empower your business.

 

Here are some of the business focused offerings MSI has developed:

 

  • Mergers & Acquisitions (M&A) practice including:
    • Pre-negotiation intelligence
    • Pre-integration assessments
    • Post purchase threat intelligence
  • Accounting systems fraud testing
  • ACH & wire transfer security validation
  • End-to-end EDI (Electronic Data Interchange) security testing
  • Business partner assessments
  • Supply chain assessments
  • Executive cyber-protection (including at home & while traveling abroad)

MSI knows that your business needs security around the most critical data and the places where bad guys can harm you the worst. We’ve built a wide variety of customized security solutions and offerings to help organizations harden, monitor and protect the most targeted areas of their organization. At MSI, we know that information security means business and with our focused security offerings, we are leading the security community into a new age.

 

At a Glance Call Outs:

Variety of business focused services

M&A offerings

Assessments of systems that move money

Fraud-based real world testing

Business partner & supply chain security

Executive protection

 

Key Differentiators:

Focused on the business, not the technology

Reporting across all levels of stakeholders

Specialized, customizable offerings

Capability to emulate & test emerging threats

Thought leading services across your business


Three Talks Not To Miss at DerbyCon

Posted on by
4

 

Here are three talks not to miss this year at DerbyCon:

1. Bill Sempf (@sempf) presents a talk about pen-testing from a developer’s point of view. (PS – He has a stable talk too, catch it if you sell stuff in the Windows store) His work is great and he is a good presenter and teacher. Feel free to also ask him questions about lock picking in the hallways. He is a wealth of knowledge and usually friendly after a cup of coffee in the morning. Beware though, if he asks you to pick the lock to get to the pool on the roof… This talk is Saturday at 6pm. 

2. Definitely catch @razoreqx as he talks about how he is going to own your org in just a few days. If you haven’t seen his bald dome steaming while he drops the knowledge about the nasty stuff that malware can do now, you haven’t lived. I hear he also may give us a bit of secret sauce about what to expect from malware in the next 6 months. You might wanna avoid the first couple of rows of seating in this talk. He often asks for “voluntolds” from the audience and you might not look good in the Vanna White dress… His chrome dome presents on Friday at 7pm.

3. Don’t miss the Keynote by @hdmoore. His keynotes are always amazing and this time it appears he is going to teach you how to port scan the entire Internet, all at once and all in an easy to manage tool and timeframe. He probably will astound you with some of his results and the things he has seen in his research. It’s worth it! The Keynote is Friday at 9am. Yes, 9am in the morning. It rolls around twice a day now… I know… 🙂

Lastly, if you want to see me speak, you can find me on Friday at 1pm as I discuss and unveil the Stolen Data Impact Model (SDIM) project. Check it out! 

PS – There will be plenty of hallway talk and shenanigans at the con. Come out and sit down and chat. I can’t wait to talk to YOU and hear what you have to say about infosec, threats, the future or just what your thoughts are on life. Seriously… I love the hang out. So, drop down next to me and have a chat! See you this weekend!

 PSS – Yes, I might wear my “hippy hacker”/”packet hugger” shirt. Don’t scream “Packet Hugger” at me in the hallway, please, it hurts my feelings…. 

Ask The Experts: New Device Check Lists

Posted on by
2

This time around on Ask The Experts, we have a question from a reader and it got some great responses from the team:

 

Q: “I need a quick 10 item or less checklist that I can apply to new devices when my company wants to put them on our network. What kinds of things should I do before they get deployed and are in use around the company?”

 

Bill Hagestad started us off with:

The Top 10 checklist items a CISO/or equivalent authority should effectively manage before installing, configuring and managing new devices on a network includes the following;

 

1)Organize your staff and prepare them for the overall task of documenting and diagramming your network infrastructure – give them your commander’s network management intent;

2)Create a physical and logical network map – encourage feedback from your team regarding placement of new hardware and software;

3)Use industry standards for your network including physical and logical security, take a good look at NIST Special Publication SP 800-XX Series;

4)Make certain that you and your team are aware of the requisite compliance standards for your business and industry, it will help to ensure you are within legal guidelines before installing new devices or perhaps you may discover the hardware or software you are considering isn’t necessary after all;

5)Ensure that after you have created the necessary network maps for your infrastructure in Step 2) above, conduct a through inventory of all infrastructure which is both critical and important to your business, then document this baseline;

6)Create a hardware/software configuration change procedure; or if you already have his inlace, have your team review it for accuracy; make certain everyone on the team knows to document all changes/moves/additions on the network;

7)Focus not only on the correlation of newly implemented devices on the internal networks but also look at the dependencies and effects on external infrastructure such as voice/data networks – nothing worse than making an internal change to your network and having your Internet go down unnecessarily;

8)Ensure that new network devices being considered integrate gracefully into your existing logging and alerting mechanisms; no need to install something new only to have to recreate the proverbial wheel in order to monitor it;

9)Consider the second & third order effects of newly installed devices on the infrastructure and their potential impact on remote workers and mobile devices used on the network;

10)Install HoneyPoint Security Server (HPSS) to agentlessly & seamlessly monitor external and potential internal threats to your newly configured network….

 

Of course a very authoritative guide is published by the national Security Agency called appropriately “Manageable Network Plan” and available for download @:

 

http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf


Jim Klun added:

1. Make sure the device is necessary and not just a whim on the part of management.   Explain that each new device increases risk. 

2. If the device’s function can be performed by an existing internal service, use that service instead. 

3. Inventory new devices by name, IP addresses, function and – most importantly – owners.  There should be a device owner and a business owner who can verify continued need for the device.  Email those owners regularly,   querying them about continued need. Make sure that these folks have an acknowledged role to support the application running on the devices and are accountable for its security. 

4. Research the device and the application(s) its support.  Have no black boxes in your datacenter.  Include an abstract of this in the inventory. 

5. Make sure a maintenance program is in place – hold the app and device owner accountable. 

6. Do a security audit of the device wehn fully configured. Hit it with vulnerability scanners and make sure that this happens at least quarterly. 

7. Make sure monitoring is in place and make very sure all support staff are aware of the device and any alerts it may generate. Do not blind-side the operations staff. 

8. If the device can log its activities ( system and application ) to a central log repository, ensure that happens as part of deployment. 

9. Make sure the device is properly placed in your network architecture. Internet-exposed systems should be isolated in an Internet DMZ.  Systems holding sensitive data should similarly be isolated. 

10. Restrict access to the device as narrowly as possible. 

 

Finally.. if you can, for every device in your environment, log its network traffic and create a summary of what is “normal” for that device.  

Your first indication of a compromise is often a change in the way a system “talks”. 

 

Adam Hostetler chimed in with: 

Will vary a lot depending on device, but here are some suggestions

 

1. Ensure any default values are changed. Passwords, SNMP strings, wireless settings etc.

2. Disable any unnecessary services

3. Ensure it’s running the latest firmware/OS/software

4. Add the device to your inventory/map, catalog MAC address, owner/admin, etc.

5. Perform a small risk assessment on the device. What kind of risk does it introduce to your environment? Is it worth it?

6. Test and update the device in a separate dev segment, if you have one.

7. Make sure the device fits in with corporate usage policies

8. Perform a vulnerability assessment against the device. 

9. Search the internet for any known issues, vulnerabilities or exploits that might effect the device.

  1. Configure the device to send logs to your logging server or SEIM, if you have one.

 

And John Davis got the last word by adding: 

From a risk management perspective, the most important thing a CISO needs to ensure is in place before new devices are implemented on the network is a formal, documented Systems Development Life Cycle or Change Management program. Having such a program in place means that all changes to the system are planned and documented, that security requirements and risk have been assessed before devices have purchased and installed, that system configuration and maintenance issues have been addressed, that the new devices are included in business continuity planning, that proper testing of devices (before and after implementation on the network) is undertaken and more. If a good SDLC/Change Management program is not in place, CISOs should ensure that development and implementation of the program is given a high priority among the tasks they wish to accomplish.

 

Whew, that was a great question and there is some amazing advice here from the experts! Thanks for reading, and until next time, stay safe out there! 

 

Got a question for the experts? Give us a shout on Twitter (@microsolved or @lbhuston) and we’ll base a column on your questions!