Peter Wood, Chief Executive Officer
First Base Technologies LLP
Pragmatic Network Security
Avoiding Real-World Vulnerabilities
Slide 2 © First Base Technologies 2014
Who is Peter Wood?
Worked in computers & electronics for 45 years
Founded First Base in 1989 (the first ethical hackers in UK)
Ethical hacker, security evangelist and public speaker
• Fellow of the BCS, the Chartered Institute for IT
• Chartered IT Professional
• CISSP
• Senior Member of the Information Systems Security Association (ISSA)
• 15+ year Member of ISACA, Member of the ISACA Security Advisory Group
• Member of the Institute of Information Security Professionals
• Member of the BCS Register of Security Specialists
• Deputy Chair of the BCS Information Risk Management and Audit Group
• UK Programme Chair for the Corporate Executive Programme
• Member of ACM, IEEE, First Forensic Forum (F3), Institute of Directors
• Member of Mensa
Who are First Base Technologies?
Penetration Testing & Ethical Hacking
• Web Application Testing
• Infrastructure Testing
• Network Security Testing
• Server Security Audits
• SCADA Security Testing
• PCI Penetration Testing
• Endpoint Testing
• Social Engineering
• Red Teaming
Security Consultancy & Awareness
• Risk Assurance
• Transformation Consultancy
• Cloud Security
• Architectural Reviews
• Awareness Consultancy
• Keynote Seminars
• Security Evangelism
• Multimedia Training
• White-hats.co.uk User Group
Background
• Network security testing since 1994
• Some problems just won’t go away
• Configuration problems persist
• Simple vulnerabilities are ignored
• New technologies introduce old problems
• Silver bullets still don’t work
• Too little time, money and people
Real and present danger
• We analysed the results from a series of network penetration tests over the past two years, in a variety of sectors including banking, insurance and retail
• We identified the most common vulnerabilities, how they can be exploited and the consequences for each business
• This presentation demonstrates in detail how criminals can take advantage of these weaknesses and how you can secure your networks using straightforward techniques.
Results of Analysis

| Category                                    | Percentage vulnerable |
|---------------------------------------------|-----------------------|
| Easily-guessed passwords                    | 36%                   |
| Immediate access to sensitive information   | 55%                   |
| Regular users able to access sensitive data | 36%                   |
| Default passwords giving admin access       | 55%                   |
| Default passwords giving remote control     | 18%                   |
| Missing patches giving root access          | 82%                   |
| SNMP read-write giving admin access         | 45%                   |
| Total vulnerable                            | 100%                  |

Sample: 11 large corporate organisations tested in the past 2 years
Stories from the front line
To put our experience in context, we decided to use a real example – because we believe a story is more compelling than bald facts
“The story you are about to hear is true; only the names have been changed to protect the ~~innocent~~ vulnerable.”
Step 1: Telephone pretexting
• Our tester (Charlie) called the reception desk at head office using a telephone number found using Internet searches
• He impersonated a real employee, using a stolen staff list
• He claimed to be new to the company and had forgotten his swipe card, but didn’t know the procedure for when he arrived at head office
• He was asked if he had any identification that he was a legitimate employee, and he said he did not
• He was told that he could sign in at the front desk
• He asked if he needed any information in order to sign in, and was told that he did not
Step 2: Physical access
• Both testers arrived at head office by taxi, bypassing security on the main gate
• Charlie entered main reception and told the receptionist that he had forgotten his swipe card, and had spoken to a receptionist on the telephone about this
• He was asked to sign in, which he did using the previously selected employee name
• He was given a staff visitor pass, which he used to go through the staff access barriers
Step 2: Physical access (cont’d)
• Charlie waited five minutes and then returned to main reception
• He met Harry there and told reception that he was there to sign Harry in as a visitor
• Neither Charlie nor Harry were asked for identification, and Harry was given a visitor pass
• They then walked to the second floor to assess the security of the board rooms, which were unlocked
• The security passes granted to both testers did not expire during the entire week of testing (we were informed that security passes should expire at the end of each day)
Step 3: Password guessing
• Windows domain account for a training room using password ‘Password2’ (simple guessing)
• Enumerated user list using training room account
• Brute force attack revealed lots of users using ‘Password1’
• Browsed a file store and found two spreadsheets containing user names and passwords
• Located an Administrator-level account using ‘Password3’
• Logged in to OWA using compromised account and found password to Oracle E-Business
• Used OWA to link real names to user names
Step 4: Sensitive data access
• Using an accounts user with password ‘Password4’, accessed company bank account information
• Connected to a server using RDP, found access to payroll data
• Connected again via RDP, using an account with Domain Admin privilege – able to access all folders and shares
• Gained access to salaries, financial strategy, directors’ data
• Logged in to OWA as a Finance Director, obtained sensitive email trails with CEO and other executives
• Obtained access to entire email archive
• Found credentials for MS-SQL databases in archive
Step 5: Extending access
• Connected to a domain controller using an Admin account
• Turned off the anti-virus software and dumped 11,000 password hashes for the entire domain
• Over 6,000 passwords were cracked:
  - 3% were based on the word ‘password’
  - 51% were eight characters in length or less
  - 89% began with a capital letter and ended with a number
  - 18% ended with the number ‘1’
• Any one of these accounts could be used without detection
• Policy required 7-character passwords and a 30-minute lockout after 5 failed logon attempts within 30 minutes
Step 6: Persistent access
• Found vulnerable HP Data Protector service, using a simple port scan (around 2,000 hosts)
• Exploited the service and installed a remote shell
• Connected to a machine in our offices, giving permanent root-level remote access to the server
Summary
• We gained access to head office without valid identification
• Access was maintained for a week and no-one questioned our identities
• Weak passwords gave access to 12 directors’ accounts, including the CEO
• Executive email accounts were accessed without detection
• Corporate data held on servers could be accessed, including directors and payroll shares and user areas for all staff
• We were able to read and edit key strategic planning data
• We obtained passwords for HR systems and Oracle E-Business
• We gained administrative control over thousands of systems in the domain
• We demonstrated persistent access, allowing remote access to the network from the Internet
Fix 1: Telephone pretexting
Staff should be trained to:
• Never reveal corporate or sensitive information in response to a phone call unless they have verified the caller
• Report any phone calls that they suspect might be social engineering attacks
Fix 2: Physical access
• Reception should deny access to anyone without valid identification
• Visitor passes should only be granted to visitors after they have been signed in by a staff member with a valid staff pass (not a temporary pass)
• Temporary and visitor security passes should expire at the end of each day, and should not allow access through the security gates after this period
Fix 3: Password guessing
• Users should be educated and encouraged to choose strong passphrases
• The domain password policy should enforce a minimum length of 14 characters, but does not need to enforce numbers, symbols or upper-case letters
• Account lockout thresholds can safely be increased as there is a negligible chance of brute forcing a valid passphrase
• Users should be educated not to store password details in plain text in personal folders
• User accounts and passwords should never be shared and service passwords should be secured in an encrypted vault
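The Step 5 breakdown of the cracked password list and the Fix 3 passphrase policy can both be checked with a few lines of code. The following is an added example, not code from the slides or from First Base Technologies: it classifies a password list into the four Step 5 categories (based on the word ‘password’, 8 characters or fewer, capital first and digit last, ending in ‘1’), applies the Fix 3 rule of a 14-character minimum with no complexity requirement, and works out how many online guesses per account the slide 13 lockout policy (5 attempts per 30 minutes) actually permits. The password list is constructed for illustration and the function names are this example's own.

```python
"""Password audit helpers (added example, not from the First Base slides).

Covers the Step 5 statistics over a cracked password list and the Fix 3
policy (14-character minimum, no complexity rules), plus the online-guessing
budget that a lockout policy allows. The sample list is constructed.
"""
import re
from collections import Counter

# Constructed sample of "cracked" passwords; not data from the engagement.
CRACKED = [
    "Password1", "Summer2014", "Welcome1", "password", "Qwerty12",
    "Liverpool9", "correct horse battery staple", "Jan2014!!", "Password2",
    "abc12345",
]

CATEGORIES = [
    "based on 'password'",
    "8 characters or fewer",
    "capital first, digit last",
    "ends with '1'",
]


def categorise(passwords):
    """Percentage of the list in each Step 5 category (a password can fall
    into several categories, so the figures need not sum to 100)."""
    counts = Counter()
    for p in passwords:
        if "password" in p.lower():
            counts[CATEGORIES[0]] += 1
        if len(p) <= 8:
            counts[CATEGORIES[1]] += 1
        if re.fullmatch(r"[A-Z].*[0-9]", p):
            counts[CATEGORIES[2]] += 1
        if p.endswith("1"):
            counts[CATEGORIES[3]] += 1
    return {c: round(100 * counts[c] / len(passwords)) for c in CATEGORIES}


def meets_policy(password, min_length=14):
    """Fix 3 policy: length only, no digit/symbol/upper-case requirement.
    Surrounding whitespace is stripped so padding cannot satisfy the rule."""
    return len(password.strip()) >= min_length


def guess_budget(threshold, window_minutes, days=365):
    """Maximum online guesses per account that a lockout of `threshold`
    attempts per `window_minutes` allows over `days` days, assuming the
    guesser always stays one attempt under the threshold."""
    windows = days * 24 * 60 // window_minutes
    return threshold * windows


def keyspace_fraction(guesses, length, alphabet_size):
    """Share of an exhaustive keyspace of `length` symbols that the guesses cover."""
    return guesses / alphabet_size ** length


if __name__ == "__main__":
    for cat, pct in categorise(CRACKED).items():
        print(f"{pct:3d}%  {cat}")
    print("compliant with 14-char policy:", [p for p in CRACKED if meets_policy(p)])
    # Slide 13 policy: 5 attempts per 30 minutes -> 87,600 guesses per account per year.
    print("online guesses per account per year at 5 per 30 min:", guess_budget(5, 30))
    # Raising the threshold tenfold still covers a vanishing share of a
    # 14-character lower-case-only keyspace (26**14).
    print("keyspace covered at 50 per 30 min:", keyspace_fraction(guess_budget(50, 30), 14, 26))
```

The budget calculation is what justifies the Fix 3 remark about lockout thresholds: even at ten times the slide 13 threshold the online budget is a negligible fraction of a 14-character keyspace. It also shows what the budget does not protect against: the Step 3 guesses succeeded because the passwords came from a tiny guessable set, which is why the length requirement and user education, not the lockout, are the fix.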
Fix 4: Sensitive data access
• User accounts, rights and share permissions should be audited regularly
• Rights and share access should only be provided to users with a proven business requirement to access that data
• Highly sensitive data should be encrypted as a second line of defence
Fix 5: Extending access
• See Fix 3!
Fix 6: Persistent access
• All services should be upgraded or patched to the latest version on all systems
• Regular vulnerability scans should be run to identify services at risk
• Services that are not required should be disabled
• Consideration should be given to deploying an intrusion detection system on key systems
• Regular log and alert monitoring should be implemented
Peter Wood, Chief Executive Officer
First Base Technologies LLP
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Twitter: @peterwoodx
Need more information?