TRANSCRIPT
© 2017 Crowe Horwath LLP
Guardians of the Strategy
How Well-Intentioned Cybersecurity Controls Backfire
Piotr Marszalik, Michelle Erickson
Agenda
• Who are we?
• Cybersecurity controls, insecure implementations, and vendor accountability
• Baby Groot's stories from 2016 and 2017 security audits
  • Next gen firewall
  • New core banking application; I need local admin rights
  • New logging application - what else was installed?
  • Local admin account reuse
  • Security camera software updates; where's my patch?
• For each example:
  1. Issue and risk identification
  2. Remediation, introduction of new more severe issues
  3. Looking under the hood, understanding the flaws
  4. Correct remediation
Baby Groot, the internal auditor for Guardian's Spaceship
Who are we?
• Piotr Marszalik
  • Information Security Consultant and Manager at Crowe Horwath
  • CISSP, OSCP, OSCE, CREST CRT
  • Speaker at BlackHat, DerbyCon
  • Red Team Member for the Midwest Regional Collegiate Cyber Defense Competition (MWCCDC)
• Michelle Erickson
  • Information Security Consultant at Crowe Horwath with experience in Penetration Testing and performing Infrastructure Cybersecurity Assessments.
The Crowe Horwath LLP cybersecurity team offers a comprehensive suite of solutions to identify and help you manage these risks so you can strengthen the confidentiality, integrity, and availability of organizational assets.
Cybersecurity Weaknesses
• Three common reasons for network security threats:
  • Technology weaknesses – HTTP vs. HTTPS
  • Policy weaknesses – Lack of Disaster Recovery Program
  • Configuration weaknesses – Ineffective Firewall Rules
What are the risks?
Security Misconfiguration
• Additional tools can introduce additional vulnerabilities or paths to compromise
• Misconfigured security tools may lead you to think you are protected when you are not
• Many tools run as privileged accounts, which increases the risk associated with their compromise
Examples
Next Generation Firewall
• 2016 Penetration Test
• Finding: Egress filtering is too permissive
• Risk: Low
• Recommendation: Make more granular rules for departments / groups, based on the principle of least privilege
  • Your marketing team needs access to social media
  • Some of your teams need access to cloud storage sites
• Solution: Install a "Next Generation Firewall"
Next Generation Firewall
• 2017 Penetration Test
• Finding: Assessors used your firewall to obtain control of the domain within one hour of coming on-site
• Risk: High
I am Groot?
What went wrong?
How does our next gen firewall work?
Rocket Raccoon's Laptop: I want to visit https://space-weapons.com
Firewall: Where is this request coming from? Who are you? Are you allowed to visit these types of websites?! I need to find out!!
Firewall (to Rocket Raccoon's Laptop): I'm logging in to this system to find out
Firewall: Yup, this is Rocket Raccoon's workstation alright. He is allowed to continue.
Where is the Vulnerability?
Rocket Raccoon's exploitation steps:
1. Attempt to visit a website
2. Wait for the firewall to fingerprint your machine
3. Capture the authentication traffic
4. Parse traffic to obtain encrypted credentials
5. Crack the password
Open Source and Free Tools!
• Wireshark
  • Used to capture all network traffic touching the workstation
  • https://www.wireshark.org
• Net-creds
  • Parses out sensitive data from Wireshark captured traffic
  • https://github.com/DanMcInerney/net-creds
• Hashcat
  • Password recovery tool. Takes in parsed data from net-creds
  • https://hashcat.net/hashcat
"But you will never crack my strong password!"
• Service accounts, especially when privileged, typically use strong passwords
• Raccoon (or Man)-in-the-Middle Attack (SMB Relay):
Participants: Firewall, Rocket Raccoon's Laptop (in the middle), Random Server Housing Sensitive Data
Firewall (to Rocket Raccoon's Laptop): "This is firewall. I want to login."
Rocket Raccoon's Laptop (relaying to Random Server Housing Sensitive Data): "This is firewall. I want to login."
Random Server Housing Sensitive Data (to Rocket Raccoon's Laptop): "Ok, I'll let you login. But first I'll give you a challenge to confirm you are authorized"
Rocket Raccoon's Laptop (relaying to Firewall): "Ok, I'll let you login. But first I'll give you a challenge to confirm you are authorized"
Firewall (to Rocket Raccoon's Laptop): "Of course. I have the answer to your challenge right here"
Rocket Raccoon's Laptop (relaying to Random Server Housing Sensitive Data): "Of course. I have the answer to your challenge right here"
Random Server Housing Sensitive Data (to Rocket Raccoon's Laptop): "ACCESS GRANTED. Welcome :)"
Rocket Raccoon's Laptop (to Firewall): "ACCESS DENIED. Try again ;)"
Secure Configuration
Rocket Raccoon's Laptop: I want to visit https://space-weapons.com
Firewall: Where is this request coming from? Who are you? Are you allowed to visit these types of websites?! I need to find out!!
Firewall (to the Domain Controller): Hey Domain Controller! I'm getting a request from someone. Who is this?
Domain Controller: Ah! That's Rocket Raccoon's workstation! He's allowed to continue.
Next Generation Firewall
• How can we configure this better?
• Investigate a secure configuration
• Instead of authenticating to individual endpoints, firewalls should only communicate with the Domain Controller
Cost of Remediation: $$$$ Remediation Difficulty: Easy
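Two checks a defender can run to confirm that the firewall really has moved to a domain-controller-only identity lookup. This is an added example, not material from the presentation or from any firewall vendor: the account name `svc-fw-userid` is a placeholder, and the statement that a DC-based integration needs only "Event Log Readers" is an assumption about the vendor's DC mode that must be verified against its documentation.

```powershell
# Added example, not from the presentation: audit the account a next-generation firewall
# uses for user-to-IP mapping. The account name is a placeholder; the 'Event Log Readers'
# requirement is an assumption about the vendor's DC-based mode (check its docs).
Import-Module ActiveDirectory

$FirewallAccount = 'svc-fw-userid'   # placeholder: the firewall's identity-mapping account

# 1. Directory privilege: direct membership in built-in admin groups is never needed
#    for reading logon events from a domain controller.
$adminGroups = 'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins',
               'Account Operators', 'Server Operators', 'Backup Operators'
$membership  = Get-ADPrincipalGroupMembership -Identity $FirewallAccount |
               Select-Object -ExpandProperty Name
$excessive   = $membership | Where-Object { $adminGroups -contains $_ }
if ($excessive) {
    Write-Warning "$FirewallAccount is in privileged group(s): $($excessive -join ', ')"
}
if ($membership -notcontains 'Event Log Readers') {
    Write-Host "$FirewallAccount is not in 'Event Log Readers'; DC log collection may need it."
}

# 2. Behaviour: run this part on a domain controller. Each Kerberos service-ticket
#    request (event 4769) by the account names the host it wanted a ticket for.
#    Tickets for ordinary workstations mean the firewall is still logging on to
#    endpoints, the pattern that was relayed in the earlier slides.
$dcNames = (Get-ADDomainController -Filter *).Name
$since   = (Get-Date).AddDays(-1)

$endpointTickets =
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $data['TargetUserName']              # e.g. svc-fw-userid@CONTOSO.LOCAL
            Service = $data['ServiceName'] -replace '\$$'  # host account WKS01$ -> WKS01
        }
    } |
    Where-Object {
        $_.User -like "$FirewallAccount@*" -and
        $_.Service -ne 'krbtgt' -and
        $dcNames -notcontains $_.Service
    }

$endpointTickets | Group-Object Service | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Endpoint'; e = { $_.Name } } | Format-Table -AutoSize
```

An empty table from step 2 after the reconfiguration, together with a clean result from step 1, is the evidence that the remediation on this slide actually took effect; a long list of workstation names means the endpoint-probing mode is still on.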
New Core Banking Application; I Need Local Admin Rights
• Background
  • Your company has purchased a new core banking application which all employees will be using
  • Vendor states that users must have local admin privileges on their workstation for the application to function
  • Solution: Add "Domain Users" group to local "Administrators" group
• 2017 Penetration Test
  • Finding: Users have excessive local administrative privileges
  • Risk: High
What went wrong?
Excessive Local Admin Group Membership
• "Domain Users" by default includes everyone within the organization
• The local administrator privilege allows the user to:
  • Disable installed security software (anti-virus)
  • Install malware and keylogging software
  • Access all files and installed programs
  • Collect credentials of recently logged in users – cached in memory
Excessive Local Admin Group Membership
• Putting “Domain Users” in the “Administrators” group gives each user administrative access to all computers on the domain.
• A user could log into anybody’s workstation and have access to all files and programs.
• How could this be done better?
Excessive Local Admin Group Membership
• Add individual users as administrators on only their machine
• Add ONLY users who actually need administrator privileges
• Cost: $$$$
• Remediation Difficulty: Moderate
[Figure: standard users contrasted with local admin users]
Excessive Local Admin Group Membership
• Configure only certain applications to run as administrator
  • Thycotic Privilege Manager
  • BeyondTrust – PowerBroker Privileged Access Management
  • CyberArk
• Cost: $$$$
• Remediation Difficulty: Moderate
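The audit and the narrow grant from the preceding slides, as an added example that is not part of the presentation: it lists the local Administrators group on a set of workstations, flags the broad groups that hand admin rights to everyone ("Domain Users" carries the well-known RID 513), and shows the per-person, per-machine grant the slide recommends. Host names `WKS-01`/`WKS-02` and the user `CONTOSO\rocket` are placeholders; it needs PowerShell remoting and the built-in LocalAccounts module on the targets.

```powershell
# Added example, not from the presentation: find broad groups inside the local
# Administrators group across workstations and replace them with narrow grants.
# Host and user names are placeholders.
$Computers = 'WKS-01', 'WKS-02'          # placeholder: your workstation inventory

# Well-known SIDs that stand for "everyone": Authenticated Users and Everyone.
$EveryoneSids = 'S-1-5-11', 'S-1-1-0'

$report = Invoke-Command -ComputerName $Computers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $_.Name            # e.g. CONTOSO\Domain Users
            ObjectClass = $_.ObjectClass     # User or Group
            Source      = $_.PrincipalSource # Local or ActiveDirectory
            Sid         = $_.SID.Value
        }
    }
}

# "Domain Users" always ends in -513 whatever the domain SID is.
$broad = $report | Where-Object {
    $_.Sid -like '*-513' -or $EveryoneSids -contains $_.Sid
}

"Local admin membership:"
$report | Format-Table Computer, Member, ObjectClass, Source -AutoSize
"Broad groups that grant admin to everyone:"
$broad  | Format-Table Computer, Member -AutoSize

# Remediation, one machine at a time. -WhatIf previews the change; drop it to apply.
foreach ($row in $broad) {
    Invoke-Command -ComputerName $row.Computer -ArgumentList $row.Member -ScriptBlock {
        param($member)
        Remove-LocalGroupMember -Group 'Administrators' -Member $member -WhatIf
    }
}

# The narrow grant the slide asks for: one named person, on their own machine only.
Invoke-Command -ComputerName 'WKS-01' -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member 'CONTOSO\rocket' -WhatIf
}
```

For a whole fleet the same membership is better enforced centrally, with a Group Policy "Restricted Groups" setting that defines the Administrators group on each machine, so that an ad hoc "add Domain Users" fix is reverted at the next policy refresh instead of surviving until the next penetration test.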
New Logging Application - What else was Installed?
• 2016 Penetration Test
• Finding: Logs are not being collected and centralized. No visibility into activity within the environment.
• Risk: Low
• Recommendation:
  • Implement a Security Information and Event Management (SIEM) technology.
  • Collect and store logs from all corporate systems within a centralized server.
  • Create rules and active alerts on potentially malicious activity
• Solution: Hire vendor to install and set up the technology
New Logging Application - What else was Installed?
• 2017 Penetration Test
• Finding: Assessors leveraged the newly installed services to obtain control of the domain within hours of coming on-site
• Risk: High
What was installed?
• Web application management console
  • Pulls in and reads log events from the storage server
  • Correlates events, ability to configure and manage rulesets
• Vendor set-up notes:
  • Application console access has been restricted to only authorized individuals
  • Database administrators have been restricted to authorized individuals
  • Service account "requires administrative privileges to function"
    • Configured using "Domain Admin" rights
• Backend database
  • Storage for the log data
Application vs. Database Accounts
• The logging application has been set up so employees log in with their network accounts
• The application is hardened so that only users that need access are able to log in
• However, the back end database for the application has its own local accounts…
Microsoft SQL Default Roles
• Sysadmin
  • Administrative group
  • Full access over all server databases and resources
• Public
  • Very limited access unless explicitly given permission
  • By default, allowed to execute some not inherently malicious queries (extended stored procedures)
  • Common default configuration is for it to consist of all users within the organization ("Domain Users" group)
Malicious Insider Exploitation Steps
Participants: Rocket Raccoon's Laptop, Web Application Management Console, Database
Rocket Raccoon's Laptop (to the Database): I have PUBLIC role access. Logging directly into the backend database
Database: Welcome Rocket!
Rocket Raccoon's Laptop: Please list for me all files that you can see on the below system: "Rocket Raccoon's Laptop"
Database: Sure!
Database (to Rocket Raccoon's Laptop): I'm logging in to this system to find out
Database: Done. Did not see anything interesting.
Vulnerability Mitigation
• Service accounts should NEVER be configured to use domain admin privileges
  • Delegation of authority
• Revoke the PUBLIC role for all domain accounts
• Limit default and potentially malicious extended stored procedures from the PUBLIC role
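The two database-side mitigations above, as an added example that is not from the presentation or the SIEM vendor: it lists the Windows-group logins that put the whole organization into PUBLIC, lists the extended stored procedures PUBLIC may execute, and revokes the ones that take a path argument, which is what turns a "list the files on that host" request into the service account logging on to that host. The instance name `SIEM-DB01` is a placeholder; `Invoke-Sqlcmd` comes from the SqlServer module.

```powershell
# Added example, not from the presentation: audit and trim what PUBLIC can do on the
# SIEM's backend SQL Server. Instance name is a placeholder.
Import-Module SqlServer
$Instance = 'SIEM-DB01'   # placeholder

# 1. Windows-group logins (type 'G') that make every employee a member of PUBLIC.
$broadLogins = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT name, type_desc, create_date
FROM sys.server_principals
WHERE type = 'G'
  AND (name LIKE '%\Domain Users'
       OR name = 'BUILTIN\Users'
       OR name LIKE '%\Authenticated Users');
"@
"Logins that grant the whole organisation access:"
$broadLogins | Format-Table name, type_desc, create_date -AutoSize

# 2. Extended stored procedures (sys.objects.type = 'X') in master that PUBLIC can run.
$publicExec = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT SCHEMA_NAME(o.schema_id) AS [schema], o.name
FROM sys.database_permissions AS dp
JOIN sys.objects AS o ON o.object_id = dp.major_id
WHERE dp.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND dp.permission_name = 'EXECUTE'
  AND dp.state = 'G'
  AND o.type = 'X'
ORDER BY o.name;
"@
"Extended procedures executable by PUBLIC:"
$publicExec | Format-Table schema, name -AutoSize

# 3. Revoke the procedures whose argument is a path. xp_dirtree and xp_fileexist accept
#    UNC paths, so the SQL service account authenticates to whatever host the caller
#    names. Extend this list after reviewing the output of step 2.
$revoke = 'xp_dirtree', 'xp_fileexist'
foreach ($row in $publicExec | Where-Object { $revoke -contains $_.name }) {
    $sql = "REVOKE EXECUTE ON [$($row.schema)].[$($row.name)] FROM [public];"
    Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $sql
    Write-Host "Revoked: $sql"
}
```

PUBLIC itself cannot be removed from a login, so "revoke the PUBLIC role for all domain accounts" in practice means dropping the broad logins step 1 reports (`DROP LOGIN [CONTOSO\Domain Users]`, after confirming no application depends on them) and granting individual DBAs and the SIEM's own service account their own logins instead.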
What if I can't make those changes?
• Raccoon/Man-in-the-Middle (SMB Relay) mitigating controls
• Strong service account password (random characters, 15+)
  • Prevents SMB capture and offline dictionary/bruteforce attacks
• Server Message Block (SMB) Signing
  • Communication digitally signed at the packet level
  • Prevents tampering of packets and man-in-the-middle attacks
Cost of Remediation: $$$$ Remediation Difficulty: Moderate
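The two compensating controls on this slide, checked and enforced on a host, as an added example that is not part of the presentation. The SMB part uses the built-in SmbShare cmdlets and must run elevated; the password-policy part uses the ActiveDirectory module, and the account name `svc-siem` is a placeholder.

```powershell
# Added example, not from the presentation: verify and enforce SMB signing on this host,
# then confirm the effective minimum password length for a service account.
# Run elevated; account name is a placeholder.

# --- SMB signing. The relay shown earlier only works while the target accepts
# --- unsigned sessions: 'Enable' merely offers signing, 'Require' refuses without it.
$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration
[pscustomobject]@{
    ServerRequiresSigning = $server.RequireSecuritySignature   # this host as an SMB server
    ClientRequiresSigning = $client.RequireSecuritySignature   # this host as an SMB client
} | Format-List

if (-not $server.RequireSecuritySignature) {
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
}
if (-not $client.RequireSecuritySignature) {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
# Domain-wide, the same two values come from Group Policy:
#   "Microsoft network server: Digitally sign communications (always)" = Enabled
#   "Microsoft network client: Digitally sign communications (always)" = Enabled
# (registry: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and
#  ...\LanmanWorkstation\Parameters, value RequireSecuritySignature = 1)

# --- Service account password (the slide asks for 15+ random characters).
#     A fine-grained password policy may apply; otherwise the domain default does.
Import-Module ActiveDirectory
$Account = 'svc-siem'   # placeholder
$pso = Get-ADUserResultantPasswordPolicy -Identity $Account
$min = if ($pso) { $pso.MinPasswordLength } else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength }
$u   = Get-ADUser -Identity $Account -Properties PasswordLastSet, PasswordNeverExpires
[pscustomobject]@{
    Account              = $Account
    EffectiveMinLength   = $min
    PasswordLastSet      = $u.PasswordLastSet
    PasswordNeverExpires = $u.PasswordNeverExpires
    MeetsSlideMinimum    = ($min -ge 15)
} | Format-List
```

Requiring signing on the client side protects the servers this host connects to; requiring it on the server side protects this host from relayed sessions. Both settings are needed, and a fleet that has only "Enable" set is, from the relay's point of view, unsigned.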
Local Administrator Password Reuse
• 2016 Penetration Test
• Finding: All workstations have the same local administrator account password
• Risk: Low
• Recommendation: Configure each machine to use a unique password
• Solution: Outsourced vendor fixes the problem by using Group Policy to configure unique local administrator passwords
Local Administrator Password Reuse
• 2017 Penetration Test
• Finding: Assessors obtained clear-text credentials for your local admin accounts within one hour of coming on-site
• Risk: High
What went wrong?
Local Administrator Password Reuse
• Local Administrator Account
  • Built-in account on the computer
  • Often used by IT to set up the computer before it is added to the domain
• Group Policy
  • Group Policy stores local administrator passwords encrypted in a central server (Domain Controller)
  • Everyone on the network has access to see the files that contain those encrypted passwords
• The passwords are encrypted! So what is the problem?
Local Administrator Password Reuse
• Microsoft published the encryption key
  • United States v. Microsoft Corporation (2001)
  • Microsoft is required to disclose application programming interfaces to third-party companies
• Encrypted Password + Key = Clear Text Password
Local Administrator Password Reuse
• Microsoft has released communication warning NOT to use group policy to set passwords
Local Administrator Password Reuse
• What should have happened?
  • Install Microsoft's patch to remove the ability to configure passwords through Group Policy
  • Run the Microsoft script to clean up existing passwords
  • Use a different method!
• Local Administrator Password Solution (LAPS)
  • Microsoft solution to the Group Policy vulnerability
• Disallow remote logon
• Disable local admin account
Cost of Remediation: $$$$ Ease of Remediation: Moderate
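A read-only sweep for the artifact the "Microsoft script" on this slide cleans up, as an added example that is not from the presentation or from Microsoft: it walks the domain's SYSVOL policy share and reports every Group Policy Preference file that still carries a non-empty `cpassword` attribute, with the owning GPO's name. It only reports; it neither decrypts nor edits anything. The file list follows Microsoft's MS14-025 guidance (KB2962486); the ActiveDirectory and GroupPolicy modules are assumed to be installed.

```powershell
# Added example, not from the presentation: find Group Policy Preference files in
# SYSVOL that still embed a cpassword value. Reports only; changes nothing.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = (Get-ADDomain).DNSRoot
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Preference types that can carry a password (per MS14-025 / KB2962486).
$prefFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'

$hits = Get-ChildItem -Path $policies -Recurse -Include $prefFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        [xml]$xml = Get-Content -LiteralPath $file.FullName -ErrorAction Stop
        # Any element, at any depth, with a cpassword attribute. An empty attribute
        # is what the cleanup leaves behind; a non-empty one is a finding.
        $xml.SelectNodes('//*[@cpassword]') |
            Where-Object { $_.cpassword -ne '' } |
            ForEach-Object {
                # The GPO GUID is the {…} directory component of the file path.
                $gpoGuid = ($file.FullName -split '\\') |
                           Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' } |
                           Select-Object -First 1
                [pscustomobject]@{
                    GpoName   = (Get-GPO -Guid $gpoGuid -ErrorAction SilentlyContinue).DisplayName
                    GpoGuid   = $gpoGuid
                    File      = $file.FullName
                    Target    = $_.ParentNode.name     # e.g. the local account the item manages
                    ChangedAt = $file.LastWriteTime
                }
            }
    }

if ($hits) {
    $hits | Format-Table GpoName, Target, File, ChangedAt -AutoSize
} else {
    "No Group Policy Preference file in $policies carries a cpassword value."
}
```

Every row is a password that anyone with read access to SYSVOL can recover, so each one should be removed from the preference item and the affected local accounts rotated, with LAPS (the next bullet on the slide) taking over the per-machine password from then on.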
Default Credentials
• Background
  • Your company has purchased a new security camera which the vendor has installed and configured for you
• 2017 Penetration Test
  • Finding: Penetration testers were able to guess the device password and make configuration changes
  • Risk: High
What went wrong?
Default Credentials
• Default device passwords are usually publicly available
• Vendors frequently re-use default passwords among different types of devices
Default Credentials
• Always change default credentials on devices before installing them on the network
• Vendors are starting to provide devices with randomized passwords, or enforcing a password change when you initially log in
• Cost: $$$$
• Remediation Difficulty: Easy!
• "But the passwords are hardcoded – I can't change them!"
Default Credentials
• Use internal network segmentation to prevent your users from directly accessing networking devices
  • Segment based on departments
  • Start with high risk segments
  • Separate the user segment from IT infrastructure
• Cost: $$$$
• Remediation Difficulty: Difficult
TAKEAWAYS
1. Understand new technology and test prior to deployment; there is no such thing as plug in and go.
2. What are the REAL vendor requirements? Are we following the principle of least privilege?
3. Are my security controls holistic?
4. Is ease of administration weakening my environment?
5. How do I deal with unfixable vulnerabilities?
Questions?
Crowe Horwath International is a leading international network of separate and independent accounting and consulting firms that may be licensed to use "Crowe," "Crowe Horwath" or "Horwath" in connection with the provision of accounting, auditing, tax, consulting or other professional services to their clients. Crowe Horwath International itself is a nonpracticing entity and does not provide professional services in its own right. Neither Crowe Horwath International nor any member is liable or responsible for the professional services performed by any other member. © 2016 Crowe Horwath International.
In accordance with applicable professional standards, some firm services may not be available to attest clients. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure
Piotr Marszalik
https://www.linkedin.com/in/piotrmarszalik
630.574.1623
Michelle Erickson, Consultant
https://www.linkedin.com/in/mnerickson/
312.966.3095
Thank You! Crowe Cybersecurity Watch Blog: https://www.crowehorwath.com/cybersecurity-watch