By: Slade Griffin, Director of Security Assessments
Contextual Security Solutions | June 21, 2017 @ 10:56
I should start by identifying that I am not a blue teamer. I am not responsible for securing the intellectual property and data for any organization. This will be written from the perspective of someone who steals what you are trying to protect and my thoughts on how I would defeat those efforts. I will try to accompany any of the advice with metrics that you can also use.
Let’s start with the metrics based on our successes and failures as a penetration testing unit and then provide some quick wins that we feel would help improve any information security program. When social engineering is not involved, there has been great improvement in standard perimeter defense. Firewalls have good rulesets and almost everything is kept up to date in both version and patch management. Testing shows over 90% of the people we interact with are doing a great job at preventing us from gaining access externally. This changes drastically if social engineering is allowed. Phishing and pretexting net a credential over 90% of the time and the ability to log in remotely as that user is also almost always successful. This weakness stems from multiple dynamics in the modern corporate world ranging from ubiquitous remote access from anywhere in the world to the overuse of recreational browsing at work.
Quick wins for external security:
- Restrict who can log in from where. (Bob in HR probably doesn’t need to access your VPN or his email from Malaysia.)
- Require multi-factor authentication for ALL REMOTE ACCESS. (Expense should no longer be an excuse as 100% of your revenue is likely now tied to your information systems and data)
- Log and examine all communications between your internal network and the Internet. (A SIEM, and someone properly trained to tune and observe it, are needed.)
Internally, the things that are done so well from an external perspective do not carry over. Achieving domain administrator privileges and then locating sensitive data have become easier, primarily because of poor security practices. At least twice a quarter, missing patches allow privileged access to internal data, and some of those patches are from 2005. The second category that gets exploited is misconfiguration. Things are deployed that are not properly configured; examples include SMB issues, name service issues, and the use of default credentials. Once these are exploited, the lack of network segregation allows the discovery of sensitive data with quick searches. Although there are organizations that separate critical systems and data, they are not common.
Quick wins for internal security:
- Segregate sensitive systems and data to only those personnel who need access.
- Learn how to perform system hardening for the different platforms in use.
- Patch and update your systems and software.
- Log internal communications and alert the appropriate personnel on suspicious traffic. (Bob in HR should not be logging into the AD server and querying domain administrator accounts.)
- Possibly fire Bob
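The two "Bob in HR" cases above (a remote login from an unexpected country, and a non-admin account enumerating domain administrator groups) are exactly the kind of rule a SIEM should raise. As an added illustration that is not part of the original post, here is a small detector run over constructed log lines; the pipe-delimited format, the per-user country allowlist and the set of accounts allowed to query privileged groups are all assumptions for the example.

```python
from collections import namedtuple

# Constructed event shape: user|source_ip|country|action|target
LogEvent = namedtuple("LogEvent", "user source country action target")

# Assumption: where each user is normally allowed to log in from (quick win #1).
ALLOWED_COUNTRIES = {"bob.hr": {"US"}, "alice.it": {"US", "DE"}}
# Assumption: only the admin team may enumerate privileged AD groups.
PRIV_QUERY_ALLOWED = {"alice.it"}
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins"}


def check_event(ev):
    """Return alert strings for one event; an empty list means nothing suspicious."""
    alerts = []
    if ev.action == "vpn_login" and ev.country not in ALLOWED_COUNTRIES.get(ev.user, set()):
        alerts.append(f"remote login by {ev.user} from {ev.country} ({ev.source}) outside allowlist")
    if ev.action == "group_query" and ev.target in PRIV_GROUPS and ev.user not in PRIV_QUERY_ALLOWED:
        alerts.append(f"{ev.user} enumerated privileged group '{ev.target}' via {ev.source}")
    return alerts


def parse_line(line):
    """Parse one constructed pipe-delimited log line into a LogEvent."""
    return LogEvent(*line.strip().split("|", 4))


def scan(lines):
    """Run every rule over every non-empty line and collect the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_event(parse_line(line)))
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """
bob.hr|203.0.113.7|MY|vpn_login|-
bob.hr|10.0.5.12|US|group_query|Domain Admins
alice.it|198.51.100.3|DE|vpn_login|-
alice.it|10.0.1.2|US|group_query|Domain Admins
bob.hr|10.0.5.12|US|group_query|HR Staff
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
```

Only Bob's Malaysian VPN login and his Domain Admins lookup fire; Alice's admin activity and Bob's query of his own department group do not.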
As a leader, focus on developing the people, processes and technologies surrounding these 7 issues. Refine who owns them and how they will be performed before trying to buy the next box, system, or software application that will give you “actionable threat intelligence.” Do the basics well before trying to defend as if you’re protecting a nuclear launch code.
If you manage or are responsible for defining these technical initiatives and don’t understand how the underlying technologies work, you are at the mercy of any vendor you consult. If this is where you find yourself, learn the technologies. Many security vendors will teach you what you need to know and not try to sell you an assessment. How networks, applications, and systems work at their foundational level is where vulnerabilities are discovered and exploited. Learning this will help to remove some of the smoke and mirrors that can cloud program and purchasing decisions which are so common today.
If you have any questions regarding the content of this blog entry or are simply looking for some guidance on building/updating your information security program, please contact us directly at firstname.lastname@example.org.