With businesses dedicating more time and resource to cyber-security, deploying increasingly advanced and robust solutions, and networks becoming increasingly complex, you could be forgiven for thinking that most cyber-security breaches are the result of a vulnerability buried deep in the coding of a piece of software or application, that would take weeks or months to be uncovered and exploited. However the reality couldn’t be more different, and in our experience it is often basic oversight that leaves an organisation vulnerable.
These often simple errors can undermine the most advanced and complex security deployments, leaving a network vulnerable to attack. In my work as a penetration tester I see many of the same mistakes made time and time again. Let’s take a look at four of the most basic errors or oversights that we encounter during testing and that leave organisations unnecessarily vulnerable to a breach.
It has been well documented that weak passwords are the first target for attackers, especially once they have collected a cache of password hashes or usernames. As a result businesses are starting to tackle the issue, and are introducing measures to ensure that employees use appropriate passwords that offer a suitable level of security.
However password problems are not limited to mere strength. The issue of password sharing (employees using the same password for different logins) is often the undoing of many organisations during penetration testing. From an internal, company perspective this includes employees using the same password for general access to their machines and the network, as they do for more privileged, sensitive network areas and for logging into third party supplier portals. This not only makes any potential hackers’ job easier, as once he has the password he can use it to traverse the network, but also leaves a business vulnerable in the event of one of its suppliers being breached, with the attacker re-using the same credentials to access corporate systems.
To stress this point, our consultants often gain access to corporate systems on Penetration Tests from public ‘leaks’ of credentials from previous breaches of other companies’ systems that internal employees also use and are sharing passswords with. So it is vital that organisations encourage all employees to ensure they are using completely unique password for each system and service they use. In addition, this should also be promoted for any online services employees use outside of company systems, with each and every website or service you utilise having a unique password in place. There are many great password management tools available that can help with this process.
Exposed Administrative Interfaces
Most organisations that we visit go to great lengths to test their security policies and solutions internally to limit their exposure to the exploits of cyber-criminals. They will test code, integration with the network and other applications, but in paying meticulous attention to every detail they risk losing sight of the bigger picture, making an error that leaves them exposed.
The most common error that results from this mind-set is an administrative interface that is left exposed to attackers. As an example, I recently did a penetration test for a large organisation that had just launched a new website. Following initial testing the website appeared to have been well secured, but after further probing we were able to find the files for the test site, which included a link to an administrative interface with weak credentials set that enabled us to not only take complete control of the website but also gain access to the company network via compromise of the Web Server. While the developers and IT team had gone above and beyond to ensure the site wasn’t susceptible to other common attacks, or create a vulnerability for the wider business, one oversight had left an otherwise secure site vulnerable.
The key recommendation here is to ensure that all ‘test’ functionality is correctly removed before websites/systems are put into production. In addition, administrative interfaces should only ever be accessible from trusted networks (such as the LAN or the VPN) with strong credentials set for all accounts.
Unprotected Smart Devices
The Internet of Things is undoubtedly in its infancy and as a result organisations are still getting to grips with the implications of internet enabled ‘devices’ entering the business environment. This, however, has not prevented organisations permitting internet-connected appliances from being used within the business, creating a targetable soft spot within their network infrastructure.
As an example, some of our recent projects have demonstrated weaknesses in smart TVs that can be compromised in one of two ways: either via a Wi-Fi connection or quite commonly via its Bluetooth functionality. Such an attack can be originated from outside the physical perimeter. Once the TV is compromised it can be used as a stepping-stone into the corporate network or turned into a listening device for attackers to cultivate company information.
Organisations can avoid common weaknesses in smart devices by disabling unnecessary functionality (cameras/bluetooth/wifi etc) and keeping such devices up to date, just as they would any other corporate system. In addition to this, these devices should be secured like any other device, for example ensuring that default passwords/settings are changed.
Subverted Business Logic
The logic that is used by many IT teams when deploying a solution is to ensure that the latest piece of software integrates with existing systems, it delivers the innovation that helps achieve business goals and equally that it is protected by a layer of security. It almost resembles a flow chart of check-boxes, which in many cases reflects standard operating procedure for IT departments.
However this approach fails to take into consideration the logic that cyber-criminals will use when targeting an organisation and relies heavily on the assumptive thinking of those that have no intention of trying to infiltrate a network. As a result, when a hacker targets a company they are playing by a different set of rules and find ways to subvert the rationale of the development team, and look for ways to use the very technology designed to protect an organisation against them.
When deploying or developing new solutions and applications, organisations must approach the security from the perspective of a would-be attacker. By adopting this approach to security they will level the playing field and prevent vulnerabilities from appearing in the first place.
With business investing heavily in cyber-security, it is imperative that they don’t render it worthless by making basic oversights and mistakes. With these tips in mind businesses can help to ensure that they don’t fall foul of that one vulnerability they ‘forgot’.