How a recent DirectDefense physical penetration test of a national hotel chain, performed to assess its PCI compliance, demonstrated that thousands of credit card numbers could be stolen in 4 simple steps.
PCI compliance is required for any company that accepts credit or debit cards, or EBTs, and security requirements are based on the number of transactions a business performs each year. In the case of our client, a large national hotel chain, that would be somewhere around 6 million+ transactions per year!
Our client enlisted the services of DirectDefense to perform a comprehensive PCI penetration test of their external and internal PCI networking environments, to uncover any threats that could negatively affect their PCI compliance status or overall security posture, and to provide guidance and strategic support to resolve any identified issues.
The bottom line: We identified many vulnerabilities and weaknesses within the internal network environment that allowed us to uncover valid credentials for dozens of domain user accounts, which gave us access to thousands of files containing sensitive information such as unencrypted cardholder data.
Here’s how we did it in four steps, followed by four steps you can take to keep your company’s and users’ sensitive credit card data out of the hands of attackers and ensure PCI compliance!
Help Yourself to Some Clean Towels Along With our Guests’ Credit Card Information
Step 1: Obtaining Network Access
As part of our PCI Penetration Test, we visited one of the hotel properties to see if an attacker could gain network access due to a lack of physical security controls. It didn’t take long to gain access to the data room, which was connected to a housekeeping storage room by a door that was not locked and was missing both a large lower panel of the door as well as the dead latch on the lower doorknob. In addition, the housekeeping storage room (which acts as a buffer between the main corridor and the data room) was also not kept locked. Once inside the unlocked data closet, an attacker could connect to a switch within the closet and the rest would be history…
Hint: Deja Vu? This isn’t the first time we found the network in a linen closet… Read that story here!
In this case, although DHCP was not enabled on the local subnet, we were able to enumerate IP information by passively capturing ARP traffic that was broadcast on the network switch within the data closet. The consultant identified an unused IP address and configured a laptop to connect to the hotel’s internal network environment.
Due to relaxed segmentation between the hotel’s network segments, we were able to gain access to other network segments within the internal network environment such as the corporate headquarters network as well as another hotel’s datacenter.
Step 2: Enumerating the Domain
We then leveraged a vulnerability identified on the hotel’s domain controllers that allows anonymous enumeration of various information, including the domain password policy. We also discovered the presence of an NFS share that allowed unauthenticated access. After mounting the share, it was determined that it contained a variety of log files.
Digging through the log files revealed an assortment of information, including a large number of domain usernames. We obtained a sample of log files and cleaned them up to extract a list of potential domain usernames. In total, 2,716 usernames were obtained.
Step 3: Check for Common Weak Passwords
We took the list of obtained usernames and conducted a common weak password check, or “spray”, of all accounts. The check identified a large number of accounts configured with the passwords ‘[Hotel Name]1’ and ‘Password1’. Only two passwords were checked to avoid potentially locking out valid user accounts.
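A spray like the one above is designed to stay under the per-account lockout threshold, so per-account failure counters never fire; the signal a defender can key on is one source producing a failure for many distinct accounts in a short window, with only one or two tries per account. The detection below is an added example written for this post, not DirectDefense's tooling; the log lines are constructed in a simplified "timestamp source account outcome" shape, and the window and thresholds are this example's own assumptions.

```python
"""Password-spray detection over authentication logs (added example).

A spray tries one or two passwords against many accounts and stays under
the per-account lockout threshold. The signal is one source producing
failures for many distinct accounts inside a short window, with very few
attempts per account.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample (not a real log export). One source fails once against
# twelve accounts and then logs in as two of them; a second host is a user
# mistyping their own password, which must not be flagged.
SAMPLE_LOG = """\
2019-03-04T09:00:01 10.20.30.40 jsmith FAILURE
2019-03-04T09:00:02 10.20.30.40 mjones FAILURE
2019-03-04T09:00:03 10.20.30.40 rlee FAILURE
2019-03-04T09:00:04 10.20.30.40 akhan FAILURE
2019-03-04T09:00:05 10.20.30.40 pgarcia FAILURE
2019-03-04T09:00:06 10.20.30.40 tnguyen FAILURE
2019-03-04T09:00:07 10.20.30.40 dbrown FAILURE
2019-03-04T09:00:08 10.20.30.40 lchen FAILURE
2019-03-04T09:00:09 10.20.30.40 kpatel FAILURE
2019-03-04T09:00:10 10.20.30.40 swilson FAILURE
2019-03-04T09:00:11 10.20.30.40 cmiller FAILURE
2019-03-04T09:00:12 10.20.30.40 hdavis FAILURE
2019-03-04T09:01:00 10.20.30.40 jsmith SUCCESS
2019-03-04T09:01:30 10.20.30.40 rlee SUCCESS
2019-03-04T09:05:00 10.20.30.99 bwong FAILURE
2019-03-04T09:05:10 10.20.30.99 bwong FAILURE
2019-03-04T09:05:20 10.20.30.99 bwong FAILURE
2019-03-04T09:05:40 10.20.30.99 bwong SUCCESS
"""


def parse_line(line):
    """Split one record into (timestamp, source, account, outcome)."""
    ts, src, account, outcome = line.split()
    return datetime.fromisoformat(ts), src, account.lower(), outcome


def detect_spray(log_text, window=timedelta(minutes=30),
                 min_accounts=10, max_per_account=2):
    """Return one alert per source whose failures fit the spray pattern.

    Within some span of at most `window`, at least `min_accounts` distinct
    accounts must have failed from the source, and no single account more
    than `max_per_account` times (many tries on one account is brute force,
    a different detection). Thresholds are this example's assumptions.
    """
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e[0])
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[1]].append(ev)

    alerts = []
    for src, evs in by_source.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        best = None
        start = 0
        for end in range(len(failures)):
            # Shrink the window from the left until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_account = Counter(e[2] for e in failures[start:end + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                if best is None or len(per_account) > best["distinct_accounts"]:
                    best = {
                        "source": src,
                        "first_seen": failures[start][0],
                        "last_seen": failures[end][0],
                        "distinct_accounts": len(per_account),
                    }
        if best is not None:
            # Accounts that later authenticated from the spraying source are
            # the ones to treat as compromised and reset first.
            best["logins_after_spray"] = sorted(
                {e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= best["first_seen"]})
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the only alert is for 10.20.30.40 with twelve distinct accounts and two subsequent logins (jsmith and rlee); the three failures from 10.20.30.99 stay below the distinct-account threshold. On a real estate the same logic runs over Windows 4625/4624 events or RADIUS logs grouped by client address, and the `logins_after_spray` list is the reset queue.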
Step 4: Expanding Access in the Domain
None of the credentials obtained belonged to users with administrator privileges. However, we were able to leverage the credentials to obtain additional information about the domain, such as a list of domain administrators, as well as a list of file servers.
We tested the compromised credentials against one of the file servers and observed that numerous shares were available for READ/WRITE access. Using one of the compromised accounts, we were able to access network shares on the file server that contained a large amount of information.
One of the shares contained a folder named “Internal Audit”. Within this folder we discovered the presence of unprotected cardholder data in a Microsoft Excel document named “CardholderActivityReport”. BINGO! This file was discovered to contain thousands of credit card numbers accompanied by other data points such as full name, employee ID number, email address, cell phone, merchant name, and others.
Achieving PCI Compliance is Possible
The above scenario might sound grim, but the good news is that there are lots of quick fixes that an organization can make to improve their PCI compliance posture. Here are four strategic steps that you can take right now to better secure your PCI networking environment and put your business on the path to achieving PCI compliance:
Step 1: Physically Secure Your Network
It might seem obvious, but keep your networking equipment in a secured location that cannot be accessed by anyone other than authorized employees. Educate personnel on the importance of physical security and discourage the practice of circumventing physical security controls to allow convenient access to sensitive areas.
Step 2: Implement Egress Filtering & Network Segmentation
Ensure perimeter firewalls are securely configured to strictly control outbound connections initiated from within the internal network environment. Best practice is to implement a policy of access by “least privilege,” where ports are closed by default, and only opened upon examination of the business need, weighed against the security risks of the required access.
Segment the internal network environment based upon data classification policy. Ensuring strong network access controls exist between network segments of differing security levels helps to increase the overall security posture of the organization. Furthermore, this is an effective way to reduce the PCI assessment scope.
Step 3: Create Strong Passwords
Enforce stricter password policies to ensure strong passwords are required within the environment. Consider the use of passphrases instead of passwords. DirectDefense recommends implementing a fifteen (15) character minimum for domain accounts. Additionally, educate personnel on the subject of creating strong passwords and passphrases. Periodically audit password strength to ensure personnel are setting strong passwords and passphrases.
Hint: Learn all about creating strong, attacker-proof passwords in this 2-part blog series!
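A concrete way to apply the fifteen-character minimum recommended above, and to audit for the exact weak patterns found during this test (a common base word with a digit appended, or the hotel's own name with a digit appended), is a policy check run at password change and during periodic audits. The checker below is an added example, not DirectDefense's own tool; the fifteen-character minimum is the post's recommendation, while the base-word list, the leet-substitution map, the organisation-name check and the distinct-character threshold are this example's own assumptions, and "examplehotel" is a constructed placeholder for the brand name.

```python
"""Password-policy check for domain accounts (added example).

Enforces the fifteen-character minimum the post recommends, plus three
checks that are this example's own additions: the candidate must not be a
common base word dressed up with digits or symbols, must not be built from
the organisation's name (the "[Hotel Name]1" pattern), and must not be a
handful of repeated characters.
"""
import re

MIN_LENGTH = 15      # DirectDefense's recommendation from the post
MIN_DISTINCT = 6     # this example's own threshold

# Small illustrative list; a real deployment checks against a breached-
# password feed rather than this constructed set.
COMMON_BASE_WORDS = ("password", "welcome", "letmein", "changeme", "qwerty",
                     "summer", "winter", "spring", "autumn")

# Substitutions users typically make to satisfy complexity rules.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(candidate):
    """Lower-case, undo leet substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", candidate.lower().translate(LEET))


def check_password(candidate, org_terms=()):
    """Return (accepted, reasons).

    `org_terms` are lower-case words that identify the organisation, such as
    the hotel brand; the caller supplies them (constructed in the demo).
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    base = normalize(candidate)
    if any(word in base for word in COMMON_BASE_WORDS):
        reasons.append("common_base_word")
    if any(term in base for term in org_terms):
        reasons.append("contains_org_term")
    if len(set(candidate)) < MIN_DISTINCT:
        reasons.append("low_diversity")
    return (not reasons, reasons)


if __name__ == "__main__":
    # "examplehotel" is a constructed placeholder for the real brand name.
    for pw in ("Password1", "ExampleHotel1!!!", "P@ssw0rd2019!!!!",
               "correct horse battery staple"):
        print(repr(pw), check_password(pw, org_terms=("examplehotel",)))
```

Both passwords found in the test fail here: ‘Password1’ is too short and normalises to a common base word, and the ‘[Hotel Name]1’ form trips the organisation-term check even when padded past fifteen characters. The same function can run over a list of candidate passphrases during a periodic audit, so that the audit catches the pattern rather than only the individual password.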
Step 4: Properly Store Cardholder Data
Consider whether storing cardholder data is necessary to meet the needs of the business. Storing PAN data increases the organization’s scope of compliance. As such, cardholder data should not be stored unless absolutely necessary. If cardholder data, such as the full PAN, must be stored, ensure that valid technical controls are in place to protect the data in accordance with PCI DSS.
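Deciding whether cardholder data is being stored starts with finding it, and the “CardholderActivityReport” above is exactly the kind of file that ends up on a share without anyone classifying it. The scanner below is an added example, not DirectDefense's own tool: it walks a directory of text exports, pulls out digit runs that look like a PAN, keeps only those that pass the Luhn check and start with a plausible issuer digit, and records a masked form so the audit output does not become another copy of the data. The sample report is constructed and uses the public Visa and Mastercard test numbers; scanning spreadsheets directly would need a reader such as openpyxl, which is not used here.

```python
"""Find unprotected cardholder data in text exports on file shares (added example).

Audit step for the "Properly Store Cardholder Data" recommendation: locate
PAN-looking digit runs, validate them with the Luhn check, and report a
masked form rather than the full number.
"""
import os
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued
# to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")

# Constructed sample standing in for a CSV export of a report like the one
# the post describes. The card numbers are the public Visa/Mastercard test
# PANs; the last one fails Luhn, and the sixteen-digit reference column is
# not a card number.
SAMPLE_REPORT = """\
employee_id,full_name,email,merchant,card_number,reference
100234,Jane Doe,jane.doe@example.com,Front Desk,4111111111111111,1234567890123456
100871,Sam Roe,sam.roe@example.com,Restaurant,5555 5555 5555 4444,1234567890123456
100990,Ann Poe,ann.poe@example.com,Spa,4111-1111-1111-1112,9988776655
"""


def luhn_ok(digits):
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits so a finding can be triaged
    without the audit log carrying the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text):
    """Return masked PAN findings with their 1-based line numbers."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(1))
        # Major card brands begin with 3, 4, 5 or 6; Luhn weeds out IDs and
        # reference numbers that merely have the right length.
        if digits[0] in "3456" and luhn_ok(digits):
            hits.append({"line": text.count("\n", 0, m.start()) + 1,
                         "masked": mask(digits)})
    return hits


def scan_directory(root, extensions=(".csv", ".txt", ".log")):
    """Walk `root` and scan text files; returns {path: findings}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    findings[path] = hits
    return findings


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_REPORT):
        print(hit)
```

On the sample the scanner reports two findings (lines 2 and 3, masked as 411111******1111 and 555555******4444) and ignores the reference column and the number that fails Luhn. Every file it flags is either a storage location that needs the PCI DSS protections for stored PAN or, more often, data that should not be there at all.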
Is Your Organization PCI Compliant?
Don’t wait for an attacker to steal your users’ credit card information to find out the hard way! Enlist our team to perform a comprehensive PCI penetration test of your business to ensure your sensitive information is safe and sound. Contact us today.