So besides being well received at the two conferences we attended last week, we have already gotten several emails inquiring about our talk “Security that Works, Even on a Budget.” Namely, what the heck are we talking about?
So, to kick things off on our blog with a few more official entries, we’ve decided to cover a couple of the topics from the presentation here on our blog and news site.
Security That Works, Even on a Budget – Part 1 – Hacking Attempts:
For a quick background, many presentations and marketing events given by security vendors talk about the ever evolving threats and dangers coming from the bad guys, and typically site statistics from one or more of the following reports:
Within each of these reports, documented breaches are broken down into several categories and are assigned a root cause. The top two causes for the past several years are always Hacking Attempts and Malware, though they may change position on the charts from time to time.
After analyzing these reports, as well as leveraging our knowledge from performing penetration testing for well over 15 years now, we (DirectDefense) created a series of specific talking points and scenarios to cover the common ways we (and the “Bad Guys”) are breaking into companies and some simple common sense approaches to resolving these threats.
So with this in mind, let’s take a look at how we can resolve Hacking Attempts.
In the reports, numerous hacking attempts are cited as how a breach occurred. As penetration testers, we can tell you we constantly gain unauthorized access due to the following:
– Patching Vulnerabilities
- Operating system, database, and primary/secondary applications
– Configuration Vulnerabilities
- Default settings, default content and/or misconfiguration
- Default passwords and/or weak passwords
– Application Vulnerabilities
- Injection attacks (SQL, command, etc.) and business logic vulnerabilities
Now the truth about this list of vulnerabilities is that none of them are new threats. As an industry, we’ve been talking about patch and configuration management for well over 15 years now. We’ve been talking about password management since the beginning of computers, basically. So the only “new” threats are application vulnerabilities, which we’ve been talking about for only 10 years or so now.
So the sarcastic side of me would say that there are no new vulnerabilities, just new attack vectors against new technologies exploiting the same old tired vulnerabilities. But I digress.
To resolve hacking attempts and all the various types of vulnerabilities requires a process approach (to which there are no radical ideas here).
Step 1 – Identify your assets. Know what you are running on them and what type of data they contain, so that you can prioritize which systems need to be addressed based on the data they contain, and the services that could allow for a compromise.
How to Fix – If you do not have a budget, the best place to start is with a simple asset discovery scan using your organization’s vulnerability scanner. If you don’t already have a scanner, then download a copy of NMAP (free port and service tool). Take the results of your discovery scan and put them into a good old fashioned spreadsheet. You will not only want to log what systems are running within your environment and the services and versions they are running, but you will also want to log the asset owner, purpose of the system and services in use, and what type of data the systems stores. We cannot stress enough how invaluable this information is to have.
Step 2 – Patch your systems. Does your patch management strategy and solution cover the following?
Windows OSes, Linux/UNIX OSes, web server software, database software, email server software, SharePoint/Wiki software, Office Suites/applications, your home-grown applications, Winzip, antivirus software, Java, anything Adobe makes, etc.
If it does not, then you are going to struggle with protecting your systems and your data.
As penetration testers, we constantly see gaps in patch management strategies when we look outside of just the Windows OS environment. These are typically the same areas that are targeted by malware.
How To Fix – This one is not as easy to address when you are limited by budget, as there are some excellent enterprise patch management solutions out there today. The keyword being “Enterprise” – not just this or that OS or application.
But with that said, if you do not have the money to spare in your budget, learn to use the patching process for your various solutions. In the case of Linux OSes, nearly all of the modern solutions have their own version of “Windows Update.” Debian/Ubuntu have APT and RedHat derivatives have YUM. You can even schedule your updates.
Additionally, most vendors provide updated patching information on their support pages, so as a practice, designate someone within your organization to monitor those sites and provide a list of patches that need to be deployed on a monthly basis as a minimum effort to keep up-to-date on when you need to apply patches.
Step 3 – Learn to Harden Your Systems. The most common mistake with configuration management we see are the amount of systems and services that somehow made it into “production” with little to no post-installation configuration. All services, including web services, typically require 3-5 minutes of post-installation configuration tweaking to get them a bit more hardened or secure.
How to Fix – The most common configuration question we get asked is, “Where do we find a guide to properly configure this or that system or service?” The answer is to start with the CIS benchmarks.
They are an excellent starting point to learning how to properly harden common services and systems used by organizations today. The best part is that this type of information can be found for free or for a small membership fee.
Step 4 – Test yourself and fix any problems. With the proliferation of tools out there today, there is no reason to not be aware of your weaknesses. Vulnerability scanners for network and application vulnerabilities can be found for free that cover all of the easiest to find exploits or “low-hanging fruit” types of threats. Establish a vulnerability and remediation management program for yourself.
There are open source solutions, such as Seccubus, that allow you to extend their basic functionality and provide you with scheduling and trend reporting.
For application scanning, tools like Skipfish and Arachni do a good job and are free. Burp Suite is another solution that is pretty much the de facto tool used by everyone doing application testing and costs around $300.
Once you’ve identified your vulnerabilities, start fixing them. Remember step 1? Provide the scanning results and remediation information to the asset owner and work on getting things fixed.
Step 5 – Repeat the cycle. By going though all of these steps, you have basically established a security management process for your organization. Keep it up, and make it continual. Once a year is not continual or enough. You need to be testing your environment on a quarterly basis at the very least.
Best Approach Recommendation – Try to combine your efforts where possible. One of the main Return On Investment (ROI) points of buying a vulnerability management solution is that besides being able to test your various assets for security vulnerabilities, they typically come with some sort of asset management, ticketing, and configuration management solution bundled into the more expensive models. So when you get to the point that you have budget to obtain some tools, look for the ones that provide the most ROI for yourself and your organization.
Ultimately if you leverage the concepts we outlined above, you should be able to prevent most of the hacking attempts being leveraged by attackers and penetration testers. At the very least, you should be able to slow them down and possibly give yourself the ability to catch them in the act as they attempt more noisier attack vectors.
In Part 2, we will cover some common sense approaches to addressing the threat of malware.