By Luke Potter, Operations Manager, SureCloud
They say there's no reward without risk, but try telling that to the IT teams who have their work cut out dealing with the daily deluge of threats to their networks. Even though security information and event management products can help make sense of the overwhelming amount of threat data, they’re only part of an organisation’s security controls. Network defences need to be regularly checked and tested to ensure that there are no holes in the armour that a hacker could exploit. Here are six basic but essential steps that all organisations can take to minimise the risks of giving an attacker an easy entry point.
It’s important for firewall configurations to be regularly reviewed and independently audited to ensure that only the absolutely necessary configuration is active. When performing external penetration testing, we commonly see remote management services exposed to the public internet rather than being correctly filtered to only permit access from ‘trusted’ networks such as the LAN or VPN.
Along with checking the firewall configuration, it is important to check that segregation is working effectively across all network egress and ingress points. Businesses should check for network anomalies arising from the segregation between servers and clients. If cardholder data environments, or other secure enclaves, are insufficiently segregated, an attacker could access them by stepping across through compromised systems – as happened in the 2013 Target breach, where hackers first compromised a third-party supplier’s network before jumping across onto Target’s and eventually breaching the POS network.
Username enumeration and strong passwords
Some of the common findings on the internal penetration tests we perform include file shares without appropriate permissions and the ability to enumerate usernames due to incorrectly configured Windows domain services. These flaws often lead to privileges being gained on the network. Organisations need to ensure that all users set strong passwords that go beyond simply meeting the current password complexity criteria. We regularly see organisations which have best-practice password policies, but still have users employing weak ones such as ‘Password01’, just to meet the policy. Organisations must encourage users to take the time to set a suitably complex password, and then test passwords regularly to ensure that they are sufficiently strong.
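The check below is an added example, not code from the article or from SureCloud: it shows why ‘Password01’ passes a typical complexity policy yet should still be rejected when a user sets it. The base-word list, the substitution table, the three-of-four-classes rule and all function names are assumptions made for illustration.

```python
import re

# Constructed sample of base words seen in weak passwords (assumption, not
# exhaustive; extend with the company name, site names, seasons and so on).
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "summer", "winter", "admin"}

# Undo common character substitutions before comparing against base words.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_complexity(pw, min_len=8):
    """Assumed policy: minimum length plus three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and sum(bool(re.search(c, pw)) for c in classes) >= 3


def weak_reasons(pw, username=""):
    """Return reasons a candidate password is weak even if it meets the policy."""
    reasons = []
    # Strip the trailing digits/symbols users append just to satisfy the policy.
    core = re.sub(r"[\d\W_]+$", "", pw).lower()
    if core in COMMON_BASES or core.translate(LEET) in COMMON_BASES:
        reasons.append("common base word with predictable suffix")
    if username and username.lower() in pw.lower():
        reasons.append("contains username")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a year")
    return reasons


def audit(pw, username=""):
    """Classify a candidate password at the point where the user sets it."""
    if not meets_complexity(pw):
        return "rejected-by-policy"
    return "weak-despite-policy" if weak_reasons(pw, username) else "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["Password01", "P@ssw0rd!", "password", "correct-Horse-battery-9-staple"]:
        print(f"{candidate!r}: {audit(candidate)}")
```

Because it runs on the candidate password at set time, this check needs no access to stored credentials.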
Weaknesses and vulnerabilities in web applications are quickly becoming one of the main attack vectors through which organisations are compromised. The main threats usually found within clients’ applications are SQL Injection, Cross-Site Scripting and Parameter Tampering attacks. Along with regular web application penetration testing, all applications should be securely coded using an appropriate methodology, such as the Open Web Application Security Project (OWASP) secure coding guidelines. Whilst performing a review of applications, checks could also include ensuring that no dynamic queries are used in application code, that input validation and sanitisation are correctly implemented, and that authority checks are present for all user-controllable input.
Be careful with admin privileges
One common misconfiguration is assigning excessive privileges to users and network service accounts. Doing so potentially results in admin authentication tokens and Domain Admin credentials being present on all computers where these services are used. If a single domain member is compromised where one of these accounts has been used, it’s often easy to escalate privileges to that of Domain Administrator. Organisations need to ensure that Domain Administrator privileges are used only for administering domain controllers. As a general rule, IT staff and service accounts should only be assigned local administrator access to the systems which they require access to. Organisations also need to ensure that domain token caching is prevented across the server estate.
Finally, one of the best lines of defence is to ensure that all systems and services are correctly and regularly patched. This should go beyond just operating-system-level patching and include third-party software such as Adobe Reader, Flash and Java runtime environments. Attacks on third-party software, and the compromise of networks through these means, are continuing to increase. Vulnerability scanning can help to assure that patches are being applied effectively.
By carrying out these six checks regularly, organisations can ensure that their networks are better protected by exposing weaknesses and vulnerabilities before they can be exploited. Frequent checking of controls, complemented by independent penetration testing, vulnerability scanning, and extensive network defences can help assure that those controls are effective and processes are proficient at mitigating the risks of a network breach.