Forget new threats: It's the old-school attacks that keep getting you
Pen tester Rob Havelt has found that the most egregious security lapses have nothing to do with the latest, most-hyped threats.
By Taylor Armerding
Everybody in IT knows it is a dangerous world out there, filled with an endless variety of cyber attacks aimed at compromising and taking advantage of security flaws.
But there is still a persistent lack of awareness of specific threats and how best to confront them, according to Rob Havelt, director of penetration testing for Trustwave, an international provider of information security and compliance solutions.
The irony, he says, is that it is not necessarily the newest, scariest malware or hack technique that can compromise an enterprise.
"You see people get whipped up into a frenzy about the latest technique that requires all kinds of technical skill to exploit," he says, "while ignoring stuff that has been around since forever. One of the most common things we find on an internal network is bad password policy -- egregious things like 'admin' for an administrative password, or that the system administration password is blank."
Havelt wrote most of "Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests," which Trustwave members presented at SecTor 2011 in Toronto earlier this week. He says one of the things he urges IT leaders to realize is that a "tiny flaw," like a master default password for a PBX exchange can be "blown up into something that has a serious impact."
That, in fact, is one of his amazingly true stories. Havelt was doing a penetration test of what he describes as a "very secure" Fortune 500 financial company with an older Siemens Rolm PBX telephone exchange. While most of the default passwords had been changed, "one account they hadn't changed, which gave us better than administrative access, so we could use it to become any user."
Havelt and his team cloned mailboxes from the company's help desk, which gave them access to any voice mail.
"While we were testing, a new voice mail came in from somebody on the road, whose VPN access wasn't working. I knew how to fix it, so I called the guy and he gave me his user name, token pin and domain password. I helped him fix his problem, but with a single domain password, it's very easy to escalate your privileges. From there, we got into wealth management and the Department of Homeland Security Watch List," he says.
"All from a phone call."
In another case, Havelt and his team were able to hack into a large manufacturer's HD security cameras. Since they could control them, and since five or six of them were pointed at desks, "and they have this 10X optical zoom, we could zoom in on keyboards and desks, harvest passwords and log into other systems."
Sometimes, the vulnerabilities are, or should be, ridiculously obvious. "Things like user names and passwords that are the same, or a network account with a password of 'admin,'" he says.
"I wish I could tell you that these are isolated instances, but they're not. There are thousands of cases."
So what should the prudent IT manager do? Havelt says one problem is that "there are an inordinate number of organizations that are opposed to real pen testing. They try to limit it to a couple of machines at specific times. That's not how attacks work.
"I understand the realities of business," he says. "But it's like going to a doctor for a complete physical and telling him only to look at your hands."
Beyond that, Havelt says better security requires, "carrying things out to their logical conclusion -- looking at a vulnerability and thinking about what can be done with it."
Or, as a recently departed genius CEO was fond of saying: "Think different."
Original appearance at CSO.com