A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 4 Breadcrumb Home Insights Blog Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 4 June 03, 2016 Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 4 In this blog series I am covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering: CSC 1: Inventory of Authorized and Unauthorized Devices CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 4: Continuous Vulnerability Assessment and Remediation The Control Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. The Attack It is not uncommon to go into an organization and have complete access to all systems with a small set of commands within the first 30 minutes. Having been performing this testing for many years, it quickly becomes apparent that several organizations have what we call “low hanging fruit.” Low hanging fruit are common attack vectors that usually provide access to systems with significant privileges with very little effort. In my next attack, I will show how a critically vulnerability could have been easily detected if the organization had been performing regular vulnerability scanning. Then leveraging the information provided in the vulnerability scan, I will demonstrate how simple it is to gain access to the target system. In the screenshot below, we see that a vulnerability scanner was used to identify default credentials in use the Apache Tomcat Manager. Apache Tomcat Manager is a web console which allows for the deployment of web applications on the web server. This is an extremely common finding, because some applications will deploy Tomcat using the default credentials. Vulnerability scanners often tell if the actual vulnerability contains any public exploits or if it is an abuse of normal operations of the application. Organizations should focus on high-risk vulnerabilities with public exploitation details in order to improve network security. Vulnerability Scanner identified default credentials An attacker can use the Tomcat Manager Console in order to upload a malicious web application archive (WAR) file or simply use an open-source tool like Metasploit to automate the process. Using this method, it only takes eight commands for an attacker to leverage the credentials into an administrative command shell. This simplicity in identifying and exploiting the vulnerability is why we call this low hanging fruit. Exploiting the default username and password in Tomcat The Solution Vulnerability management is a time intensive process. Organizations will hire people just to perform this process. It goes far beyond simply scheduling a vulnerability scanner to run each week or month, but includes entire processes around remediation and risk ranking to be performed. It’s important to first make sure that your organization is scanning often and using the data when it is as fresh as possible. Running scans daily or weekly is not unheard of. When running vulnerability scans, it is important to ensure that the systems being scanned are authenticated to by the vulnerability scanner. Without authentication, you are only seeing a fraction of the attack surface of the machine. Authentication will allow the vulnerability scanner to log into the machine and determine much more detailed information such as patch levels, malicious software, or audit configurations. It is important that organizations are performing risk ranking on the vulnerabilities that are identified to ensure that the most important vulnerabilities are being remediated first. This process is time sensitive and takes knowledge of both the vulnerabilities as well as the system infrastructure. Some of the things that should be included in the risk ranking are: What is the Common Vulnerability Scoring System (CVSS)? Is there public exploitation details? Is this an externally accessible system? Does this system hold sensitive data? Is this system part of the critical infrastructure? What is the impact of the vulnerability? Once you have scans running on a regular basis with authentication and have developed a risk ranking process, it is important to develop a method that incorporates all parts of IT responsible for the security of systems within the organization. In most organizations, the vulnerability assessor will not be the person in charge of making the change to secure the system, but will be coordinating with IT in order to remediate. Without first making IT part of this process, they might get the wrong idea that the vulnerability assessor is trying to tell them that they are doing something wrong, instead of striving for security together through the process. The next post will cover CSC 5: Controlled Use of Administrative Privileges. By: Joshua Platz Principal Security Consultant | Optiv Joshua Platz is a principal security consultant in Optiv’s advisory services threat practice on the attack and penetration team. Joshua’s role is to execute advanced service offerings such as the advanced threat simulation purple team activity and provide thought leadership and mentorship to the practice. Joshua also executes internal and external network penetration testing, enterprise password audits, and was one of the designers and first executers of the attack surface management offering. Share: Hacker Penetration Testing Center for Internet Security Threat Cyber Attack CIA Triad Encryption
Would you like to speak to an advisor? How can we help you today? Image E-Book Cybersecurity Field Guide #13: A Practical Approach to Securing Your Cloud Transformation Download Now Image Events Register for an Upcoming OptivCon Learn More Ready to speak to an Optiv expert to discuss your security needs?