11/13/2018
1
10 Vulnerabilities Hackers Love to Exploit
November 13, 2018
Dan Desko
• Shareholder, Cybersecurity & IT Risk Advisory Services
• CISA (Certified Information Systems Auditor)
• CISSP (Certified Information Systems Security Professional)
• CTPRP (Certified Third-Party Risk Professional)
• 14 years of experience, began career working in IT
• Current outgoing ISACA Pittsburgh chapter president
• Experience in delivering IT Audit, IT Security Services, Penetration Testing and Vendor Risk Management services to a variety of industries
• Responsible for product delivery, client satisfaction and quality control
What We Do
• Provide penetration testing services that utilize realistic cyberattack methodologies and tools to help identify issues before the “bad guys” are able to exploit them.
• Provide remediation recommendations for discovered vulnerabilities and cybersecurity risks.
• Provide guidance and review throughout the remediation process for recommended security changes.
• Assist clients during and after data breach scenarios, aka incident response services.
Agenda
• Current State of Cybersecurity
• 10 Vulnerabilities
– Background
– Client Experiences
– Demos
– Recommendations
– Takeaway Questions
• Q & A
State of Cybersecurity
The following slides are highlights of the 2018 Verizon Data Breach Investigations Report (DBIR).
State of Cybersecurity
• The important thing to note on this slide is that the majority of breaches are carried out by outsiders, but we can’t forget about insiders either (28%).
• The other important takeaway is that the attackers are organized criminal groups; they’re run like businesses.
State of Cybersecurity
• Contrary to common belief, not all hacks involve a virus/malware. Only 30% of these breaches involved malware; what were the other 70%?
– Stolen user credentials
– Social attacks
– Physical access
– Incorrect privileges
State of Cybersecurity
• A large share of breaches begin with an email attack such as phishing
– Firewall technology has come a long way; humans are often the weakest link in your security
– Traditional AV alone isn’t great at spotting malware
• A significant majority of the breaches were financially motivated
• A large number of breaches were not discovered by the breached entity, but rather by a third party; a nightmare PR scenario.
State of Cybersecurity
The length of time it takes to discover a breach is far longer than it takes to compromise. We need to close this gap.
POLL QUESTION #1
Are you confident that your IT department would recognize if your systems had been hacked?
– Very Confident
– Somewhat Confident
– Little Confidence
– Confidence, what Confidence?
State of Cybersecurity
Photos from KrebsOnSecurity.com
State of Cybersecurity
One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.
POLL QUESTION #2
I use the password for my work account in multiple places (e.g., Facebook, Google, etc.). Please note: answers remain anonymous.
– True
– False
01 – Password Issues
• Default passwords
• Passwords that never expire
• Passwords that are the same as usernames
• Passwords reused across multiple accounts
• Improper password storage
• Improper password transmission
• Insufficient password requirements
• Weak passwords that still meet the requirements
– P@ssw0rd123
– SportsTeam2018!
– C0mp@nyName?
– M0nth-$eas0n
DEMO - Capturing Hashes
DEMO - Cracking Hashes
Password Cracking Analysis
01 – Password Issues
Mitigations
• NIST Password Policy Recommendations (as presented; see note)
– 12 or more characters / 3 out of 4 complexity classes
– Restrict common passwords
– Restrict months / seasons / sports teams
– Restrict company-specific terms
– Expire less frequently
– Note: NIST SP 800-63B itself sets a minimum of 8 characters, requires screening against breached and common-password lists, drops forced periodic expiration, and advises against composition rules; length and a good blocklist do more than complexity.
• Disable or rename built-in Windows accounts (local Administrator, Guest)
• Remove administrative privileges
• Assess how “crackable” your passwords are
• Password management (e.g., LastPass)
• Employee training
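The blocklist rules above are only useful if they are enforced when the password is set. The following is an added example (not the presenter's tooling) of a set-time screen that applies them: it strips the trailing digits and symbols and undoes the leet substitutions users rely on to satisfy complexity, then checks the remaining core against common passwords, months and seasons, sports teams, company terms and the username. The term lists are constructed and deliberately short, and the company name "Acme" is an assumption; in production the common-password list would be a full breached-password corpus.

```python
"""Set-time password screening, as an added example (not the presenter's
tooling). The term lists are constructed; 'Acme' is an assumed company name."""
import re

COMMON = {"password", "welcome", "letmein", "qwerty", "changeme", "admin"}
MONTHS_SEASONS = {"spring", "summer", "fall", "autumn", "winter", "january", "february",
                  "march", "april", "may", "june", "july", "august", "september",
                  "october", "november", "december"}
SPORTS_TEAMS = {"steelers", "penguins", "pirates"}       # constructed; localize to your city
COMPANY_TERMS = {"acme", "acmecorp"}                      # assumption: the organization is "Acme"
UNLEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "i",
                        "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Strip leading/trailing digits and symbols, then undo leet: P@ssw0rd123 -> password."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return core.translate(UNLEET)


def check_password(pw: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("fewer than 3 of 4 character classes")
    core = normalize(pw)
    if username and core == username.lower():
        problems.append("same as username")
    for label, terms in (("common password", COMMON), ("month/season", MONTHS_SEASONS),
                         ("sports team", SPORTS_TEAMS), ("company term", COMPANY_TERMS)):
        # exact match for short terms, substring match only for terms long enough to be meaningful
        if core in terms or any(t in core for t in terms if len(t) >= 4):
            problems.append(f"built on a {label}")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd123", "SportsTeam2018!", "Steelers2018!", "C0mp@nyName?",
               "Acme2019!", "Tr0ub4dor&3-cornflakes"):
        print(f"{pw:24} {check_password(pw, 'jsmith') or 'OK'}")
```

Note that "SportsTeam2018!" passes: the screen is only as good as its term lists, which is why the real lists have to be local (your teams, your product names, your street) and large.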
01 – Takeaway Questions
“Are we protecting/limiting any built-in Administrator accounts?”
“How strong are our passwords?”
“Are we effectively blacklisting common passwords?”
“How do our users store / share passwords?”
02 – Single-Factor Authentication
DEMO - Password Spraying
02 – Single-Factor Authentication
Mitigations
• Block all foreign IPs (if possible)
• Detect, then block or shun the source IP
– Failed login attempts by volume and origin: many different usernames failing from one source in a short window is the spray signature
• Windows Event Log ID: 4625 (an account failed to log on)
• Implement multi-factor authentication
– Application (Duo, Google Authenticator, etc.)
– SMS (weakest option: phishable in real time and exposed to SIM swapping; NIST SP 800-63B treats it as restricted)
– Physical token (YubiKey)
02 – Takeaway Questions
“Can we effectively detect password spraying on all external logins?”
“Do we block/shun IP addresses that spray us?”
“Do we check for successful login attempts from a spray attack and then change their password?”
POLL QUESTION #3
How many times have you been phished in the last month?
– 1-3 times
– 4-10
– 10+
– I can’t tell!
03 – Susceptibility to Phishing
2018 Data Breach Investigations Report
• Phishing and pretexting account for 93% of breaches that involve a social-engineering action, and email is the delivery vector in 96% of them; the “over 90% of all breaches” figure often quoted is a misreading of this statistic, but the point stands that phishing is the most common way in
03 – Susceptibility to Phishing
– Credential Harvesting
• Cloned login page
• “Password checker” lure
03 – Susceptibility to Phishing
– Payload Execution
• Remote session
• Ransomware
03 – Susceptibility to Phishing
Mitigations
• Review and Purchase the Top 10 Similar Domains
• Properly Configure Spam Filters
– Block similar domains, newly registered domains, known bad domains
– Block keywords
– Block certain attachments (.EXE / .BAT / .VBS)
• Advanced Anti-Phishing Software (e.g., Mimecast)
– Algorithmic spam filter (impersonations, context, domain reputation)
– Rewrite links
– Sandbox attachments
• Employee Training
– Frequent internal simulations
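"Review and purchase the top 10 similar domains" and "block similar domains" both need the same list. Here is an added example (not the presenter's tooling) that enumerates the typosquat and impersonation domains an attacker would register against a brand, ordered by how convincing each technique is in a From: header, so the first ten can be bought and the rest fed to the mail gateway as a blocklist. The protected domain "acmebank.com", the TLD list and the keyword list are constructed for the example.

```python
"""Lookalike-domain enumeration, as an added example (not the presenter's
tooling). 'acmebank.com' is a constructed protected domain."""
HOMOGLYPHS = {"a": "4", "b": "d", "d": "b", "e": "3", "g": "q", "i": "l1",
              "l": "1i", "o": "0", "q": "g", "s": "5"}
PAIRS = (("rn", "m"), ("m", "rn"), ("vv", "w"), ("w", "vv"), ("cl", "d"))
TLDS = ("com", "net", "org", "co", "info", "cm")
KEYWORDS = ("login", "secure", "portal", "mail")


def lookalikes(domain: str) -> dict:
    """Return {technique: [candidate domains]}, techniques ordered by how
    convincing they are at a glance in an email From: header."""
    name, tld = domain.lower().rsplit(".", 1)
    out = {"homoglyph": [], "omission": [], "transposition": [],
           "repetition": [], "hyphenation": [], "tld": [], "keyword": []}
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, ""):
            out["homoglyph"].append(name[:i] + sub + name[i + 1:])
        out["omission"].append(name[:i] + name[i + 1:])
        out["repetition"].append(name[:i] + ch + name[i:])
        if i < len(name) - 1:
            out["transposition"].append(name[:i] + name[i + 1] + ch + name[i + 2:])
            out["hyphenation"].append(name[:i + 1] + "-" + name[i + 1:])
    for src, dst in PAIRS:                      # multi-character glyph swaps (rn <-> m, vv <-> w)
        if src in name:
            out["homoglyph"].append(name.replace(src, dst, 1))
    for tech in ("homoglyph", "omission", "transposition", "repetition", "hyphenation"):
        # dedupe, keep order, drop no-op variants such as swapping two identical letters
        out[tech] = [f"{n}.{tld}" for n in dict.fromkeys(out[tech]) if n and n != name]
    out["tld"] = [f"{name}.{t}" for t in TLDS if t != tld] + [f"{name}{tld}.com"]
    out["keyword"] = ([f"{name}-{k}.{tld}" for k in KEYWORDS] +
                      [f"{k}-{name}.{tld}" for k in KEYWORDS])
    return out


def top(domain: str, n: int = 10) -> list:
    """The first n candidates in technique order: the shortlist to register defensively."""
    picked = []
    for cands in lookalikes(domain).values():
        for c in cands:
            if c not in picked:
                picked.append(c)
    return picked[:n]


def is_lookalike(sender_domain: str, protected: str) -> bool:
    """Gateway check: True when a sender domain is one of our generated lookalikes."""
    sender_domain = sender_domain.lower()
    if sender_domain == protected.lower():
        return False
    return any(sender_domain in cands for cands in lookalikes(protected).values())


if __name__ == "__main__":
    for tech, cands in lookalikes("acmebank.com").items():
        print(f"{tech:14} {len(cands):3}  {', '.join(cands[:4])}")
    print("register first:", top("acmebank.com"))
```

The generated set is also the input for the "block similar domains" filter rule, and for a periodic WHOIS check: any candidate that becomes registered by someone else is an early warning that a campaign is being prepared.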
03 – Takeaway Questions
“How advanced does a phishing attempt need to be to evade our spam filters?”
“Are we performing phishing simulations that sufficiently expose users to all phishing variants?”
“Do we have an effective communication channel for end-user reporting that initiates response workflow?”
04 – Overly Permissive Local Admin Rights
• Many organizations are not restricting local admin rights due to technical and/or cultural challenges
• Obtaining local admin rights is a huge advantage for a hacker
– Many offensive techniques require local admin rights
– Bypassing endpoint protections and security controls is often possible with local admin rights
– Local admin rights often translate to remote access
– Local admin rights are often shared across multiple machines (the same local Administrator password everywhere), leading to widespread compromise
DEMO – Abusing Local Admin Rights
04 – Takeaway Questions
“What users have local admin rights to what systems, and why?”
“What users have elevated permissions, and why?”
“Do all of those service accounts really need Domain Admin rights?”
“Is each exception to the rule documented and given additional protections?”
05 – Ineffective Anti-Virus
• Not all anti-virus products are the same
• Blind spots
– Default exclusions (certain file types, certain folders, etc.) can be exploited by attackers
• Signature-based detection ONLY
– Can be evaded by basic obfuscation techniques
• Software flaws
– Some anti-virus products can be easily disabled by terminating services on the endpoint
05 – Ineffective Anti-Virus
Mitigations
• Selection Process
– Ensure that your anti-virus product has behavioral analysis and memory scanning capabilities
– Only looking for bad file signatures is not effective
• Proper Configuration
– Ensure that your anti-virus product is configured to utilize its full potential (tamper protection on, exclusions kept to a minimum)
• Routine Testing and Review
– Review configuration
– Confirm desired capabilities
• Update Definitions Automatically upon Release
05 – Takeaway Questions
“Is our anti-virus product configured and utilized to its fullest potential?”
“How easily can our anti-virus product be tricked or evaded?”
“Do we really need all of those manually added file and folder exclusions?”
“Can end users turn off our anti-virus?”
06 – Lack of Encryption
Effective encryption measures mitigate the following threats:
– Lost/stolen endpoints– Lost/stolen mobile devices– Lost/stolen portable media storage devices– Boot device attacks
Without encryption, any lost or stolen device is a potential data breach: anyone holding the hardware can read the data from an unencrypted disk without credentials.
Without encryption, a physical attacker can boot the endpoint from removable media (or pull the drive and mount it in another system), copy sensitive data, and dump the local password hashes from the SAM and SYSTEM registry hives for offline cracking or pass-the-hash.
06 – Lack of Encryption
Mitigations
• Database Encryption
– Encrypt databases: full database encryption or specific sensitive columns
• Laptops AND Desktops
– Full-disk encryption keyed to the built-in TPM (e.g., BitLocker). A TPM-only configuration unlocks the disk automatically at boot, so require a PIN or pre-boot password on high-value devices.
• Mobile Devices
– Advanced mobile device management product (e.g., AirWatch) to enforce device encryption
• Portable Media Storage Devices
– Enforce encryption of all USB devices containing sensitive data
DEMO - Unencrypted HD Hash Dump
06 – Takeaway Questions
“Do we have any unencrypted devices (including desktops) within our organization?”
“How likely is it for a device to become lost/stolen?”
“Do we have any unencrypted databases that contain sensitive data?”
07 – Data Governance Issues
Users storing sensitive data in unprotected locations
Why hack the SQL database when sensitive data can be found in someone’s Desktop or My Documents folder?
07 – Data Governance Issues
Mitigations
• Policy– Data classification/usage policies and procedures.
• Enforcement– Advanced data governance product (e.g., Digital Guardian, Spirion)
• Audit– Routinely identify and remediate exceptions to policies
• Employee Training
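The "Audit" step above means actually going and looking. Here is an added example (not the presenter's tooling and not a governance product) of a small discovery scan that walks a directory tree and flags text files holding US SSNs or Luhn-valid payment card numbers, the exceptions a data governance audit hunts for in Desktop and My Documents folders and on file shares. The sample user profile is constructed in a temp directory so the script runs offline; the Luhn check is what keeps order numbers and ticket IDs out of the results.

```python
"""Sensitive-data discovery, as an added example (not the presenter's tooling).
The sample tree is constructed in a temp directory so the script runs offline."""
import os
import re
import tempfile

# SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; Luhn filters out the noise.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
TEXT_EXT = {".txt", ".csv", ".log", ".xml", ".json", ".md"}   # binaries need a parser; skipped here


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def scan_text(text: str) -> dict:
    hits = {"ssn": len(SSN_RE.findall(text)), "pan": 0}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["pan"] += 1
    return hits


def scan_tree(root: str) -> dict:
    """Return {relative_path: hit_counts} for every text file with a finding."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
            if any(hits.values()):
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_tree() -> str:
    """Constructed user profile: one file with real-looking PII, two without."""
    root = tempfile.mkdtemp(prefix="govscan_")
    samples = {
        "Desktop/customers.csv": (
            "name,ssn,card\n"
            "Jane Doe,123-45-6789,4111 1111 1111 1111\n"     # valid Luhn test number
            "John Roe,321-54-9876,4111111111111112\n"        # fails Luhn: a typo, not a PAN
        ),
        "Documents/notes.txt": "Vendor call 2018-11-13, PO 1234567890123, ext 4521\n",
        "Documents/photo.jpg": "binary placeholder",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_tree()).items():
        print(f"{path}: {hits}")
```

Pointed at a mapped share or a fleet of profile directories, the output is the exception list for the policy: each hit is either moved to a protected location or documented as an approved exception.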
07 – Takeaway Questions
“Who has access to what data and why?”
“Are users storing sensitive data in unprotected locations?”
“What exceptions exist within our network file share permissions?”
08 – Flat Networks
Networks that allow full direct communication between every host.
Lateral movement is much easier when an attacker has access to a wide range of communication protocols across the entire network:
• Network enumeration
• Vulnerability scans
• Downloading tools
• Remote code execution
• Authentication protocols
• File transfers
08 – Flat Networks
Mitigations
• Network Segmentation
– Divide the network into logical and physical groups
– Use and restrict virtual local area networks (VLANs)
– Protect the most critical systems from being easily accessible from anywhere on the network
• Local Firewall Restriction
– Block / restrict ports on each system
– Only allow communication that is necessary (inbound and outbound); user endpoints rarely need to talk to each other at all
08 – Takeaway Questions
“Is it possible to scan our entire network (including servers) from a single endpoint?”
“Why can our user endpoints ping each other?”
“Is it possible for us to restrict all unnecessary communication within our network?”
“Is our guest wireless truly segmented as intended?”
09 – Poor Security Monitoring
Are you confident that you would detect a data breach?
09 – Poor Security Monitoring
Commonly Undetected Hacking Activities:
• Phishing attempts
• Password spraying (Failed Login Attempts)
• AD enumeration as a standard user from a remote non-domain system
• NMAP scans of various types (Internal / External)
• Nessus scans of various types (Internal / External)
• Use of PowerShell based malware
• Code execution via SMB (CrackMapExec) on numerous systems
• Duplication and extraction of a volume shadow copy from a domain controller (to take ntds.dit and the SYSTEM hive offline)
• Widespread rapid use of a single user’s credentials on multiple systems
Without detection capabilities, an attacker can utilize more aggressive tactics that generate more logs and activity, but are also more successful
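Two of the activities above, password spraying (item 02: one source, many usernames, Event ID 4625) and widespread rapid use of a single credential, are cheap to detect once logon events are collected. The following is an added example (not the presenter's tooling) that runs both checks over constructed Windows Security log records, flags any successful logon from a spraying source as an account to reset (the third takeaway question under item 02), and reports accounts that authenticate to many distinct hosts inside a short window. Field names, thresholds and the sample log are assumptions; in production the records would come from your SIEM with EventID, TargetUserName, IpAddress and Computer extracted.

```python
"""Logon-event analytics, as an added example (not the presenter's tooling).
The log lines below are constructed: ts,EventID,TargetUserName,IpAddress,Computer."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

LOG = """\
2018-11-13T09:00:01,4625,jsmith,203.0.113.7,OWA01
2018-11-13T09:00:03,4625,mjones,203.0.113.7,OWA01
2018-11-13T09:00:05,4625,rlee,203.0.113.7,OWA01
2018-11-13T09:00:07,4625,akhan,203.0.113.7,OWA01
2018-11-13T09:00:09,4625,svc_backup,203.0.113.7,OWA01
2018-11-13T09:00:11,4624,tnguyen,203.0.113.7,OWA01
2018-11-13T09:15:00,4625,jsmith,198.51.100.4,OWA01
2018-11-13T09:15:20,4625,jsmith,198.51.100.4,OWA01
2018-11-13T09:15:40,4625,jsmith,198.51.100.4,OWA01
2018-11-13T10:02:00,4624,tnguyen,10.0.0.55,WS-023
2018-11-13T10:02:30,4624,tnguyen,10.0.0.55,WS-041
2018-11-13T10:03:10,4624,tnguyen,10.0.0.55,FS01
2018-11-13T10:03:40,4624,tnguyen,10.0.0.55,SQL01
2018-11-13T10:04:00,4624,tnguyen,10.0.0.55,DC01
2018-11-13T13:00:00,4624,jsmith,10.0.0.20,WS-007
"""


def parse(log: str) -> list:
    events = []
    for line in log.strip().splitlines():
        ts, eid, user, ip, host = line.split(",")
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
        events.append({"ts": when, "event_id": int(eid), "user": user, "src_ip": ip, "host": host})
    return events


def windowed_distinct(events, key, value, window, threshold) -> dict:
    """Group events by key(); report the keys for which some span of `window`
    seconds contains at least `threshold` distinct value()s (sliding window)."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append((e["ts"], value(e)))
    hits = {}
    for k, items in groups.items():
        items.sort()
        counts, lo = Counter(), 0
        for ts, v in items:
            counts[v] += 1
            while ts - items[lo][0] > window:       # drop events that fell out of the window
                old = items[lo][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            if len(counts) >= threshold:
                hits[k] = set(counts)
                break
    return hits


def detect(events, window=600, spray_users=5, lateral_hosts=4) -> dict:
    fails = [e for e in events if e["event_id"] == 4625]
    successes = [e for e in events if e["event_id"] == 4624]
    # Spray: one source, many different usernames failing in a short window.
    sprayers = windowed_distinct(fails, lambda e: e["src_ip"], lambda e: e["user"], window, spray_users)
    # Any success from a spraying source means a guess landed: reset that account.
    reset = sorted({(e["user"], e["src_ip"]) for e in successes if e["src_ip"] in sprayers})
    # Lateral movement: one account authenticating to many hosts in quick succession.
    lateral = windowed_distinct(successes, lambda e: e["user"], lambda e: e["host"], window, lateral_hosts)
    return {"spray_sources": sprayers, "reset_accounts": reset, "lateral_movement": lateral}


if __name__ == "__main__":
    for finding, detail in detect(parse(LOG)).items():
        print(f"{finding}: {detail}")
```

The second source in the sample (three failures for one user) is deliberately not flagged: that is a lockout-style brute force, which account lockout already handles, whereas a spray stays under the lockout threshold per account and is only visible when you pivot on the source address. The same sliding-window helper serves both checks; only the grouping key changes.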
DEMO - BloodHound
The BloodHound GUI ships with a built-in query, “Find Shortest Paths to Domain Admins”, that maps the chain of sessions, group memberships and local admin rights from any compromised user or host to Domain Admin.
09 – Poor Security Monitoring
Mitigations
• System Logs
– Ensure all desired logs are being collected properly
• Network Traffic
– Network traffic should be monitored with effective rulesets to alert on specific activity thresholds
• Configuration/Design
– Ensure specific detection capabilities for each intended attack scenario
– Validate capabilities with routine attack simulations
09 – Takeaway Questions
“How many of the top hacker techniques can we effectively detect?”
“Are we routinely validating our detection capabilities with simulated attack scenarios?”
“Do each of our detection alerts initiate an appropriate incident response workflow?”
10 – Unpatched Systems
DEMO - Exploiting ETERNALBLUE (MS17-010, the SMBv1 flaw patched in March 2017 and used by WannaCry and NotPetya within months; a patched system, or one with SMBv1 disabled, is not exploitable)
10 – Takeaway Questions
“Are there any systems on our network not receiving security patches?”
“Do we run our own internal vulnerability scans?”
“Are we also patching applications?”
“Do we have a process in place for emergency patching?”
*11 – Physical Access Control Gaps
Commonly identified physical access control gaps:
• Overly agreeable guards/receptionists
• Unlocked doors
• Unlocked and unattended systems
• Back doors that can be tailgated
• Motion sensors that can be hacked
• Security camera blind spots
• Unsecured vents
• Drop ceilings
• Unsecured network closets
Why hack a system when you can just walk up to it, sit down and access it?
“We damaged a fiber optic cable nearby and need to look at your data center to make sure your network performance wasn’t affected.”
DEMO - Hacking a Motion Sensor
11 – Takeaway Questions
“How difficult would it be for someone to access our internal office space?”
“Does everyone question the presence of someone they don’t know?”
“How many of our users leave their systems unlocked during breaks?”
• Q & A
– [email protected]
– Cell: 412-607-5562