
Page 1: Guardians of the Strategy - Chapters Site Annual IIAISACA Hacki… · • Information Security Consultant and Manager at Crowe Horwath • CISSP, OSCP, OSCE, CREST CRT • Speaker

© 2017 Crowe Horwath LLP

Guardians of the Strategy

Piotr Marszalik Michelle Erickson

How Well-Intentioned Cybersecurity Controls Backfire

Page 2

Agenda

• Who are we?
• Cybersecurity controls, insecure implementations, and vendor accountability
• Baby Groot’s stories from 2016 and 2017 security audits
  • Next gen firewall
  • New core banking application; I need local admin rights
  • New logging application - what else was installed?
  • Local admin account reuse
  • Security camera software updates; where’s my patch?
• For each example:
  1. Issue and risk identification
  2. Remediation, introduction of new more severe issues
  3. Looking under the hood, understanding the flaws
  4. Correct remediation

Baby Groot, the internal auditor for Guardian’s Spaceship

Page 3

Who are we?

• Piotr Marszalik
  • Information Security Consultant and Manager at Crowe Horwath
  • CISSP, OSCP, OSCE, CREST CRT
  • Speaker at BlackHat, DerbyCon
  • Red Team Member for the Midwest Regional Collegiate Cyber Defense Competition (MWCCDC)
• Michelle Erickson
  • Information Security Consultant at Crowe Horwath with experience in Penetration Testing and performing Infrastructure Cybersecurity Assessments.

The Crowe Horwath LLP cybersecurity team offers a comprehensive suite of solutions to identify and help you manage these risks so you can strengthen the confidentiality, integrity, and availability of organizational assets.

Page 4

Cybersecurity Weaknesses

• Three common reasons for network security threats:
  • Technology weaknesses – HTTP vs. HTTPS
  • Policy weaknesses – Lack of Disaster Recovery Program
  • Configuration weaknesses – Ineffective Firewall Rules

Page 5

What are the risks?

Security Misconfiguration
• Additional tools can introduce additional vulnerabilities or paths to compromise
• Misconfigured security tools may lead you to think you are protected when you are not
• Many tools run as privileged accounts, which increases the risk associated with a compromise

Page 6

Examples

Page 7

Next Generation Firewall

• 2016 Penetration Test
  • Finding: Egress filtering is too permissive
  • Risk: Low
  • Recommendation: Make more granular rules for departments / groups, based on the principle of least privilege
    • Your marketing team needs access to social media
    • Some of your teams need access to cloud storage sites
• Solution: Install a “Next Generation Firewall”

Page 8

Next Generation Firewall

• 2017 Penetration Test
  • Finding: Assessors used your firewall to obtain control of the domain within one hour of coming on-site
  • Risk: High

I am Groot?

What went wrong?

Page 9

How does our next gen firewall work?

Participants: Rocket Raccoon's Laptop, Firewall

Rocket Raccoon's Laptop → Firewall: I want to visit https://space-weapons.com
Firewall: Where is this request coming from? Who are you? Are you allowed to visit these types of websites?! I need to find out!!
Firewall → Rocket Raccoon's Laptop: I’m logging in to this system to find out
Firewall: Yup, this is Rocket Raccoon’s workstation alright. He is allowed to continue.

Page 11

Where is the Vulnerability?

Rocket Raccoon’s exploitation steps:
1. Attempt to visit a website
2. Wait for the firewall to fingerprint your machine
3. Capture the authentication traffic
4. Parse traffic to obtain encrypted credentials
5. Crack the password

Page 12

Open Source and Free Tools!

• Wireshark
  • Used to capture all network traffic touching the workstation
  • https://www.wireshark.org
• Net-creds
  • Parses out sensitive data from Wireshark captured traffic
  • https://github.com/DanMcInerney/net-creds
• Hashcat
  • Password recovery tool. Takes in parsed data from net-creds
  • https://hashcat.net/hashcat

Page 14

“But you will never crack my strong password!”

• Service accounts, especially when privileged, typically use strong passwords
• Raccoon (or Man)-in-the-Middle Attack (SMB Relay):

Participants: Rocket Raccoon's Laptop, Firewall, Random Server Housing Sensitive Data

1. Firewall → Rocket Raccoon's Laptop: “This is firewall. I want to login.”
   Rocket Raccoon's Laptop → Random Server Housing Sensitive Data: “This is firewall. I want to login.”
2. Random Server Housing Sensitive Data → Rocket Raccoon's Laptop: “Ok, I’ll let you login. But first I’ll give you a challenge to confirm you are authorized”
   Rocket Raccoon's Laptop → Firewall: “Ok, I’ll let you login. But first I’ll give you a challenge to confirm you are authorized”
3. Firewall → Rocket Raccoon's Laptop: “Of course. I have the answer to your challenge right here”
   Rocket Raccoon's Laptop → Random Server Housing Sensitive Data: “Of course. I have the answer to your challenge right here”
4. Random Server Housing Sensitive Data → Rocket Raccoon's Laptop: ACCESS GRANTED. Welcome :)
   Rocket Raccoon's Laptop → Firewall: ACCESS DENIED. Try again ;)

Page 15

Secure Configuration

Participants: Rocket Raccoon's Laptop, Firewall, Domain Controller

Rocket Raccoon's Laptop → Firewall: I want to visit https://space-weapons.com
Firewall: Where is this request coming from? Who are you? Are you allowed to visit these types of websites?! I need to find out!!
Firewall → Domain Controller: Hey Domain Controller! I’m getting a request from someone. Who is this?
Domain Controller → Firewall: Ah! That’s Rocket Raccoon’s workstation! He’s allowed to continue.

Page 17

Next Generation Firewall

• How can we configure this better?
  • Investigate a secure configuration
  • Instead of authenticating to individual endpoints, firewalls should only communicate with the Domain Controller

Cost of Remediation: $$$$ Remediation Difficulty: Easy

Page 18

New Core Banking Application; I Need Local Admin Rights

• Background
  • Your company has purchased a new core banking application which all employees will be using
  • Vendor states that users must have local admin privileges on their workstation for the application to function
  • Solution: Add “Domain Users” group to local “Administrators” group
• 2017 Penetration Test
  • Finding: Users have excessive local administrative privileges
  • Risk: High

What went wrong?

Page 19

Excessive Local Admin Group Membership

• “Domain Users” by default includes everyone within the organization
• The local administrator privilege allows the user to:
  • Disable installed security software (anti-virus)
  • Install malware and keylogging software
  • Access all files and installed programs
  • Collect credentials of recently logged in users – cached in memory

Page 20

Excessive Local Admin Group Membership

• Putting “Domain Users” in the “Administrators” group gives each user administrative access to all computers on the domain.
• A user could log into anybody’s workstation and have access to all files and programs.
• How could this be done better?

Page 21

Excessive Local Admin Group Membership

• Add individual users as administrators on only their machine
• Add ONLY users who actually need administrator privileges
• Cost: $$$$
• Remediation Difficulty: Moderate

(Figure: STANDARD USER vs. LOCAL ADMIN USERS)

Page 22

Excessive Local Admin Group Membership

• Configure only certain applications to run as administrator
  • Thycotic Privilege Manager
  • BeyondTrust – PowerBroker Privileged Access Management
  • CyberArk
• Cost: $$$$
• Remediation Difficulty: Moderate
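An added PowerShell example, not from the slides, that audits what slides 19 to 21 describe: it enumerates the local Administrators group on a list of workstations and flags broad groups such as “Domain Users” as members, plus any single domain account that holds local admin on more than one machine. It assumes a domain-joined host with RPC reachable to the targets; the hostnames in `$Computers` are constructed sample values.

```powershell
# Added example, not taken from the slides: audit the local Administrators group on a set of
# workstations and flag the two patterns described above, a broad group such as "Domain Users"
# being a member, and one domain account holding local admin on many machines.
# Assumptions: run as a domain admin from a domain-joined host with RPC reachable to the
# targets; $Computers is a constructed sample list, not a real inventory.

$Computers   = @('WS-FINANCE-01', 'WS-HR-07', 'WS-IT-03')   # constructed sample hostnames
$BroadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')
$Expected    = @('Domain Admins')   # legitimately an admin everywhere; not a finding

function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The WinNT ADSI provider enumerates the local group over RPC, so it also works on
    # hosts where WinRM is not enabled.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        # "WinNT://DOMAIN/Name" for domain principals, "WinNT://HOST/Name" for local ones
        $parts = ($adsPath -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Computer  = $ComputerName
            Authority = $parts[0]
            Name      = $parts[-1]
            IsDomain  = ($parts.Count -gt 1) -and ($parts[0] -ne $ComputerName)
        }
    }
}

$members = foreach ($c in $Computers) {
    try   { Get-LocalAdminMember -ComputerName $c }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}

# Finding 1: a broad group hands every employee local admin on that machine
$members | Where-Object { $_.IsDomain -and $_.Name -in $BroadGroups } |
    ForEach-Object { "[HIGH] $($_.Computer): $($_.Authority)\$($_.Name) is a local Administrator" }

# Finding 2: one domain account is a local admin on more than one workstation
$members | Where-Object { $_.IsDomain -and $_.Name -notin ($BroadGroups + $Expected) } |
    Group-Object Authority, Name | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "[MEDIUM] $($_.Name) is a local Administrator on $($_.Count) hosts: $($_.Group.Computer -join ', ')" }
```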

Page 23

New Logging Application - What else was Installed?

• 2016 Penetration Test
  • Finding: Logs are not being collected and centralized. No visibility into activity within the environment.
  • Risk: Low
  • Recommendation:
    • Implement a Security Information and Event Management (SIEM) technology.
    • Collect and store logs from all corporate systems within a centralized server.
    • Create rules and active alerts on potentially malicious activity
• Solution: Hire vendor to install and set up the technology

Page 24

New Logging Application - What else was Installed?

• 2017 Penetration Test
  • Finding: Assessors leveraged the newly installed services to obtain control of the domain within hours of coming on-site
  • Risk: High

Page 25

What was installed?

• Web application management console
  • Pulls in and reads log events from the storage server
  • Correlates events, ability to configure and manage rulesets
• Backend database
  • Storage for the log data
• Vendor set-up notes:
  • Application console access has been restricted to only authorized individuals
  • Database administrators have been restricted to authorized individuals
  • Service account “requires administrative privileges to function”
    • Configured using “Domain Admin” rights

Page 26

Application vs. Database Accounts

• The logging application has been set up so employees log in with their network accounts
• The application is hardened so that only users that need access are able to log in
• However, the back end database for the application has its own local accounts…

Page 27

Microsoft SQL Default Roles

• Sysadmin
  • Administrative group
  • Full access over all server databases and resources
• Public
  • Very limited access unless explicitly given permission
  • By default, allowed to execute some not inherently malicious queries (extended stored procedures)
  • A common default configuration is for it to consist of all users within the organization (“Domain Users” group)

Page 28

Malicious Insider Exploitation Steps

Participants: Rocket Raccoon's Laptop, Web Application Management Console, Database

Rocket Raccoon's Laptop → Database: I have PUBLIC role access. Logging directly into the backend database
Database → Rocket Raccoon's Laptop: Welcome Rocket!
Rocket Raccoon's Laptop → Database: Please list for me all files that you can see on the below system: “Rocket Raccoon’s Laptop”
Database: Sure!
Database → Rocket Raccoon's Laptop: I’m logging in to this system to find out
Database → Rocket Raccoon's Laptop: Done. Did not see anything interesting.

Page 29

Vulnerability Mitigation

• Service accounts should NEVER be configured to use domain admin privileges
  • Delegation of authority
• Revoke the PUBLIC role for all domain accounts
• Limit default and potentially malicious extended stored procedures from the PUBLIC role
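An added PowerShell example, not from the slides or any vendor, that checks a SQL Server instance for the three conditions slides 27 to 29 describe: a domain-wide group login (which puts every user into PUBLIC), a sysadmin member that is really a service account, and extended procedures PUBLIC may execute. The revoke step is wrapped in `-WhatIf` so it only reports until you opt in. It assumes the SqlServer module (`Invoke-Sqlcmd`) and sysadmin rights on the instance; `LOGSRV01\LOGS` and `CORP` are constructed placeholders.

```powershell
# Added example, not taken from the slides: audit a SQL Server that backs an application such as
# the logging console for the conditions described above, and optionally remove the PUBLIC
# EXECUTE grants on the path-taking extended procedures.
# Assumptions: SqlServer module installed; caller is sysadmin; instance and domain are placeholders.

$Instance = 'LOGSRV01\LOGS'   # constructed placeholder instance name
$Domain   = 'CORP'            # constructed placeholder NetBIOS domain name

# 1. Logins that admit an entire domain group; every login is implicitly a member of PUBLIC,
#    so "revoke PUBLIC for domain accounts" in practice means dropping such a login.
$broadLogins = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT name FROM sys.server_principals
WHERE type = 'G' AND name IN ('$Domain\Domain Users', '$Domain\Authenticated Users', 'NT AUTHORITY\Authenticated Users');
"@

# 2. Members of sysadmin: where a service account set up with "Domain Admin" rights shows up.
$sysadmins = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT m.name AS member, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
"@

# 3. Extended procedures (object type 'X') in master that PUBLIC has an explicit EXECUTE grant on.
#    Procedures that take a path, such as xp_dirtree and xp_fileexist, accept a UNC path, which
#    makes the SQL service account authenticate to whichever host that path names.
$publicXp = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT o.name
FROM sys.database_permissions p
JOIN sys.all_objects o ON o.object_id = p.major_id
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND p.class = 1 AND p.permission_name = 'EXECUTE' AND p.state = 'G' AND o.type = 'X';
"@

foreach ($row in $broadLogins) { "[HIGH] domain-wide group login present: $($row.name)" }
foreach ($row in $sysadmins)   { "[INFO] sysadmin member: $($row.member) ($($row.type_desc))" }
foreach ($row in $publicXp)    { "[MEDIUM] PUBLIC can EXECUTE master.dbo.$($row.name)" }

# Remediation for the path-taking procedures: revoke the explicit PUBLIC grant.
# The default list is a constructed starting point; extend it from the audit output above.
function Revoke-PublicXpExecute {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Procedure = @('xp_dirtree', 'xp_fileexist'))
    foreach ($xp in $Procedure) {
        if ($PSCmdlet.ShouldProcess("$Instance master.dbo.$xp", 'REVOKE EXECUTE FROM public')) {
            Invoke-Sqlcmd -ServerInstance $Instance -Database master `
                -Query "REVOKE EXECUTE ON OBJECT::dbo.$xp FROM public;"
        }
    }
}
Revoke-PublicXpExecute -WhatIf   # drop -WhatIf to apply
```

Test the application after revoking: some vendor consoles call these procedures themselves, in which case grant EXECUTE to the application's own service login rather than leaving it on PUBLIC.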

Page 30

What if I can’t make those changes?

• Raccoon/Man-in-the-Middle (SMB Relay) mitigating controls
  • Strong service account password (random characters, 15+)
    • Prevents offline dictionary/bruteforce attacks on captured SMB authentication
  • Server Message Block (SMB) Signing
    • Communication digitally signed at the packet level
    • Prevents tampering of packets and man-in-the-middle attacks

Cost of Remediation: $$$$ Remediation Difficulty: Moderate
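An added PowerShell example, not from the slides, that verifies the SMB signing control above is actually enforced: it reads the server-side and client-side `RequireSecuritySignature` values on each host, because signing that is merely enabled still lets an unsigned peer negotiate an unsigned session. It assumes WinRM is reachable on the targets; the hostnames are constructed sample values.

```powershell
# Added example, not taken from the slides: confirm SMB signing is *required*, not just enabled,
# on both the server (LanmanServer) and client (LanmanWorkstation) side of each host.
# Assumptions: WinRM reachable on the targets; $Hosts is a constructed sample list.

$Hosts = @('DC01', 'FILESRV01', 'WS-HR-07')   # constructed sample hostnames

$check = {
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cli = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    # RequireSecuritySignature = 1 makes signing mandatory; a missing value behaves as 0 (not required)
    $required = {
        param($Path)
        (Get-ItemProperty -Path $Path -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature -eq 1
    }
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        ServerRequires = & $required $srv
        ClientRequires = & $required $cli
    }
}

$results = Invoke-Command -ComputerName $Hosts -ScriptBlock $check -ErrorAction Continue |
           Select-Object Host, ServerRequires, ClientRequires

foreach ($r in $results) {
    $status = if ($r.ServerRequires -and $r.ClientRequires) { 'OK' }
              elseif ($r.ServerRequires) { 'WARN: client side does not require signing' }
              else { 'FAIL: server side does not require signing; relayed sessions to this host are accepted' }
    '{0,-12} server={1,-5} client={2,-5} {3}' -f $r.Host, $r.ServerRequires, $r.ClientRequires, $status
}
```

The equivalent Group Policy settings are "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)"; domain controllers require server-side signing by default, member servers and workstations do not.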

Page 31

Local Administrator Password Reuse

• 2016 Penetration Test
  • Finding: All workstations have the same local administrator account password
  • Risk: Low
  • Recommendation: Configure each machine to use a unique password
  • Solution: Outsourced vendor fixes the problem by using Group Policy to configure unique local administrator passwords

Page 32

Local Administrator Password Reuse

• 2017 Penetration Test
  • Finding: Assessors obtained clear-text credentials for your local admin accounts within one hour of coming on-site
  • Risk: High

What went wrong?

Page 33

Local Administrator Password Reuse

Local Administrator Account
• Built-in account on the computer
• Often used by IT to set up the computer before it is added to the domain

Group Policy
• Group Policy stores local administrator passwords encrypted in a central server (Domain Controller)
• Everyone on the network has access to see the files that contain those encrypted passwords
• The passwords are encrypted! So what is the problem?

Page 34

Local Administrator Password Reuse

• Microsoft published the encryption key
  • United States v. Microsoft Corporation (2001)
  • Microsoft is required to disclose application programming interfaces to third-party companies
• Encrypted Password + Key = Clear Text Password

Page 35

Local Administrator Password Reuse

• Microsoft has released communication warning NOT to use Group Policy to set passwords

Page 36

Local Administrator Password Reuse

• What should have happened?
  • Install Microsoft’s patch to remove the ability to configure passwords through Group Policy
  • Run the Microsoft script to clean up existing passwords
  • Use a different method!
• Local Administrator Password Solution (LAPS)
  • Microsoft solution to the Group Policy vulnerability
• Disallow remote logon
• Disable local admin account

Cost of Remediation: $$$$ Ease of Remediation: Moderate
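An added PowerShell example, not from the slides or from Microsoft's own clean-up script, for the "clean up existing passwords" step: it walks SYSVOL for Group Policy Preference files that still carry a `cpassword` attribute and reports which GPO, file and account each one belongs to, without decrypting anything. It assumes a domain-joined host with read access to SYSVOL and takes the domain name from the environment, so no ActiveDirectory module is needed.

```powershell
# Added example, not taken from the slides: find Group Policy Preference files in SYSVOL that
# still carry a "cpassword" attribute, that is, a local password set through Group Policy.
# It reports where such values exist and which account they belong to; it does not decrypt them.
# Assumptions: domain-joined host with read access to SYSVOL; domain name from the environment.

$Domain   = $env:USERDNSDOMAIN
$Policies = "\\$Domain\SYSVOL\$Domain\Policies"
# Preference file types that can carry credentials
$GppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
# Attribute names the different preference types use for the account the password belongs to
$AccountAttrs = 'userName', 'accountName', 'runAs', 'username'

function Find-GppPassword {
    param([Parameter(Mandatory)][string]$PoliciesPath)
    Get-ChildItem -Path $PoliciesPath -Recurse -Include $GppFiles -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            [xml]$doc = Get-Content -Path $file.FullName -Raw
            # Every Properties element with a non-empty cpassword attribute is a finding
            foreach ($props in $doc.SelectNodes('//Properties[@cpassword != ""]')) {
                $account = '(n/a)'
                foreach ($attr in $AccountAttrs) {
                    if ($props.HasAttribute($attr)) { $account = $props.GetAttribute($attr); break }
                }
                # The GPO GUID is the {...} directory directly under Policies
                $gpoGuid = (($file.FullName -split '\\Policies\\')[-1] -split '\\')[0]
                [pscustomobject]@{
                    GpoGuid = $gpoGuid
                    File    = $file.Name
                    Account = $account
                    Changed = $props.ParentNode.GetAttribute('changed')
                    Path    = $file.FullName
                }
            }
        }
}

$findings = @(Find-GppPassword -PoliciesPath $Policies)
if ($findings.Count -eq 0) { "No cpassword attributes found under $Policies" }
else { $findings | Format-Table GpoGuid, File, Account, Changed -AutoSize }
```

Every row is a password that every domain user can read from SYSVOL; remove the preference item, then change the affected account's password, since the value had already been exposed.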

Page 37

Default Credentials

• Background
  • Your company has purchased a new security camera which the vendor has installed and configured for you
• 2017 Penetration Test
  • Finding: Penetration testers were able to guess the device password and make configuration changes
  • Risk: High

What went wrong?

Page 38

Default Credentials

• Default device passwords are usually publicly available
• Vendors frequently re-use default passwords among different types of devices

Page 39

Default Credentials

• Always change default credentials on devices before installing them on the network
• Vendors are starting to provide devices with randomized passwords, or enforcing a password change when you initially log in
• Cost: $$$$
• Remediation Difficulty: Easy!
• “But the passwords are hardcoded – I can’t change them!”

Page 40

Default Credentials

• Use internal network segmentation to prevent your users from directly accessing networking devices
  • Segment based on departments
  • Start with high risk segments
  • Separate the user segment from IT infrastructure
• Cost: $$$$
• Remediation Difficulty: Difficult

Page 41

TAKEAWAYS

1. Understand new technology and test prior to deployment; there is no such thing as plug in and go.
2. What are the REAL vendor requirements? Are we following the principle of least privilege?
3. Are my security controls holistic?
4. Is ease of administration weakening my environment?
5. How do I deal with unfixable vulnerabilities?

Page 42

Questions

Page 43

Crowe Horwath International is a leading international network of separate and independent accounting and consulting firms that may be licensed to use "Crowe," "Crowe Horwath" or "Horwath" in connection with the provision of accounting, auditing, tax, consulting or other professional services to their clients. Crowe Horwath International itself is a nonpracticing entity and does not provide professional services in its own right. Neither Crowe Horwath International nor any member is liable or responsible for the professional services performed by any other member. © 2016 Crowe Horwath International.

In accordance with applicable professional standards, some firm services may not be available to attest clients. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure

Piotr Marszalik

[email protected]

https://www.linkedin.com/in/piotrmarszalik

630.574.1623

Michelle Erickson, Consultant

[email protected]

https://www.linkedin.com/in/mnerickson/

312.966.3095

Thank You! Crowe Cybersecurity Watch Blog: https://www.crowehorwath.com/cybersecurity-watch