Computerworld - As I hinted in my previous column, we weren’t too pleased with the results of our recent risk assessment. We spent close to $100,000 so that a team of outside consultants could conduct a variety of penetration tests and vulnerability assessments against portions of our infrastructure. The good news is that our externally facing resources were fairly resilient and the contractors were unable to effectively hack into our internal network from the Internet. The bad news is that we’re soft on the inside.
Although the assessment’s scope was limited, these hackers for hire basically broke open 95% of the company.
Our budget couldn’t accommodate a complete assessment. My company has over 10,000 network nodes, dozens of applications and more than a score of remote offices worldwide. Instead, we used our $100,000 to focus on some core applications and a select number of desktops and servers. In addition, we did a review of our current policies, procedures and guidelines.
The heart of the assessment was a penetration exercise in which the consultants hacked into our infrastructure. They started by scanning 100 of our computers, located all around the world and ranging from desktop PCs to Unix and NT servers. They found many servers that were vulnerable, but they focused on a single one in our Taiwan office, a Windows 2000 server running Microsoft’s Systems Management Server. We use SMS for change and configuration management of our Windows servers and desktops. This particular server is used for patch management. So imagine the embarrassment we felt when the consultants’ successful probing of this server made us realize that it hadn’t been patched in two years! It was a bitter irony, because the lack of patches meant that a server used on the front lines in our fight against vulnerabilities was itself susceptible to a number of them.
The consultants zeroed in on one, a vulnerability associated with Microsoft Plug and Play, which should have been patched with MS05-039. They ran an exploit that capitalized on that vulnerability and successfully executed programs remotely on the vulnerable server. The remote code that they chose, a program called Pwdump, dumps the password hashes from a server.
The server in Taiwan had about 25 accounts associated with it. Like any hackers worth their salt, the consultants moved the hash file to a separate computer and then used a freely available program called John the Ripper to crack the hashes and obtain the clear-text passwords for each user account.
Hold on, because things only get worse from there. One of the accounts that the consultant/hackers now had the password for happened to be the SMS service account. That wouldn’t have been a big deal, but the service account wasn’t configured properly.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
