Security Manager's Journal: I hired a hacker
Some cleaning up is needed after a third party's penetration testing uncovers some disturbing findings.
Computerworld - A very important piece of my budget is the quarterly allotment for security assessments. I usually focus on physical penetration testing of our major facilities or assessments of critical applications or our own products. This quarter, though, I decided to hire a hacker.
While I'd like to think that we have a somewhat hardened shell, I know our infrastructure is not 100% secure. The only ways to discover where your vulnerabilities lie are to run an internal assessment or, better yet, hire a hacker to do it for you -- or at least a consultancy that specializes in penetration testing.
I figured we would get a more complete picture with a truly independent assessment from a third party. I imposed only one constraint on the consultant we hired: no denial-of-service attacks. With an outside firm, I could also test my security team's effectiveness at detecting suspicious activity, so I kept the engagement stealthy; only a few trusted individuals in the IT department knew about it. Another benefit of this approach is that we would get a better idea of how well our data leak prevention and security incident and event management systems were protecting us.
Other than a list of critical applications that I wanted assessed, I gave no detailed information to the consultants. I wanted them to hack us the same way a determined individual or organization would do it.
When the report came back two weeks later, one major finding was the discovery of an external DNS server that was advertising our internal address space. What's more, this DNS server was configured to allow anyone to transfer the zone information, including the mapping of our internal infrastructure and naming conventions. This information could be used by a hacker to, among other things, map out our internal network and then focus on some juicy targets.
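The zone-transfer exposure described above is a configuration problem, and it is easy to audit before an outside party finds it. The following is an added example, not code from the article or its author: a small Python audit that walks a BIND-style named.conf, resolves the effective allow-transfer ACL for each zone (zone-level statement, else the options-level one) and flags zones open to any host. The configuration text is constructed for the example; the zone names and addresses are documentation placeholders, not the author's servers. A missing allow-transfer on both levels is treated as open, which matches BIND's historical default of allowing transfers to all hosts.

```python
import re

# Constructed named.conf fragment for the example (not a real server's config).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };          # weak: anyone can pull the whole zone
};

zone "corp.example.com" {
    type master;
    file "corp.example.com.zone";
    # no allow-transfer here: inherits the options-level "none"
};

zone "partner.example.net" {
    type master;
    file "partner.zone";
    allow-transfer { 192.0.2.53; 2001:db8::53; };   # restricted to named secondaries
};
"""

ALLOW_TRANSFER = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")


def _transfer_acl(body: str):
    """Parse 'allow-transfer { a; b; }' inside a block; None if the statement is absent."""
    m = ALLOW_TRANSFER.search(body)
    if not m:
        return None
    return [entry.strip() for entry in m.group(1).split(";") if entry.strip()]


def audit_zone_transfers(conf: str) -> dict:
    """Map each zone name to its effective allow-transfer ACL and an 'open' verdict."""
    # Drop '#' and '//' line comments so commented-out statements are not parsed.
    stripped = re.sub(r"(#|//).*", "", conf)

    global_acl = None
    opts = re.search(r"\boptions\s*\{", stripped)
    if opts:
        global_acl = _transfer_acl(_block_body(stripped, opts.end() - 1))

    report = {}
    for zm in re.finditer(r'\bzone\s+"([^"]+)"\s*\{', stripped):
        body = _block_body(stripped, zm.end() - 1)
        zone_acl = _transfer_acl(body)
        effective = zone_acl if zone_acl is not None else global_acl
        # No ACL at either level, or an explicit 'any', means the zone is open.
        open_to_all = effective is None or "any" in effective
        report[zm.group(1)] = {"acl": effective, "open": open_to_all}
    return report


def open_zones(conf: str) -> list:
    """Names of zones that would answer an AXFR from anywhere."""
    return sorted(name for name, info in audit_zone_transfers(conf).items() if info["open"])


if __name__ == "__main__":
    for name, info in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{name:24} acl={info['acl']} open={info['open']}")
```

Running the audit on the constructed fragment flags only example.com; the corp zone inherits the global "none" and the partner zone is limited to its two secondaries. A fix is the same statement with the secondaries' addresses (or "none" for a zone with no secondaries) in place of "any", at the zone level or in options.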
Another problem uncovered was the potential for unauthorized access to our infrastructure through a chain of vulnerabilities. One consultant discovered a SQL injection vulnerability in an Internet-facing application and was able to issue a SQL query to obtain the password hash for a system account on one of our application servers. The password was cracked in six seconds.
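The injection that produced the service-account hash is the textbook case of user input being concatenated into a query. The following added example (not code from the article or its author) shows a lookup written that way beside the same lookup with a bound parameter, run against an in-memory SQLite table. The table, the account names and the injected input are constructed for the example; the hashes are unsalted SHA-256 only to keep the block self-contained, which is itself one reason the six-second crack was possible.

```python
import hashlib
import sqlite3

# Constructed sample rows; 'svc_app' is a hypothetical application service account.
SAMPLE_ROWS = [
    ("alice", hashlib.sha256(b"correct horse battery").hexdigest()),
    ("svc_app", hashlib.sha256(b"Summer2014").hexdigest()),
]

# Constructed input of the kind a scanner or tester would submit to a username
# field: it closes the string literal and appends a second SELECT.
INJECTED_INPUT = "' UNION SELECT password_hash FROM users WHERE username = 'svc_app' --"


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Query built by string formatting: the input becomes part of the SQL text."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both lookups with the injected input and return what each one yields."""
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, INJECTED_INPUT),  # leaks the hash
        "hardened": lookup_hardened(conn, INJECTED_INPUT),      # no such user: []
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant:10} -> {rows}")
```

With the vulnerable lookup the returned list contains the service account's hash instead of a username; the parameterized lookup returns an empty list because no account is literally named after the injected string. Parameterizing every query is the fix for this finding; storing credentials with a salted, slow hash limits the damage if a hash still leaks.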
That password was then used to access Microsoft Outlook Web Access, and the hacker/consultant was able to log in with the application service account. Service accounts should, as a matter of practice, never have email associated with them.
In any event, the consultant was able to enumerate our entire corporate directory and then choose the name of an employee who worked in the mailroom. He pulled as much information about that person as he could from the Internet, including home address, phone number and personal email address. Posing as the mailroom employee, the consultant called our help desk (he found the number on our corporate website). To validate the "user," the help desk technician only asked for his office extension. The hacker provided the number, and the tech cheerily reset the "user's" email password and issued him a temporary RSA SecurID passcode that was then used to log in to our employee VPN portal. From there, the hacker had access to our company intranet and various corporate applications.
As you can imagine, I have my work cut out for me. We need to establish new help desk procedures for validating employees, reconfigure a DNS server, plug SQL injection holes, incorporate two-factor authentication for Microsoft Outlook Web Access and review service accounts. Lastly, I need to figure out why my security team didn't detect any of the consultant/hacker's activity.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.