Security Manager's Journal: I hired a hacker
Some cleaning up is needed after a third party's penetration testing uncovers some disturbing findings.
Computerworld - A very important piece of my budget is the quarterly allotment for security assessments. I usually focus on physical penetration testing of our major facilities or assessments of critical applications or our own products. This quarter, though, I decided to hire a hacker.
While I'd like to think that we have a somewhat hardened shell, I know our infrastructure is not 100% secure. The only ways to discover where your vulnerabilities lie are to run an internal assessment or, better yet, hire a hacker to do it for you -- or at least a consultancy that specializes in penetration testing.
I figured we would get a more complete picture with a truly independent assessment from a third party. I imposed only one constraint on the consultant we hired: no denial-of-service attacks. With an outside firm, I could also test my security team's effectiveness at detecting suspicious activity, so I kept the engagement stealthy; only a few trusted individuals in the IT department knew about it. Another benefit of this approach is that we would get a better idea of how well our data leak prevention and security incident and event management systems were protecting us.
Other than a list of critical applications that I wanted assessed, I gave no detailed information to the consultants. I wanted them to hack us the same way a determined individual or organization would do it.
When the report came back two weeks later, one major finding was the discovery of an external DNS server that was advertising our internal address space. What's more, this DNS server was configured to allow anyone to transfer the zone information, including the mapping of our internal infrastructure and naming conventions. This information could be used by a hacker to, among other things, map out our internal network and then focus on some juicy targets.
Another problem uncovered was the potential for unauthorized access of our infrastructure through a series of vulnerabilities. One consultant discovered a SQL injection vulnerability on an Internet-facing application and was able to issue a SQL query to obtain the password hash for a system account on one of our application servers. The password was cracked in six seconds.
That password was then used to access Microsoft Outlook Web Access, and the hacker/consultant was able to log in with the application service account. Service accounts should, as a matter of practice, never have email associated with them.
In any event, the consultant was able to enumerate our entire corporate directory and then choose the name of an employee who worked in the mailroom. He pulled as much information about that person as he could from the Internet, including home address, phone number and personal email address. Posing as the mailroom employee, the consultant called our help desk (he found the number on our corporate website). To validate the "user," the help desk technician only asked for his office extension. The hacker provided the number, and the tech cheerily reset the "user's" email password and issued him a temporary RSA SecurID passcode that was then used to log in to our employee VPN portal. From there, the hacker had access to our company intranet and various corporate applications.
As you can imagine, I have my work cut out for me. We need to establish new help desk procedures for validating employees, reconfigure a DNS server, plug SQL injection holes, incorporate two-factor authentication for Microsoft Outlook Web Access and review service accounts. Lastly, I need to figure out why my security team didn't detect any of the consultant/hacker's activity.
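The zone-transfer finding above is one that the security team could have caught from the DNS server's own logs. As an added example that is not part of the original column, the script below parses constructed BIND 9 style query-log lines (an assumed server type; the addresses are documentation ranges) and flags any AXFR or IXFR request that did not come from a hypothetical allow-list of authorized secondaries.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical allow-list of the secondaries permitted to pull the zone.
ALLOWED_SECONDARIES = [ip_network("192.0.2.10/32"), ip_network("2001:db8:10::/64")]

# Constructed BIND 9 style query-log lines (not taken from any real server).
SAMPLE_LOG = """\
12-Apr-2014 10:01:02.123 queries: info: client 192.0.2.10#53412 (example.com): query: example.com IN AXFR -T (198.51.100.5)
12-Apr-2014 10:01:05.456 queries: info: client 203.0.113.77#41002 (example.com): query: example.com IN AXFR -T (198.51.100.5)
12-Apr-2014 10:02:00.001 queries: info: client 203.0.113.77#41003 (example.com): query: www.example.com IN A -E (198.51.100.5)
12-Apr-2014 10:02:10.777 queries: info: client @0x7f3c1c0a2b10 198.18.0.9#6000 (example.com): query: example.com IN IXFR -T (198.51.100.5)
"""

# Newer BIND versions insert a "@0x..." client handle before the address.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<zone>[^)]+)\): query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

TRANSFER_TYPES = {"AXFR", "IXFR"}


def parse_query_line(line):
    """Return (client_ip, zone, query_type) or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("zone"), m.group("qtype")


def is_allowed_secondary(ip, allowed):
    addr = ip_address(ip)
    # Membership test across IPv4/IPv6 networks returns False on version mismatch.
    return any(addr in net for net in allowed)


def find_unauthorized_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Collect full/incremental zone transfers requested by non-secondaries."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ip, zone, qtype = parsed
        if qtype in TRANSFER_TYPES and not is_allowed_secondary(ip, allowed):
            findings.append((ip, zone, qtype))
    return findings


if __name__ == "__main__":
    for ip, zone, qtype in find_unauthorized_transfers(SAMPLE_LOG):
        print(f"ALERT: {qtype} of {zone} requested by non-secondary {ip}")
```

The same allow-list belongs in the server's transfer ACL so that an unauthorized request is refused as well as logged; this script only covers the detection half.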
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.