Security Manager's Journal: I hired a hacker
Some cleaning up is needed after a third party's penetration testing uncovers some disturbing findings.
Computerworld - A very important piece of my budget is the quarterly allotment for security assessments. I usually focus on physical penetration testing of our major facilities or assessments of critical applications or our own products. This quarter, though, I decided to hire a hacker.
While I'd like to think that we have a somewhat hardened shell, I know our infrastructure is not 100% secure. The only ways to discover where your vulnerabilities lie are to run an internal assessment or, better yet, hire a hacker to do it for you -- or at least a consultancy that specializes in penetration testing.
I figured we would get a more complete picture with a truly independent assessment from a third party. I imposed only one constraint on the consultant we hired: no denial-of-service attacks. With an outside firm, I could also test my security team's effectiveness at detecting suspicious activity, so I kept the engagement stealthy; only a few trusted individuals in the IT department knew about it. Another benefit of this approach is that we would get a better idea of how well our data leak prevention and security incident and event management systems were protecting us.
Other than a list of critical applications that I wanted assessed, I gave no detailed information to the consultants. I wanted them to hack us the same way a determined individual or organization would do it.
When the report came back two weeks later, one major finding was the discovery of an external DNS server that was advertising our internal address space. What's more, this DNS server was configured to allow anyone to transfer the zone information, including the mapping of our internal infrastructure and naming conventions. This information could be used by a hacker to, among other things, map out our internal network and then focus on some juicy targets.
Another problem uncovered was the potential for unauthorized access of our infrastructure through a series of vulnerabilities. One consultant discovered a SQL injection vulnerability on an Internet-facing application and was able to issue a SQL query to obtain the password hash for a system account on one of our application servers. The password was cracked in six seconds.
That password was then used to access Microsoft Outlook Web Access, and the hacker/consultant was able to log in with the application service account. Service accounts should, as a matter of practice, never have email associated with them.
In any event, the consultant was able to enumerate our entire corporate directory and then choose the name of an employee who worked in the mailroom. He pulled as much information about that person as he could from the Internet, including home address, phone number and personal email address. Posing as the mailroom employee, the consultant called our help desk (he found the number on our corporate website). To validate the "user," the help desk technician only asked for his office extension. The hacker provided the number, and the tech cheerily reset the "user's" email password and issued him a temporary RSA SecurID passcode that was then used to log in to our employee VPN portal. From there, the hacker had access to our company intranet and various corporate applications.
As you can imagine, I have my work cut out for me. We need to establish new help desk procedures for validating employees, reconfigure a DNS server, plug SQL injection holes, incorporate two-factor authentication for Microsoft Outlook Web Access and review service accounts. Lastly, I need to figure out why my security team didn't detect any of the consultant/hacker's activity.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Join in the discussions about security! Computerworld.com/blogs/security
More by Mathias Thurman
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies
- Security Manager's Journal: Found: 30 unmanaged servers that shouldn't be
- Security Manager's Journal: The ins and outs of extending DLP
- Security Manager's Journal: Move to hosted email opens new vulnerabilities
- Security Manager's Journal: Two big goals for 2014 budget won't require a lot of money
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts