Security Manager's Journal: I hired a hacker
Some cleaning up is needed after a third party's penetration testing uncovers some disturbing findings.
Computerworld - A very important piece of my budget is the quarterly allotment for security assessments. I usually focus on physical penetration testing of our major facilities or assessments of critical applications or our own products. This quarter, though, I decided to hire a hacker.
While I'd like to think that we have a somewhat hardened shell, I know our infrastructure is not 100% secure. The only ways to discover where your vulnerabilities lie are to run an internal assessment or, better yet, hire a hacker to do it for you -- or at least a consultancy that specializes in penetration testing.
I figured we would get a more complete picture with a truly independent assessment from a third party. I imposed only one constraint on the consultant we hired: no denial-of-service attacks. With an outside firm, I could also test my security team's effectiveness at detecting suspicious activity, so I kept the engagement stealthy; only a few trusted individuals in the IT department knew about it. Another benefit of this approach is that we would get a better idea of how well our data leak prevention and security incident and event management systems were protecting us.
Other than a list of critical applications that I wanted assessed, I gave no detailed information to the consultants. I wanted them to hack us the same way a determined individual or organization would do it.
When the report came back two weeks later, one major finding was the discovery of an external DNS server that was advertising our internal address space. What's more, this DNS server was configured to allow anyone to transfer the zone information, including the mapping of our internal infrastructure and naming conventions. This information could be used by a hacker to, among other things, map out our internal network and then focus on some juicy targets.
Another problem uncovered was the potential for unauthorized access of our infrastructure through a series of vulnerabilities. One consultant discovered a SQL injection vulnerability on an Internet-facing application and was able to issue a SQL query to obtain the password hash for a system account on one of our application servers. The password was cracked in six seconds.
That password was then used to access Microsoft Outlook Web Access, and the hacker/consultant was able to log in with the application service account. Service accounts should, as a matter of practice, never have email associated with them.
In any event, the consultant was able to enumerate our entire corporate directory and then choose the name of an employee who worked in the mailroom. He pulled as much information about that person as he could from the Internet, including home address, phone number and personal email address. Posing as the mailroom employee, the consultant called our help desk (he found the number on our corporate website). To validate the "user," the help desk technician only asked for his office extension. The hacker provided the number, and the tech cheerily reset the "user's" email password and issued him a temporary RSA SecurID passcode that was then used to log in to our employee VPN portal. From there, the hacker had access to our company intranet and various corporate applications.
As you can imagine, I have my work cut out for me. We need to establish new help desk procedures for validating employees, reconfigure a DNS server, plug SQL injection holes, incorporate two-factor authentication for Microsoft Outlook Web Access and review service accounts. Lastly, I need to figure out why my security team didn't detect any of the consultant/hacker's activity.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Join in the discussions about security! Computerworld.com/blogs/security
More by Mathias Thurman
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies
- Security Manager's Journal: Found: 30 unmanaged servers that shouldn't be
- Security Manager's Journal: The ins and outs of extending DLP
- Security Manager's Journal: Move to hosted email opens new vulnerabilities
- Security Manager's Journal: Two big goals for 2014 budget won't require a lot of money
- Security Manager's Journal: When data classifications meet the real world
- Security Manager's Journal: Learning to let go and offshore
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts