With businesses dedicating substantial resources to cyber-security, deploying advanced solutions, and networks becoming increasingly complex, you could be forgiven for thinking that most breaches are the result of a vulnerability buried deep in software or application code. However, the reality couldn't be more different, and in our experience it is often a basic oversight that leaves an organisation vulnerable.
These often simple errors can undermine the most advanced security deployments, leaving a network vulnerable to attack. In my work as a penetration tester I see many of the same mistakes made repeatedly. Here are four of the most basic errors that we encounter that leave organisations vulnerable.
It's well known that hackers target weak passwords, especially once they have collected a cache of password hashes or usernames. So businesses respond by introducing measures to ensure that employees use stronger passwords.
However, password problems are not limited to mere strength. Password sharing (using the same password for different logins) is often the undoing of organisations during penetration testing. From an internal perspective this includes employees using the same password for general access to their machines as they do for more privileged network areas and for logging into third-party supplier portals. This not only makes any potential hacker's job easier, but also leaves a business vulnerable in the event of one of its suppliers being breached, as the attacker can re-use the same credentials to access other systems.
Our consultants often gain access to corporate systems on penetration tests using public 'leaks' of credentials from previous breaches of other companies' systems, where the same credentials are also used by internal employees. Organisations must encourage employees to use a unique password for each system and service they use. This should be promoted for any online services employees use outside of company systems too; there are many password management tools available that can help with this process.
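As an added example (not from the article or from SureCloud), here is a Python audit of a password-manager export that flags the two problems described above: the same password saved for several services, and a password that appears in a public breach corpus. The breach lookup is a local stand-in for a k-anonymity range query, in which only a short hash prefix would leave the client; the vault entries and the leaked passwords are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample: one user's saved logins, as a password manager export holds them.
VAULT = [
    ("workstation", "alice", "Summer2019!"),
    ("vpn", "alice", "Summer2019!"),                 # same password as the workstation
    ("supplier-portal", "alice@example.com", "Summer2019!"),
    ("hr-system", "alice", "correct horse battery staple"),
]


def sha1_hex(password):
    """Uppercase SHA-1 hex digest, the form used by common breach-corpus range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked-password corpus, indexed the way a range
# lookup returns it: 5-char hash prefix -> {35-char hash suffix: occurrence count}.
LEAKED_RANGES = defaultdict(dict)
for _pw in ("Summer2019!", "Password1"):        # hypothetical leaked passwords
    _h = sha1_hex(_pw)
    LEAKED_RANGES[_h[:5]][_h[5:]] = 1


def range_lookup(prefix):
    """Stand-in for the remote range query: only the 5-char prefix is sent,
    and every known suffix for that prefix comes back, so the full hash never leaves the client."""
    return LEAKED_RANGES.get(prefix, {})


def is_leaked(password):
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def audit_vault(entries):
    """Return findings as (kind, services) pairs: 'reused' when several services share a
    password, 'leaked' when the password is in the breach corpus. Entries are grouped by
    hash so the report itself never contains a plaintext password."""
    by_hash = defaultdict(list)
    for service, _username, password in entries:
        by_hash[sha1_hex(password)].append(service)
    findings = []
    for h, services in by_hash.items():
        if len(services) > 1:
            findings.append(("reused", sorted(services)))
        if h[5:] in range_lookup(h[:5]):
            findings.append(("leaked", sorted(services)))
    return findings


if __name__ == "__main__":
    for kind, services in audit_vault(VAULT):
        print(f"{kind}: {', '.join(services)}")
```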
Exposed administrative interfaces
Most organisations that we visit test their internal security policies and solutions rigorously, testing code, integration with the network and other applications. But by focusing on the fine detail, they risk losing sight of the bigger picture and making an error that leaves them exposed.
The most common problem caused by this mindset is an exposed administrative interface. I recently did a penetration test for a large organisation that had just launched a new website. Following initial testing the website appeared to be well secured, but after further probing we found the files for the test site, which included a link to an administrative interface with weak credentials, enabling us not only to take complete control of the website but also to gain access to the company network by compromising the web server. While the project team had gone above and beyond to ensure the site wasn't susceptible to other common attacks, one oversight had left an otherwise secure site vulnerable.
So it's critical that all 'test' functionality is correctly removed before websites and systems are put into production. In addition, administrative interfaces should only ever be accessible from trusted networks (such as the LAN or the VPN), with strong credentials set for all accounts.
Unprotected smart devices
The Internet of Things is in its infancy, but this hasn't prevented internet-connected appliances from being used within businesses, creating a targetable soft spot within their network infrastructure.
Some of our recent projects have demonstrated weaknesses in smart TVs that can be compromised either via a Wi-Fi connection or, quite commonly, via their Bluetooth functionality. Once the TV is compromised it can be used as a stepping-stone into the corporate network or turned into a listening device for attackers to harvest company information.
Organisations can avoid common weaknesses in smart devices by disabling unnecessary functionality and keeping such devices up to date, just as they would any other corporate system. Additionally, these devices should be secured like any other device, for example ensuring that default passwords/settings are changed.
Subverted business logic
The logic used by many IT teams when deploying a solution is to ensure that the latest piece of software integrates with existing systems, delivers the required innovation and that it is secure. It almost resembles a flow chart of check-boxes, which in many cases reflects standard operating procedure for IT departments.
However, this approach fails to consider the logic that cyber-criminals will use, and relies heavily on the assumptions of people who have no intention of trying to infiltrate a network. As a result, when a hacker targets a company they are playing by a different set of rules: they find ways to subvert the rationale of the development team, and look for ways to use the very technology designed to protect an organisation against them.
When deploying or developing new solutions and applications, organisations must approach security from the perspective of a would-be attacker. By adopting this approach to security they will level the playing field and prevent vulnerabilities from appearing in the first place. With these tips in mind, businesses can help to ensure that they don't fall foul of that one vulnerability they 'forgot'.
Contributed by Luke Potter, operations manager at SureCloud