Even in 2016, poor security practices are ubiquitous and provide a medium for hackers to compromise networks and critical infrastructure.
What are some examples of poor security practices you may be guilty of?
Implementing insecure services:
- Telnet – this is one of the worst services you can have open on your network. Telnet provides no encryption, which means your login and password are sent across the network in the clear every time you log in, and once logged in every action you take at the command line can be captured as ASCII clear text. Even using telnet internally is poor practice, as an insider can still capture this traffic. The devices and servers that most commonly still run telnet are legacy Unix servers; these reveal OS and kernel information as well, giving an attacker the chance to find an exploitable vulnerability for the host. Additionally, virtually every telnet daemon has an exploit for it that brute-forces offsets until it successfully exploits the system. Common Unix systems vulnerable to these attacks are every version of Linux, Solaris, IRIX and *BSD. If you must use telnet, use it with SSL over port 993.
- FTP – just like telnet, all credentials are sent in clear text, and exploits exist for virtually all major FTP server distributions; wu-ftpd and proftpd are prime examples. To use FTP securely, use a client such as FileZilla and connect via SFTP over SSH.
- E-mail sending and reading – using SMTP over port 25 to send mail and POP3 over port 110 or IMAP4 over port 143 to read it basically means you are inviting others to view your conversations. These protocols are not secure by themselves. Always run these services with SSL, or encrypt e-mails before sending them.
- Network printers – among the most commonly vulnerable devices in your organization. Printers may seem harmless and are usually neglected once they are turned on. The administrator account is usually not password protected, allowing anyone with physical access to walk up and enable services or install software directly on the machine. By default, printers usually run unnecessary services such as telnet, FTP, SNMP and unencrypted, remotely accessible HTTP servers for management. High-end printers these days have enough RAM or hard drive space that an attacker can install a small Linux operating system on the machine, or a backdoor service such as the Dropbear SSH daemon, giving them remote access to the device. Printers are often left off network scan lists, which prevents their vulnerabilities from even being discovered until it is too late.
- Lack of proper ACLs – allowing remote access to services such as SNMP, DNS, NTP, SSDP, TFTP and Chargen, to name a few. These services should be ACL-protected so that only internal and trusted systems can query them; they should never respond to outside requests. Attackers can leverage these UDP-based services to turn them into attack machines in a DrDoS botnet. For instance, if an NTP service responds to a monlist request, the server returns the list to the host that requested it, and that response is around 512 bytes. This may seem harmless, but given that there are 10,000+ NTP servers on the internet today that will answer this request from outside, and that the request itself is only a few bytes, an attacker can issue the command thousands of times across thousands of servers while spoofing the return address to that of a target, resulting in gigabytes per second flooding the target's network.
- Auto-lockout and lazy employees – another concern: employees who do not lock or log out of their workstations when leaving the room or area leave their system available for an insider threat to simply walk up and install a backdoor or access sensitive data.
- Web servers – in particular web servers that allow authentication over port 80 and don't force SSL. Once again, registration information, which may include personally identifiable information (PII) as well as usernames and passwords, is passed in clear text. Administration login pages should also force HTTPS, but additionally they should not be publicly accessible: your admin login page must be ACL-restricted to prevent brute-force attacks and other attacks such as pass-the-hash and authentication bypass.
- PKI & tokens – Public Key Infrastructure is crucial in today's world; all employees and administrators should take logins and passwords out of the picture completely. Users write down their login information and put it on sticky notes, and they are vulnerable to shoulder surfing and keylogger attacks. Smart cards and multi-factor authentication are the best protection from this: even if someone is able to guess a user's smart card PIN, they would still need physical access to the card itself to log in. Taking it a step further, RSA tokens are an even stronger technique, as the token generates a new PIN every 60 seconds; if someone is able to guess or identify the PIN a user logged in with, after 60 seconds it will no longer be of any use to them. An additional layer should be added when using tokens: require the owner of the token to also set a password or PIN of their own, so that when they log in to a site they have to type in their own PIN/password and then the RSA token PIN.
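The checklist above can be applied mechanically to a service inventory. The following audit script is an added example, not code from the original post; the inventory it runs over is constructed, and the `Service` record (host, protocol, port, whether the port is reachable from outside, and the URL path for HTTP listeners) is an assumed input format, not any particular scanner's output.

```python
"""Flag the insecure-service patterns from the checklist in a service inventory."""
from dataclasses import dataclass

# Services whose logins and traffic travel in clear text (telnet, FTP, SMTP, POP3, IMAP).
CLEARTEXT = {("tcp", 23): "telnet", ("tcp", 21): "ftp", ("tcp", 25): "smtp",
             ("tcp", 110): "pop3", ("tcp", 143): "imap"}
# UDP services that answer anyone and can be abused as reflectors in a DrDoS botnet.
UDP_REFLECTORS = {161: "snmp", 53: "dns", 123: "ntp", 1900: "ssdp",
                  69: "tftp", 19: "chargen"}


@dataclass
class Service:
    host: str
    proto: str       # "tcp" or "udp"
    port: int
    external: bool   # True if the port answers requests from outside the network (no ACL)
    path: str = ""   # for HTTP listeners: the login/admin URL path served, if any


def audit(services):
    """Return (host, finding) pairs for every checklist violation found."""
    findings = []
    for s in services:
        name = CLEARTEXT.get((s.proto, s.port))
        if name:
            findings.append((s.host, f"{name} sends credentials in clear text; use its TLS/SSH variant"))
        if s.proto == "udp" and s.port in UDP_REFLECTORS and s.external:
            findings.append((s.host, f"{UDP_REFLECTORS[s.port]} answers outside queries; ACL it to trusted hosts"))
        if s.proto == "tcp" and s.port == 80 and s.path:
            findings.append((s.host, f"login page {s.path} served over HTTP; force HTTPS"))
            if s.external and "admin" in s.path:
                findings.append((s.host, f"admin page {s.path} is publicly reachable; restrict it by ACL"))
    return findings


# Constructed inventory: a legacy Unix box, a printer, an NTP server and a web server.
INVENTORY = [
    Service("legacy-unix", "tcp", 23, external=False),
    Service("printer-1", "tcp", 21, external=False),
    Service("printer-1", "udp", 161, external=True),
    Service("ntp-1", "udp", 123, external=True),
    Service("web-1", "tcp", 80, external=True, path="/admin/login"),
    Service("web-1", "tcp", 443, external=True, path="/login"),
]

if __name__ == "__main__":
    for host, finding in audit(INVENTORY):
        print(f"{host}: {finding}")
```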