
Page 1: 10 Vulnerabilities Hackers Love to Exploit November 13, 2018 › UserFiles › File › 10...10 Vulnerabilities Hackers Love to Exploit November 13, 2018 Dan Desko • Shareholder,

11/13/2018

1

10 Vulnerabilities Hackers Love to Exploit

November 13, 2018

Dan Desko

• Shareholder, Cybersecurity & IT Risk Advisory Services
• CISA (Certified Information Systems Auditor)
• CISSP (Certified Information Systems Security Professional)
• CTPRP (Certified Third-Party Risk Professional)
• 14 years of experience, began career working in IT
• Current outgoing ISACA Pittsburgh chapter president
• Experience in delivering IT Audit, IT Security Services, Penetration Testing and Vendor Risk Management services to a variety of industries
• Responsible for product delivery, client satisfaction and quality control

What We Do

• Provide penetration testing services that utilize realistic cyberattack methodologies and tools to help identify issues before the “bad guys” are able to exploit them.

• Provide remediation recommendations for discovered vulnerabilities and cybersecurity risks.

• Provide guidance and review throughout the remediation process for recommended security changes.

• Assist clients during and after data breach scenarios, aka incident response services.


Agenda

• Current State of Cybersecurity

• 10 Vulnerabilities
– Background
– Client Experiences
– Demos
– Recommendations
– Takeaway Questions

• Q & A

State of Cybersecurity

The following slides are highlights of the 2018 Verizon Data Breach Incident Report (DBIR)

State of Cybersecurity

• The important thing to note on this slide is that the majority of breaches occur by outsiders, but we can’t forget about the insiders as well (28%).

• The other important takeaway is that the attackers are organized criminal groups; they’re run like businesses.


State of Cybersecurity

• Contrary to common belief, not all hacks involve a virus/malware. Only 30% of these breaches involved malware; what were the other 70%?
– Stolen User Credentials
– Social Attacks
– Physical Access
– Incorrect Privileges

State of Cybersecurity

• A large mass of breaches occur through some sort of email attack such as Phishing
– Firewall technology has come a long way; humans are often the weakest link in your security
– Traditional AV alone isn’t great at spotting malware

• A significant majority of the breaches were financially motivated

• A large number of breaches were not discovered by the breached entity, but rather by a third party; a nightmare PR scenario.

State of Cybersecurity

The length of time it takes to discover a breach is far longer than it takes to compromise. We need to close this gap.


POLL QUESTION #1

Are you confident that your IT department would recognize if your systems had been hacked?

– Very Confident
– Somewhat Confident
– Little Confidence
– Confidence, what Confidence?

State of Cybersecurity

State of Cybersecurity

Photos from KrebsOnSecurity.com


State of Cybersecurity

State of Cybersecurity

One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.

Agenda

• Current State of Cybersecurity

• 10 Vulnerabilities
– Background
– Client Experiences
– Demos
– Recommendations
– Takeaway Questions

• Q & A


POLL QUESTION #2

I use the password for my work account in multiple places (e.g. Facebook, Google, etc.)? Please note: Answers remain anonymous.

– True
– False

01 – Password Issues

• Default passwords
• Passwords that never expire
• Passwords that are the same as usernames
• Passwords reused across multiple accounts
• Improper password storage
• Improper password transmission
• Insufficient password requirements
• Weak passwords that meet sufficient requirements

– P@ssw0rd123
– SportsTeam2018!
– C0mp@nyName?
– M0nth-$eas0n

DEMO - Capturing Hashes


DEMO - Cracking Hashes

Password Cracking Analysis

01 – Password Issues

Mitigations

• NIST Password Policy Recommendations
– 12 or More Characters / 3 out of 4 Complexity
– Restrict Common Passwords
– Restrict Months / Seasons / Sports Teams
– Restrict Company Specific Terms
– Expire Less Frequently

• Disabling Built-In Windows Accounts

• Remove Administrative Privileges

• Assess How “Crackable” Your Passwords Are

• Password Management (e.g., LastPass)

• Employee Training
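A password-policy check that implements the recommendations above (an added example, not code from the presentation): it applies the 12-character / 3-of-4 rule, then undoes the leet substitutions that cracking wordlist rules try before matching against deny-lists of common passwords, months and seasons, sports teams and company terms, so the "weak but compliant" examples from the previous slide are rejected. The deny-lists, team names and company terms are constructed samples.

```python
import re

# Constructed sample deny-lists; a real deployment would load full lists
# (a breached-password corpus, every local team name, company product names).
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "123456"}
MONTHS_SEASONS = {"spring", "summer", "fall", "autumn", "winter", "january",
                  "february", "march", "april", "june", "july", "august",
                  "september", "october", "november", "december"}  # "may" omitted: too short
SPORTS_TEAMS = {"sportsteam", "steelers", "penguins", "pirates"}  # constructed samples
COMPANY_TERMS = {"companyname", "acme"}                           # hypothetical company

# Cracking wordlist rules try these substitutions; applying the same table
# here lets the policy recognise "P@ssw0rd" as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "$": "s", "5": "s", "3": "e", "7": "t"})

def normalize(pw):
    """Lower-case the candidate and undo leet substitutions."""
    return pw.translate(LEET).lower()

def complexity_classes(pw):
    """Count the character classes present: lower, upper, digit, symbol."""
    return sum(bool(re.search(p, pw))
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))

def check_password(pw):
    """Return the list of policy rules the candidate violates (empty = accepted)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if complexity_classes(pw) < 3:
        problems.append("fewer than 3 of 4 character classes")
    base = normalize(pw)
    for label, words in (("common password", COMMON_PASSWORDS),
                         ("month/season", MONTHS_SEASONS),
                         ("sports team", SPORTS_TEAMS),
                         ("company term", COMPANY_TERMS)):
        hits = [w for w in words if w in base]
        if hits:
            problems.append(f"contains {label}: {hits[0]}")
    return problems
```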


01 – Takeaway Questions

“Are we protecting/limiting any built-in Administrator accounts?”

“How strong are our passwords?”

“Are we effectively blacklisting common passwords?”

“How do our users store / share passwords?”

02 – Single-Factor Authentication

DEMO - Password Spraying


02 – Single-Factor Authentication

Mitigations

• Block all foreign IPs (if possible)

• Detect, then block or shun IP
– Failed Login Attempts (Volume / Origin)
  • Windows Event Log ID: 4625

• Implement multi-factor authentication
– Application (DUO, Google Authenticator, etc.)
– SMS
– Physical Token (Yubikey)

02 – Takeaway Questions

“Can we effectively detect password spraying on all external logins?”

“Do we block/shun IP addresses that spray us?”

“Do we check for successful login attempts from a spray attack and then change their password?”

POLL QUESTION #3

How many times have you been phished in the last month?

– 1-3 times
– 4-10
– 10+
– I can’t tell!


03 – Susceptibility to Phishing

2018 Data Breach Investigation Report

• Phishing is involved in over 90% of all data breaches and cybersecurity incidents

03 – Susceptibility to Phishing

– Credential Harvesting
  • Cloned Login Page
  • Password Checker

03 – Susceptibility to Phishing

– Payload Execution
  • Remote Session
  • Ransomware


03 – Susceptibility to Phishing

Mitigations

• Review and Purchase Top 10 Similar Domains

• Properly Configure Spam Filters
– Block Similar Domains, New Domains, Known Bad Domains
– Block Keywords
– Block Certain Attachments (.EXE / .BAT / .VBS)

• Advanced Anti-Phishing Software (e.g., Mimecast)
– Algorithmic Spam Filter (Impersonations, Context, Domain Reputation)
– Rewrite Links
– Sandbox Attachments

• Employee Training
– Frequent Internal Simulations
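The "block similar domains" spam-filter rule can be implemented as a sender-domain check like the following (an added example, not from the presentation or from any named product): the sender's registrable domain is normalised for common homoglyph substitutions and compared by edit distance with the organisation's own domains. The `example.com` protected domain and the substitution table are constructed, and the two-label registrable-domain rule is a simplification that ignores multi-part public suffixes.

```python
# Look-alike substitutions commonly seen in impersonation domains (constructed table);
# the normalised form is compared against the protected domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def registrable_domain(domain):
    """Last two labels (simplification: ignores public suffixes such as co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def normalize_domain(domain):
    """Registrable domain with homoglyph substitutions undone."""
    d = registrable_domain(domain)
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d

def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(sender_domain, protected_domains, max_distance=2):
    """Return 'trusted', 'lookalike:homoglyph', 'lookalike:distance=N' or 'unrelated'."""
    sender = registrable_domain(sender_domain)
    if sender in protected_domains:
        return "trusted"  # exact match; SPF/DKIM/DMARC must still verify it is not spoofed
    best = None
    for prot in protected_domains:
        if normalize_domain(sender) == normalize_domain(prot):
            return "lookalike:homoglyph"
        d = levenshtein(sender, prot)
        best = d if best is None else min(best, d)
    if best is not None and best <= max_distance:
        return f"lookalike:distance={best}"
    return "unrelated"

PROTECTED = {"example.com"}  # constructed stand-in for the organisation's own domains
```

Domains classified as look-alikes are candidates both for the spam-filter block list and for the "purchase similar domains" review above.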

03 – Takeaway Questions

“How advanced does a phishing attempt need to be to evade our spam filters?”

“Are we performing phishing simulations that sufficiently expose users to all phishing variants?”

“Do we have an effective communication channel for end-user reporting that initiates response workflow?”

04 – Overly Permissive Local Admin Rights

• Many organizations are not restricting local admin rights due to technical and/or cultural challenges

• Obtaining local admin rights is a huge advantage for a hacker
– Many offensive techniques require local admin rights
– Bypassing endpoint protections and security controls is often possible with local admin rights
– Local admin rights often translate to remote access
– Local admin rights are often shared across multiple machines, leading to widespread compromise


DEMO – Abusing Local Admin Rights

04 – Takeaway Questions

“What users have local admin rights to what systems, and why?”

“What users have elevated permissions, and why?”

“Do all of those service accounts really need Domain Admin rights?”

“Is each exception to the rule documented and given additional protections?”

05 – Ineffective Anti-Virus

• Not all anti-virus products are the same

• Blind spots
– Default exclusions (certain file types, certain folders, etc.) can be exploited by attackers

• Signature-based detection ONLY
– Can be evaded by basic obfuscation techniques

• Software flaws
– Some Anti-Virus products can be easily disabled by terminating services on the endpoint


05 – Ineffective Anti-Virus

Mitigations

• Selection Process
– Ensure that your anti-virus product has behavioral analysis and memory scanning capabilities
– Only looking for bad file signatures is not effective

• Proper Configuration
– Ensure that your Anti-Virus product is configured to utilize its full potential

• Routine Testing and Review
– Review configuration
– Confirm desired capabilities

• Update Definitions Automatically upon Release

05 – Takeaway Questions

“Is our anti-virus product configured and utilized to its fullest potential?”

“How easily can our anti-virus product be tricked or evaded?”

“Do we really need all of those manually added file and folder exclusions?”

“Can end users turn off our anti-virus?”

06 – Lack of Encryption

Effective encryption measures mitigate the following threats:

– Lost/stolen endpoints
– Lost/stolen mobile devices
– Lost/stolen portable media storage devices
– Boot device attacks

Without encryption, any lost or stolen device is a potential data breach: it is very easy for someone to read the data from an unencrypted device without credentials.

Without encryption, a physical attacker can boot an endpoint into a VM and export sensitive data, and even dump system credentials.


06 – Lack of Encryption

Mitigations

• Database Encryption
– Encrypt databases, full database encryption or specific columns

• Laptops AND Desktops
– Utilize built-in TPM endpoint encryption capabilities

• Mobile Devices
– Advanced mobile device management product (e.g., Airwatch)

• Portable Media Storage Devices
– Enforce encryption of all USB devices containing sensitive data

DEMO - Unencrypted HD Hash Dump

06 – Takeaway Questions

“Do we have any unencrypted devices (including desktops) within our organization?”

“How likely is it for a device to become lost/stolen?”

“Do we have any unencrypted databases that contain sensitive data?”


07 – Data Governance Issues

Users storing sensitive data in unprotected locations

Why hack the SQL database when sensitive data can be found in someone’s Desktop or My Documents folder?

07 – Data Governance Issues

Mitigations

• Policy
– Data classification/usage policies and procedures

• Enforcement
– Advanced data governance product (e.g., Digital Guardian, Spirion)

• Audit
– Routinely identify and remediate exceptions to policies

• Employee Training

07 – Takeaway Questions

“Who has access to what data and why?”

“Are users storing sensitive data in unprotected locations?”

“What exceptions exist within our network file share permissions?”


08 – Flat Networks

Networks that allow full direct communication.

Lateral movement is much easier when an attacker has access to a wide range of communication protocols across the entire network.

• Network Enumeration
• Vulnerability Scans
• Download Tools
• Remote Code Execution
• Authentication Protocols
• File Transfers

08 – Flat Networks

Mitigations

• Network Segmentation
– Divide network into logical and physical groups
– Use and restrict virtual local area networks (VLAN)
– Protect the most critical systems from being easily accessible from anywhere on the network

• Local Firewall Restriction
– Block / restrict ports on each system
– Only allow communication that is necessary (inbound and outbound)

08 – Takeaway Questions

“Is it possible to scan our entire network (including servers) from a single endpoint?”

“Why can our user endpoints ping each other?”

“Is it possible for us to restrict all unnecessary communication within our network?”

“Is our guest wireless truly segmented as intended?”


09 – Poor Security Monitoring

Are you confident that you would detect a data breach?

09 – Poor Security Monitoring

Commonly Undetected Hacking Activities:

• Phishing attempts

• Password spraying (Failed Login Attempts)

• AD enumeration as a standard user from a remote non-domain system

• NMAP scans of various types (Internal / External)

• Nessus scans of various types (Internal / External)

• Use of PowerShell based malware

• Code execution via SMB (CrackMapExec) on numerous systems

• Duplication and extraction of a shadow copy from a domain controller

• Widespread rapid use of a single user’s credentials on multiple systems

Without detection capabilities, an attacker can utilize more aggressive tactics that generate more logs and activity but are also more successful.
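Two of the activities listed above, password spraying (section 02, Windows Event ID 4625) and widespread rapid use of a single user's credentials, can be caught from the logon events most organisations already collect. The following detection logic is an added example, not code from the presentation: it runs over constructed, simplified event records and reports (a) source IPs whose failed logons cover many distinct accounts in a short window, together with any successful logon from that IP (the account to reset, per the section 02 takeaway), and (b) accounts that log on to many hosts within minutes. The record format, thresholds and hostnames are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, simplified to "timestamp,event_id,user,source_ip,host"
# (a real collector would take these fields from Security events 4625 and 4624).
SAMPLE_EVENTS = """\
2018-11-13T08:00:01,4625,alice,203.0.113.5,VPN01
2018-11-13T08:00:02,4625,bob,203.0.113.5,VPN01
2018-11-13T08:00:03,4625,carol,203.0.113.5,VPN01
2018-11-13T08:00:04,4625,dave,203.0.113.5,VPN01
2018-11-13T08:00:05,4625,erin,203.0.113.5,VPN01
2018-11-13T08:00:09,4624,frank,203.0.113.5,VPN01
2018-11-13T08:30:00,4625,alice,10.1.1.20,WS01
2018-11-13T09:00:00,4624,svc_backup,10.1.1.50,FS01
2018-11-13T09:00:05,4624,svc_backup,10.1.1.50,FS02
2018-11-13T09:00:09,4624,svc_backup,10.1.1.50,DC01
2018-11-13T09:00:12,4624,svc_backup,10.1.1.50,WS07
2018-11-13T09:00:15,4624,svc_backup,10.1.1.50,WS08
"""

def parse_events(text):
    """Parse the simplified records into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, ip, host = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user, "ip": ip, "host": host})
    return events

def _distinct_within(items, key, window, threshold):
    """Earliest sliding window in which `key` takes >= threshold distinct values."""
    items = sorted(items, key=lambda e: e["ts"])
    for i, first in enumerate(items):
        seen = {e[key] for e in items[i:] if e["ts"] - first["ts"] <= window}
        if len(seen) >= threshold:
            return seen
    return None

def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs whose 4625 failures cover >= min_users accounts inside the
    window, plus any 4624 success from the same IP (accounts to reset)."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            fails[e["ip"]].append(e)
    alerts = {}
    for ip, evs in fails.items():
        users = _distinct_within(evs, "user", window, min_users)
        if users:
            hits = sorted({e["user"] for e in events if e["id"] == 4624 and e["ip"] == ip})
            alerts[ip] = {"accounts_tried": len(users), "successful_logons": hits}
    return alerts

def detect_rapid_credential_use(events, window=timedelta(minutes=5), min_hosts=5):
    """Accounts with successful logons (4624) to >= min_hosts hosts inside the window."""
    logons = defaultdict(list)
    for e in events:
        if e["id"] == 4624:
            logons[e["user"]].append(e)
    return {user: sorted(hosts) for user, evs in logons.items()
            if (hosts := _distinct_within(evs, "host", window, min_hosts))}
```

Thresholds should be tuned against a baseline of normal activity (e.g. service accounts that legitimately touch many hosts) before the alerts are wired into a block/shun action.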

DEMO - BloodHound


DEMO - BloodHound

The GUI output from BloodHound has a default query to identify the shortest attack path to Domain Admin.

09 – Poor Security Monitoring

Mitigations

• System Logs
– Ensure all desired logs are being collected properly

• Network Traffic
– Network traffic should be monitored with effective rulesets to alert on specific activity thresholds

• Configuration/Design
– Ensure specific detection capabilities for each intended attack scenario
– Validate capabilities with routine attack simulations

09 – Takeaway Questions

“How many of the top hacker techniques can we effectively detect?”

“Are we routinely validating our detection capabilities with simulated attack scenarios?”

“Does each of our detection alerts initiate an appropriate incident response workflow?”


10 – Unpatched Systems

DEMO - Exploiting ETERNAL BLUE

10 – Takeaway Questions

“Are there any systems on our network not receiving security patches?”

“Do we run our own internal vulnerability scans?”

“Are we also patching applications?”

“Do we have a process in place for emergency patching?”


*11 – Physical Access Control Gaps

Commonly identified physical access control gaps:

• Overly agreeable guards/receptionists
• Unlocked doors
• Unlocked and unattended systems
• Back doors that can be tailgated
• Motion sensors that can be hacked
• Security camera blind spots
• Unsecured vents
• Drop ceilings
• Unsecured network closets

Why hack a system when you can just walk up to it, sit down and access it?

*11 – Physical Access Control Gaps

*11 – Physical Access Control Gaps

“We damaged a fiber optic cable nearby and need to look at your data center to make sure your network performance wasn’t affected.”


DEMO - Hacking a Motion Sensor

11 – Takeaway Questions

“How difficult would it be for someone to access our internal office space?”

“Does everyone question the presence of someone they don’t know?”

“How many of our users leave their systems unlocked during breaks?”

Agenda

• Current State of Cybersecurity

• 10 Vulnerabilities
– Background
– Client Experiences
– Demos
– Recommendations
– Takeaway Questions

• Q & A
– [email protected]
– Cell: 412-607-5562