[ISN] Security audit

From: InfoSec News (isn@private)
Date: Thu Oct 23 2003 - 00:42:25 PDT

  • Next message: InfoSec News: "[ISN] Defense Department begins six months of IPv6 interoperability tests"

    http://www.nwfusion.com/research/2003/1020audit.html
    
    By Joel Shore
    Network World, 10/20/03
    
    Only a security audit can expose the truth about a network's
    vulnerability. To see how well-prepared a typical enterprise network
    is, we found a business willing to let us tag along while a
    professional auditing company poked and probed 28 of its servers, and
    then delivered its findings in a face-to-face meeting.
    
    The results were frightening - and should sound the alarm for IT
    directors everywhere.
    
    The company, a major New England medical center (we agreed to conceal
    the name), has thousands of network devices, but had never been
    audited. It relies instead on a "high level of confidence in our
    senior engineers and technicians," says the company's technical
    services director. The idea of an audit, he concedes, had "come to
    mind time and again."
    
    Finally, the time had come.
    
    
    Let the audit begin
    
    Networks Unlimited operates from a 19th-century hilltop Victorian
    mansion framed by giant sycamore trees. The Hudson, Mass., company
    audits a diverse mix of businesses - banks, retailers, law firms and
    government agencies - and provides security solutions. Business is
    booming.
    
    The purpose of a security audit, says company President Harry Segal,
    is not to access or corrupt sensitive data. Rather, it is a controlled
    demonstration that these acts could be carried out. Documenting the
    breaches and identifying files at risk makes you a security auditor.  
    Access those files and you've crossed the line into hackerdom.
    
    In what was once the dining room, under an ornate gas-lit chandelier,
    Segal and security engineer Shawn Bernard huddle over a PC, eager to
    begin a complete security audit of 28 servers, hand-picked from
    hundreds by the hospital's IT staff. Sitting under a wall adorned with
    security and vendor certifications, they'll pass this night probing
    the network, searching for weaknesses, exposing the potential for
    digital dastardliness. Two weeks later they'll present their findings
    - and advice - to managers in the hospital's technical services group.
    
    Bernard is gregarious, quick to talk about his family and just as
    quick to note that he maintains close ties to the hacker community -
    to better learn about their latest exploits, techniques and tools.  
    Segal spent years at NEC Information Systems and erstwhile modem maker
    Microcom.
    
    "We will always find issues that must be addressed quickly," Segal
    says. The top reason for security breakdowns, he says, is almost
    laughable: company policies that limit server maintenance to just a
    few weekend hours. "If you discover a security breach - fix it! Now!"  
    he says. "Wait for the weekend maintenance window, and by Monday there
    might be no business to come back to."
    
    Bernard's PC is loaded with a software smorgasbord any hacker would
    envy; his tool of choice is Internet Scanner from Internet Security
    Systems. Internet Scanner provides automated network-vulnerability
    assessment across servers, desktops and infrastructure devices. It
    also probes network services, operating systems, routers, switches,
    servers and firewalls.
    
    "We'll be testing for 1,211 different types of vulnerabilities,"  
    Bernard says. One mouse click, and the audit is underway.
    
    Segal adds that this audit is testing only for vulnerabilities from
    the outside world. A complete audit would also look for - and
    inevitably would find - internal vulnerabilities.
    
    This audit is somewhat different than most because the IT staff was
    warned. Usually, the rank-and-file IT staff receives no advance
    notice. It's not until the final report is presented at a department
    meeting that the secret is revealed. "We don't want people running
    around in a frenzy plugging holes," Segal says. "An audit should be a
    snapshot of business as usual."
    
    
    Easy access - too easy
    
    As Segal is talking, Bernard suddenly perks up. He's discovered what
    seems, at first, merely odd, then surprising, then unimaginable.  
    "We've found servers running Compaq's Insight Web management
    software," he says. "This is not a good thing."
    
    By using one server as a proxy, the other servers let Bernard bypass
    the perimeter security of the network firewall. In just moments, he
    gains access to a BayStack hub, residing between two Nokia firewall
    devices. The hub's factory default password was still in place, easy
    pickings for an attacker who quickly could disable the device,
    plunging an entire network segment into digital darkness.
    
    "This is pretty serious," Bernard says, noting that it might be
    possible to reach any of the hospital's hundreds of servers, not just
    the 28 in this audit. Bernard takes a few notes and moves on.
    
    Probing further, Bernard stumbles across a Compaq server running the
    hospital's HP Jetadmin printer-management software. Why this
    application or the Insight Web management software would be Internet
    facing, that is, visible to anyone who would bother to look, is
    anyone's guess. Although possibly no more than a configuration error,
    it is akin to a flashing neon sign, extending an engraved invitation
    to the malicious mind bent on amusement or criminal mischief. Except
    that neither Bernard nor an attacker would know the password.
    
    Not a problem. He visits a favorite Web site, one that, for better or
    worse, publishes common logon ID and password combinations for
    thousands of products.
    
    It takes one try. One try! We're in. We see the name, model, network
    address and physical location of each printer. We can check toner
    levels, firmware version numbers, page counts. Could we actually
    intercept a print job? Anything is possible. Not easy, but possible.
    
    "I can go in and change the control-panel language on hundreds of
    printers," Bernard says. "I can swap queues. I can send print jobs to
    every printer saying 'you've been hacked.' I can take them offline. I
    am in total command."
    
    But wait, there's more.
    
    * Bernard finds a server running an outdated copy of Microsoft
      Internet Information Services that's badly in need of an updated
      security patch.
    
    * A mail server is running the Simple Mail Transfer Protocol verify
      command, which an attacker could use to validate the existence of
      specific e-mail accounts.
    
    * A proxy service, vulnerable to a denial-of-service attack, is
      several patches out of date.
    
    * A server running the pcAnywhere remote-access program is discovered.
    
    * A server is running Network News Transfer Protocol, a service that
      could let users post to and read from newsgroups without
      authorization.
    
    * Ports galore are open, for no apparent reason.
    
    With the sun rising, Segal and Bernard call it quits. Confident that
    the breaches they've unearthed is enough to mortify IT director, they
    save their mountains of data, log off and head home.
    
    Tomorrow, the pair will start compiling the results from thousands of
    port scans, vulnerability checks and surveys of software versions,
    resulting in a report nearly an inch thick. Then it's off to the
    client with the bad news.
    
    
    Don't shoot the messenger
    
    Two weeks later, we pile into Segal's minivan. It's report-card day,
    when the hospital's IT staff learns if its network is healthy or needs
    immediate surgery. As we enter an IT conference room, the technical
    services director and about 15 staffers shuffle in, coffee mugs in one
    hand, notepads in the other. Expressions range from "I think we're OK"  
    to downright fear.
    
    Moving quickly to defuse a potentially adversarial meeting, a
    diplomatic Segal says, "We're here to help you do your jobs better."  
    No one nods to agree. "Security here is already very good, but we've
    found a few things you can improve," he says. Later, Segal
    acknowledges he would have used harsher language if the presentation
    had been a one-on-one with the technical services director. On this
    day, IT has safety in numbers.
    
    Bernard takes over, handing out his inch-thick report, explaining it
    page by page.
    
    All 28 audited servers are listed, led by the most vulnerable. First
    place goes to the server running the Compaq management software. It
    should never have been visible outside the firewall, because anything
    it talks to, a hacker can, too.
    
    It's all there: IP address, domain name, operating system and version.  
    The problem with Compaq Web-based Management Software Version 4.7,
    installed on Port 2301 - the default, open to anyone - is described in
    detail. Bernard describes how a hacker, sending a username containing
    exactly 460 bytes could cause a buffer overflow, allowing the
    execution of arbitrary code with administrator privileges.
    
    Fixing this potentially deadly breach is easy: download and apply the
    appropriate patch as listed in Compaq Security Advisory SSRT0705. Skip
    it and risk everything.
    
    And on it goes. Bernard describes each vulnerability in detail and
    suggests a remedy. Sometimes it's a patch, stopping an unneeded
    process or closing a port that's open.
    
    Tempers never flared. The discussion was surprisingly placid. "Yeah,
    we already knew about that one and planned to fix it" eventually gave
    way to relief that most breaches were someone else's problem.
    
    "Some things we don't control," one staffer said.
    
    "They had to subvert another group to get to my group," another said.
    
    "The executives here are focused on the hospital's clinical mission,"  
    yet another said.
    
    Not at all a good reaction, according to Segal and Bernard. "If this
    was a bank," heads would be rolling. "This is a hospital. Security is
    no less critical. It's everybody's problem," Segal says.
    
    As for the technical services director, the IT manager who agreed to
    the audit, his calm reaction to the litany of potentially catastrophic
    security breaches was an enigma to Segal.
    
    "I was pleased to see that the majority of the findings were
    relatively benign," he said in a follow-up interview. "We had fully
    addressed all but one of them by the next day."
    
    Not nearly good enough, Segal says. "This is a business that should be
    extremely security-conscious," he says. "In certain areas, I could see
    a determined effort by the IT staff to have strong security, but they
    failed miserably in others."
    
    Harsh words from a man who just played the diplomat. Bernard says:  
    "Their senior engineers and technicians deserve praise, but having
    'good people' is not the same as having proper security. Good people
    make honest mistakes."
    
    
    Lessons for all
    
    The Networks Unlimited audit could have been much worse. This audit
    was unusually narrow in scope, but a more sweeping audit undoubtedly
    would have uncovered additional failures.
    
    "This was a limited external audit," Bernard says. "We didn't look at
    internal security, but you can be certain they haven't implemented
    adequate internal security to protect critical data and operations
    from unauthorized access."
    
    On the ride home, Segal gets philosophical. "Every business is
    vulnerable," he says. "This one is no different. Hire an auditor and
    fix the problems before it's too late."
    
    Was it too late for our patient, the regional medical center? "Darn
    lucky," he says. "Darn lucky."
    
    
    -=-
    
    
    Do
    
    * Estimate the cost of a break-in to guide your security decisions.
     
    * Configure firewalls to deny all traffic, then open needed ports.
     
    * Change default passwords before deploying software or hardware.
     
    * Delete unnecessary user accounts (guests, anonymous).
     
    * Establish and adhere to a process for obtaining and applying
      patches.
     
    * Use only VPNs for remote access.
     
    * Implement intrusion prevention to stop attacks that can pass
      unimpeded through the firewalls.
     
    * Beware of internal attacks that might be initiated not by a user,
      but by the user’s machine.
    
    
    
    Don't
    
    * Don't connect unpatched machines directly to the Internet.
     
    * Don't ignore old servers whose purpose and ownership are uncertain.
     
    * Don't assume anti-virus programs protect against all malicious
      activity: Many hacker tools use legitimate software not detected by
      anti-virus programs.
     
    * Don't trust your staff - or yourself: Have an experienced
      third-party review security regularly.
     
    * Don't believe that firewalls protect all: Many attacks appear as
      legitimate traffic.
     
    * Don't ignore the security threat from internally connected laptops
       or VPN-connected remote systems.
     
    * Don't let external PCs connect via remote-control software.
     
    * Don't provide unlimited network access to business partners.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 03:38:50 PDT