Tech Insight: The Most Common Vulnerabilities Found By Penetration TestsProfessional pen testers share which holes they find the most in clients' networks
Headlines of hacked networks and successful attack campaigns, such as the recent Anonymous attack against the top 100 universities, regularly leave organizations wondering how the bad guys got in and why it seems so easy. What common mistakes are being made in these different organizations that are being attacked? What are some of the top vulnerabilities that are being exploited to get in?
We asked a variety of penetration testers -- some working in university and business environments, and others who are full-time security consultants performing penetration tests every week for clients of all types -- which main flaws they are typically able to exploit.
Nearly every pen tester we talked to had a similar list of vulnerabilities. At the top of every list was SQL injection, cross site scripting (XSS), or insecure websites, in general. Surprising? Not really. Often, the entry method of choice we hear about from Anonymous' exploits is through SQL injection. Once the Web server and underlying database server have been compromised, it's relatively easy to exploit those servers' trust relationships and stored passwords to hop to other juicy targets.
Christian von Kleist, senior security analyst at Include Security, said that Web servers are typically what he notices first during an external pen test. "Many of my pen-testing engagements have been successful only because I was able to exploit insecure Web applications on networks that were otherwise very secure," he says.
When von Kleist was asked why he thought Web applications are often full of vulnerabilities, he said it's the disconnect between those creating the software and those left to secure the network. "They work in isolation, with security having little involvement until it's too late and the [vulnerable] end result has already been deployed into production."
What else made the list? Exposed administration and management interfaces for application servers, network devices, and content management systems came up often, followed by information leaked by devices printers and videoconferencing systems; outdated and/or unsupported software, often with insecure default settings; and exposed Web services.
"We often find that administrative or management interfaces are available to an external attacker," says Kevin Johnson, senior security consultant at Secure Ideas. Some of the examples mentioned include Web-based management interfaces for JBoss, Tomcat, and ColdFusion, and administration services like SSH and SNMP.
Johnson stated that software packages are often installed that include ColdFusion or JBoss servers without realizing whose servers include admin consoles. "These admin consoles regularly have default credentials or vulnerabilities," Christian said
In addition to accidentally exposed management interfaces, pen testers are leveraging information leakage from Internet-facing network devices. Some of these exposures include printers and videoconferencing systems. With default credentials or no password set on the printers and videoconferencing systems, attackers can steal usernames, passwords, and internal IP addresses, and even launch attacks against internal systems.
Last year, HD Moore, CSO at Rapid7, demonstrated how videoconferencing systems could be easily identified through network scanning used to bug conference rooms. He found 5,000 systems sitting on the Internet waiting to automatically accept calls. On some of them, he was able to "listen into nearby conversations and record video of the surrounding environment -- even read e-mail from a laptop screen and passwords off of a sticky note that was 20 feet away," he said.
Secure Ideas' Johnson said that one of the worst things his team sees is the exposure of Web services or business and points.
"These services are often used by business partners or applications, such as mobile apps use by the marketing department," he said. "Since these endpoints are designed to be communicated with using client applications instead of directly by users, developers often feel that they require fewer controls since the application is 'trusted.'"
Why such a concern over exposed Web services? Johnson said lack of security controls make them a great entry point for a determined attacker. During their penetration tests, they can directly show the business impact an exploit once they've been compromised.
The big question, of course, is how should enterprises address these issues so they don't become another statistic or feather in the cap of a pen tester? In almost every case, knowing what's on the network is critical. Security teams should be performing regular network scans to identify new systems and services as soon as they come online.
A common area where enterprises fail is knowing what's externally accessible. Capabilities need to be in place so that the organization can scan all externally facing IP addresses for new hosts and services in addition to regular vulnerability scans that would detect most of the vulnerabilities discussed. Beyond the regular scans, security needs to be more involved in the development, purchase, and deployment of Web applications -- but we all know that's much easier said than done.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.