Vulnerabilities / Threats
10/19/2012
04:49 PM
50%
50%

Tech Insight: What Penetration Testers Find Inside Your Network

Inside flaws include unpatched systems, open file shares or information stores, and lack of proper network segmentation

In our previous Tech Insight, we focused on some of the top vulnerabilities that professional penetration testers discover when performing an external penetration test. This time, we are turning inward and looking at the prominent vulnerabilities found in an internal penetration test.

So what's the difference? With an external assessment, the penetration testers should be simulating the attacks that an attacker outside of your organization would be performing. They will be looking at perimeter defenses, exposed services, and anything that will gain them a foothold into the network from the outside. Often, an external test is validating that the security controls put in place at the perimeter are actually effective.

An internal penetration test tends to be more scenario-based, focusing on the biggest fears that the company faces, such as an internal employee going rogue, an internal machine getting compromised with a remote access Trojan, or an attacker physically gaining access to the network and plugging in his machine. Will the attacker be able to gain access to critical databases or trade secrets? What call do you dread receiving from your CSO at 2 a.m.?

These are the types of questions that internal penetration tests try to answer. Unfortunately, more often than not, experienced penetration testers show how easy it is to realize these fears once they gain internal access to the internal network.

Dark Reading spoke with several professional penetration testers to get a better understanding of the most common types of vulnerabilities they find in internal tests, why they are the most common, and the risk they pose to enterprises. The top issues include unpatched systems, open file shares or information stores, and lack of proper network segmentation.

"Many times, organizations will focus on externally facing applications and systems, relegating internal systems to the 'catch up and patch when they can' category," says Kevin Johnson, senior security consultant at Secure Ideas.

Considering the number of client-side zero day vulnerabilities in Java, Adobe Acrobat, and Flash that keep showing up, this may seem surprising. Johnson says that it's often based on the failed assumption that the systems are internal, so an attacker can't reach them. "But this idea couldn't be further from the truth," Johnson says. "Disgruntled employees or attackers who have gained access to the network can use these vulnerable systems to elevate their access or [to] compromise sensitive data."

Chris Sanders, an InGuardians senior security consultant, concurs that unpatched systems are definitely a problem. He says he regularly finds vendor-provided solutions that include a Web-based front-end riding on top of the vulnerable version of Apache Tomcat or JBoss. "When presented to clients at the end of the test, they are shocked to find these technologies exist on their network, not realizing it was part of a product they purchased," Sanders says.

The presence of open file shares or information stores are also a gold mine for attackers. Several security professionals interviewed for this article say they find a wealth of information stored on file servers with poor access control. Many of the items they find include password lists, database backups containing sensitive information, and documentation about internal systems. Not only is this data valuable from the perspective of showing the risk of open shares to the client, it also gives the penetration tester more information and clues on where to dig deeper into the network.

File servers aren't the only juicy information stores when it comes to internal tests: SharePoint and Wikis provide plenty of valuable information, as well. "When we perform internal tests, we often find that the permissions are either completely exposed or available to more people than they should be," Secure Ideas' Johnson says. From there, he uses the open permissions to steal files and documents with everything from passwords and connection information to credit cards and personal information.

The lack of proper network segmentation is a recurring theme among the findings of these penetration testers. More often than not, once on the network, they have free reign to move about as they wish. InGuardians' Sanders says that high-value assets often have no logical separation from user workstations or other low-value assets. "Once one asset is compromised, it's incredibly easy to move laterally to target higher profile systems," he says.

Why is network segmentation so important? "Today there is still more focus on the perimeter than on internal network segmentation. Network engineers don't realize that one successful social engineering or client-side attack could mean 'game over' once the attacker has that foothold," Sanders says. Segmentation based on asset importance and level of trust is one of the most effective ways to prevent many of the attacks advanced attackers -- and even himself -- perform once inside a target network, he says.

All of the top vulnerabilities found by the penetration testers fall within basic IT security fundamentals: system patching, principal of least privilege (and related access controls), and proper network segmentation.

Is it time for companies to get back to the basics and stop trying to buy the next hot security product that promises to solve all of their problems? It sure seems that way.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.