Vulnerabilities / Threats

04:49 PM

Tech Insight: What Penetration Testers Find Inside Your Network

Inside flaws include unpatched systems, open file shares or information stores, and lack of proper network segmentation

In our previous Tech Insight, we focused on some of the top vulnerabilities that professional penetration testers discover when performing an external penetration test. This time, we are turning inward and looking at the prominent vulnerabilities found in an internal penetration test.

So what's the difference? With an external assessment, the penetration testers should be simulating the attacks that an attacker outside of your organization would be performing. They will be looking at perimeter defenses, exposed services, and anything that will gain them a foothold into the network from the outside. Often, an external test is validating that the security controls put in place at the perimeter are actually effective.

An internal penetration test tends to be more scenario-based, focusing on the biggest fears that the company faces, such as an internal employee going rogue, an internal machine getting compromised with a remote access Trojan, or an attacker physically gaining access to the network and plugging in his machine. Will the attacker be able to gain access to critical databases or trade secrets? What call do you dread receiving from your CSO at 2 a.m.?

These are the types of questions that internal penetration tests try to answer. Unfortunately, more often than not, experienced penetration testers show how easy it is to realize these fears once they gain internal access to the internal network.

Dark Reading spoke with several professional penetration testers to get a better understanding of the most common types of vulnerabilities they find in internal tests, why they are the most common, and the risk they pose to enterprises. The top issues include unpatched systems, open file shares or information stores, and lack of proper network segmentation.

"Many times, organizations will focus on externally facing applications and systems, relegating internal systems to the 'catch up and patch when they can' category," says Kevin Johnson, senior security consultant at Secure Ideas.

Considering the number of client-side zero day vulnerabilities in Java, Adobe Acrobat, and Flash that keep showing up, this may seem surprising. Johnson says that it's often based on the failed assumption that the systems are internal, so an attacker can't reach them. "But this idea couldn't be further from the truth," Johnson says. "Disgruntled employees or attackers who have gained access to the network can use these vulnerable systems to elevate their access or [to] compromise sensitive data."

Chris Sanders, an InGuardians senior security consultant, concurs that unpatched systems are definitely a problem. He says he regularly finds vendor-provided solutions that include a Web-based front-end riding on top of the vulnerable version of Apache Tomcat or JBoss. "When presented to clients at the end of the test, they are shocked to find these technologies exist on their network, not realizing it was part of a product they purchased," Sanders says.

The presence of open file shares or information stores are also a gold mine for attackers. Several security professionals interviewed for this article say they find a wealth of information stored on file servers with poor access control. Many of the items they find include password lists, database backups containing sensitive information, and documentation about internal systems. Not only is this data valuable from the perspective of showing the risk of open shares to the client, it also gives the penetration tester more information and clues on where to dig deeper into the network.

File servers aren't the only juicy information stores when it comes to internal tests: SharePoint and Wikis provide plenty of valuable information, as well. "When we perform internal tests, we often find that the permissions are either completely exposed or available to more people than they should be," Secure Ideas' Johnson says. From there, he uses the open permissions to steal files and documents with everything from passwords and connection information to credit cards and personal information.

The lack of proper network segmentation is a recurring theme among the findings of these penetration testers. More often than not, once on the network, they have free reign to move about as they wish. InGuardians' Sanders says that high-value assets often have no logical separation from user workstations or other low-value assets. "Once one asset is compromised, it's incredibly easy to move laterally to target higher profile systems," he says.

Why is network segmentation so important? "Today there is still more focus on the perimeter than on internal network segmentation. Network engineers don't realize that one successful social engineering or client-side attack could mean 'game over' once the attacker has that foothold," Sanders says. Segmentation based on asset importance and level of trust is one of the most effective ways to prevent many of the attacks advanced attackers -- and even himself -- perform once inside a target network, he says.

All of the top vulnerabilities found by the penetration testers fall within basic IT security fundamentals: system patching, principal of least privilege (and related access controls), and proper network segmentation.

Is it time for companies to get back to the basics and stop trying to buy the next hot security product that promises to solve all of their problems? It sure seems that way.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Kaspersky Lab Seeks Injunction Against US Government Ban
Jai Vijayan, Freelance writer,  1/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.