Vulnerabilities / Threats
04:49 PM

Tech Insight: What Penetration Testers Find Inside Your Network

Inside flaws include unpatched systems, open file shares or information stores, and lack of proper network segmentation

In our previous Tech Insight, we focused on some of the top vulnerabilities that professional penetration testers discover when performing an external penetration test. This time, we are turning inward and looking at the prominent vulnerabilities found in an internal penetration test.

So what's the difference? With an external assessment, the penetration testers should be simulating the attacks that an attacker outside of your organization would be performing. They will be looking at perimeter defenses, exposed services, and anything that will gain them a foothold into the network from the outside. Often, an external test is validating that the security controls put in place at the perimeter are actually effective.

An internal penetration test tends to be more scenario-based, focusing on the biggest fears that the company faces, such as an internal employee going rogue, an internal machine getting compromised with a remote access Trojan, or an attacker physically gaining access to the network and plugging in his machine. Will the attacker be able to gain access to critical databases or trade secrets? What call do you dread receiving from your CSO at 2 a.m.?

These are the types of questions that internal penetration tests try to answer. Unfortunately, more often than not, experienced penetration testers show how easy it is to realize these fears once they gain internal access to the internal network.

Dark Reading spoke with several professional penetration testers to get a better understanding of the most common types of vulnerabilities they find in internal tests, why they are the most common, and the risk they pose to enterprises. The top issues include unpatched systems, open file shares or information stores, and lack of proper network segmentation.

"Many times, organizations will focus on externally facing applications and systems, relegating internal systems to the 'catch up and patch when they can' category," says Kevin Johnson, senior security consultant at Secure Ideas.

Considering the number of client-side zero day vulnerabilities in Java, Adobe Acrobat, and Flash that keep showing up, this may seem surprising. Johnson says that it's often based on the failed assumption that the systems are internal, so an attacker can't reach them. "But this idea couldn't be further from the truth," Johnson says. "Disgruntled employees or attackers who have gained access to the network can use these vulnerable systems to elevate their access or [to] compromise sensitive data."

Chris Sanders, an InGuardians senior security consultant, concurs that unpatched systems are definitely a problem. He says he regularly finds vendor-provided solutions that include a Web-based front-end riding on top of the vulnerable version of Apache Tomcat or JBoss. "When presented to clients at the end of the test, they are shocked to find these technologies exist on their network, not realizing it was part of a product they purchased," Sanders says.

The presence of open file shares or information stores are also a gold mine for attackers. Several security professionals interviewed for this article say they find a wealth of information stored on file servers with poor access control. Many of the items they find include password lists, database backups containing sensitive information, and documentation about internal systems. Not only is this data valuable from the perspective of showing the risk of open shares to the client, it also gives the penetration tester more information and clues on where to dig deeper into the network.

File servers aren't the only juicy information stores when it comes to internal tests: SharePoint and Wikis provide plenty of valuable information, as well. "When we perform internal tests, we often find that the permissions are either completely exposed or available to more people than they should be," Secure Ideas' Johnson says. From there, he uses the open permissions to steal files and documents with everything from passwords and connection information to credit cards and personal information.

The lack of proper network segmentation is a recurring theme among the findings of these penetration testers. More often than not, once on the network, they have free reign to move about as they wish. InGuardians' Sanders says that high-value assets often have no logical separation from user workstations or other low-value assets. "Once one asset is compromised, it's incredibly easy to move laterally to target higher profile systems," he says.

Why is network segmentation so important? "Today there is still more focus on the perimeter than on internal network segmentation. Network engineers don't realize that one successful social engineering or client-side attack could mean 'game over' once the attacker has that foothold," Sanders says. Segmentation based on asset importance and level of trust is one of the most effective ways to prevent many of the attacks advanced attackers -- and even himself -- perform once inside a target network, he says.

All of the top vulnerabilities found by the penetration testers fall within basic IT security fundamentals: system patching, principal of least privilege (and related access controls), and proper network segmentation.

Is it time for companies to get back to the basics and stop trying to buy the next hot security product that promises to solve all of their problems? It sure seems that way.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.