I had the opportunity recently to sit down with Amit Bagree, one of our principal security consultants, for a chat about the most common weak points in network security. Amit has been breaking things apart since childhood, has been working in the security field for almost 10 years, and is a graduate of the prestigious Carnegie Mellon University Master’s program in Information Security Technology and Management. In the first installment of the interview, we discussed three weaknesses. This second part of the conversation addresses two more.
Previously, we talked about weak points primarily caused by simple configuration issues or user error. At the end of the last blog, you mentioned taking advantage of how Windows networks do name resolution. What is that?
Openness and ease of configuration are the weaknesses here. When a resource is requested that the server does not recognize, the end-client sends out a broadcast message to everyone in order to find it. Any device can respond to that broadcast claiming to be the missing resource, and the client may end up sending out its password or hash information. Since users frequently mistype the names of shared resources, such as printers or network drives, an attacker inside the network does not have to wait long to get an opening.
When passwords are sent across the network, they obviously should not be sent as clear text, and when they are hashed they should not be easily reversible. It is common to see unencrypted traffic such as HTTP on an internal network. And unfortunately, the hash commonly used by older Microsoft systems (known as the LAN Manager Hash or LM Hash) uses a relatively short key space that current computing power can break quickly in a brute-force attack. Newer systems (post-Windows XP and Server 2003) use a more robust hash now, but it is still common to find some older systems on the network. Although Microsoft ends extended support for Windows Server 2003 in July 2015, people always procrastinate. There are still millions of these servers out there needing to be upgraded or replaced.
The best way to close this off is to upgrade all servers to something newer than 2003, and change the system configurations to refuse the LM hash. In addition, only encrypted traffic should be used on the network. Tools are available to monitor and detect spoofing attacks based on this vulnerability.
Speaking of vulnerabilities, what happens after a vulnerability is published? Is there some inflection point when the risk of being successfully attacked increases?
Unfortunately, yes. There are several online sources for exploits that attackers can easily search, specifying desired target and level of access. Once an exploit for a particular vulnerability becomes publicly available, the risk of attack increases substantially. Of the weaknesses we have discussed, public exploits generate the most attack traffic.
Defense-in-depth is the best approach to combating these types of attacks. First, develop a patch management strategy. Second, make sure your strategy keeps systems up to date. Third, even with up-to-date patches, regularly scan your network for vulnerabilities, especially those with available exploits.
Thanks Amit, any closing thoughts?
Too many breaches start with an easily gained foothold in some innocuous part of the network, and then work into systems that are more sensitive. Closing these five vulnerabilities can significantly improve your defenses and reduce your attack surface.
For more details on these security issues, read Amit’s detailed white paper, Low Hanging Fruits: The Top Five Easiest Ways to Hack or Get Hacked.
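Editor's note with an added example (this is not code from the interview or from the white paper): the name-resolution weakness Amit describes has two mechanisms on a Windows LAN, NBT-NS (broadcast, UDP 137) and LLMNR (multicast 224.0.0.252, UDP 5355). LLMNR reuses the DNS wire format, which makes a cheap detector possible: ask the network for a name that no host legitimately owns and treat any answer as evidence of a spoofer. The script below builds that canary query, parses whatever comes back, and, for an offline run, also constructs the reply a poisoner would send (forge_answer). The canary name, transaction IDs and addresses such as 10.0.0.66 are constructed for illustration; probe() is the live check and needs a network.

```python
"""LLMNR poisoning canary (added example, not from the original post).

LLMNR (RFC 4795) carries DNS-format messages over UDP 5355 to the multicast
group 224.0.0.252. A query for a name nobody owns should get no answer;
any answer means some host is claiming names it does not have.
"""
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(data: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) DNS name starting at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def build_query(txid: int, name: str) -> bytes:
    """LLMNR query: 12-byte header (id, flags=0, qdcount=1) + one A question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_response(txid: int, data: bytes) -> list:
    """Return IPv4 addresses from A records in an answer to our txid, else []."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an == 0:  # not a reply to us
        return []
    pos = 12
    for _ in range(qd):                      # skip the echoed question section
        pos = skip_name(data, pos) + 4       # qname + qtype + qclass
    addrs = []
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def forge_answer(query: bytes, ip: str, ttl: int = 30) -> bytes:
    """What a poisoner sends back (constructed for the offline test): echo the
    question, set the QR bit, and add one A record pointing at the attacker."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]
    qname = query[12:skip_name(query, 12)]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    answer = qname + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe(timeout: float = 2.0) -> list:
    """Live canary: multicast a query for a random name and collect every
    (responder_ip, claimed_ip) pair. An empty list is the healthy result."""
    txid = int.from_bytes(os.urandom(2), "big")
    name = "canary-" + os.urandom(4).hex()   # nobody legitimately owns this name
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_query(txid, name), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(4096)
            for claimed in parse_response(txid, data):
                hits.append((src, claimed))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for responder, claimed in probe():
        print("LLMNR spoofer at %s answered for a bogus name with %s" % (responder, claimed))
```

Run it from a few vantage points on the LAN and alert on any hit; a legitimate network answers a random canary name with silence. The detection complements, rather than replaces, the configuration fix: on Windows, disable LLMNR with the "Turn off multicast name resolution" policy (EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient), disable NetBIOS over TCP/IP per interface (NetbiosOptions = 2), and refuse the LM hash with NoLMHash = 1 and LmCompatibilityLevel = 5 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Note that NoLMHash only stops new LM hashes from being stored; accounts keep their existing LM hash until the password is changed.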