Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/19/2012
04:49 PM
50%
50%

Tech Insight: What Penetration Testers Find Inside Your Network

Inside flaws include unpatched systems, open file shares or information stores, and lack of proper network segmentation

In our previous Tech Insight, we focused on some of the top vulnerabilities that professional penetration testers discover when performing an external penetration test. This time, we are turning inward and looking at the prominent vulnerabilities found in an internal penetration test.

So what's the difference? With an external assessment, the penetration testers should be simulating the attacks that an attacker outside of your organization would be performing. They will be looking at perimeter defenses, exposed services, and anything that will gain them a foothold into the network from the outside. Often, an external test is validating that the security controls put in place at the perimeter are actually effective.

An internal penetration test tends to be more scenario-based, focusing on the biggest fears that the company faces, such as an internal employee going rogue, an internal machine getting compromised with a remote access Trojan, or an attacker physically gaining access to the network and plugging in his machine. Will the attacker be able to gain access to critical databases or trade secrets? What call do you dread receiving from your CSO at 2 a.m.?

These are the types of questions that internal penetration tests try to answer. Unfortunately, more often than not, experienced penetration testers show how easy it is to realize these fears once they gain internal access to the internal network.

Dark Reading spoke with several professional penetration testers to get a better understanding of the most common types of vulnerabilities they find in internal tests, why they are the most common, and the risk they pose to enterprises. The top issues include unpatched systems, open file shares or information stores, and lack of proper network segmentation.

"Many times, organizations will focus on externally facing applications and systems, relegating internal systems to the 'catch up and patch when they can' category," says Kevin Johnson, senior security consultant at Secure Ideas.

Considering the number of client-side zero day vulnerabilities in Java, Adobe Acrobat, and Flash that keep showing up, this may seem surprising. Johnson says that it's often based on the failed assumption that the systems are internal, so an attacker can't reach them. "But this idea couldn't be further from the truth," Johnson says. "Disgruntled employees or attackers who have gained access to the network can use these vulnerable systems to elevate their access or [to] compromise sensitive data."

Chris Sanders, an InGuardians senior security consultant, concurs that unpatched systems are definitely a problem. He says he regularly finds vendor-provided solutions that include a Web-based front-end riding on top of the vulnerable version of Apache Tomcat or JBoss. "When presented to clients at the end of the test, they are shocked to find these technologies exist on their network, not realizing it was part of a product they purchased," Sanders says.

The presence of open file shares or information stores are also a gold mine for attackers. Several security professionals interviewed for this article say they find a wealth of information stored on file servers with poor access control. Many of the items they find include password lists, database backups containing sensitive information, and documentation about internal systems. Not only is this data valuable from the perspective of showing the risk of open shares to the client, it also gives the penetration tester more information and clues on where to dig deeper into the network.

File servers aren't the only juicy information stores when it comes to internal tests: SharePoint and Wikis provide plenty of valuable information, as well. "When we perform internal tests, we often find that the permissions are either completely exposed or available to more people than they should be," Secure Ideas' Johnson says. From there, he uses the open permissions to steal files and documents with everything from passwords and connection information to credit cards and personal information.

The lack of proper network segmentation is a recurring theme among the findings of these penetration testers. More often than not, once on the network, they have free reign to move about as they wish. InGuardians' Sanders says that high-value assets often have no logical separation from user workstations or other low-value assets. "Once one asset is compromised, it's incredibly easy to move laterally to target higher profile systems," he says.

Why is network segmentation so important? "Today there is still more focus on the perimeter than on internal network segmentation. Network engineers don't realize that one successful social engineering or client-side attack could mean 'game over' once the attacker has that foothold," Sanders says. Segmentation based on asset importance and level of trust is one of the most effective ways to prevent many of the attacks advanced attackers -- and even himself -- perform once inside a target network, he says.

All of the top vulnerabilities found by the penetration testers fall within basic IT security fundamentals: system patching, principal of least privilege (and related access controls), and proper network segmentation.

Is it time for companies to get back to the basics and stop trying to buy the next hot security product that promises to solve all of their problems? It sure seems that way.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21392
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addre...
CVE-2021-21393
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-29429
PUBLISHED: 2021-04-12
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded in...
CVE-2021-21394
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-22497
PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.