It’s that time of the year again. We’ll soon be inundated with ravenous hordes of Halloween fans seeking brains/candy. While costumes, scary movies and haunted houses are the stuff of fantasy, there are plenty of things that “go bump in the network” that can’t be dealt with using wooden stakes, silver bullets, or cauldrons filled with frog legs. These are the things that can lead to nightmares like those being lived right now by Experian, Scottrade, and Hilton.
As a CISSP, CCFP, and HCISPP with more than a decade of penetration testing experience in the medical, finance and governmental sectors, I’ve seen some seriously spooky stuff. Below I present the scariest things I’ve had the misfortune to have encountered “in the flesh” during pen tests.
- Passwords and other sensitive material lying around in plain text. I have yet to participate in a pen test where a scan for the word “password” on an open network share doesn’t yield something interesting. Oftentimes it’s developer or admin accounts to production systems, including databases with sensitive information. Eek!
- Unpatched machines with vulnerabilities that are too old; we’re talking corpse-like. Like clockwork, there is always one system tucked away in a dank, musty corner of the network. You get tired of seeing MS08-067-vulnerable boxes on a network. The best, however, was a print server with several 25-year-old unpatched vulnerabilities. Vulnerabilities that were old enough to rent a car. That’s legit nightmare fuel for network administrators.
- Hidden passages aren’t just for creepy settings in horror films. The most innocuous things, intentional or otherwise, can leave you vulnerable to attack. Like the network port in the lobby that was helpfully wired up, or the VoIP phone in the reception area that never had the data port disabled.
- Zombied printers. Nobody thinks to update the firmware on printers, or apply ACLs. That’s why the bad guys like using these living dead machines to establish hidden bridgeheads into your network.
- TOR exit nodes. While one can appreciate what TOR (The Onion Router) was designed to do, if you find one running on your network, you *really* don’t want to know what else you might find on that machine, ESPECIALLY if it’s not officially sanctioned. Some of my experience acquired in forensic investigations involved folks that had gotten themselves involved in the, shall we say, shadier sides of the internet. And having to catalog the remnants of those involvements, generally of the pornographic variety, is especially soul-numbing.
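The share audit from the first item, run from the defender’s side, as an added example that is not from the original post: a Python script that walks a mounted share for credential-looking lines and masks the values in its report so the findings file does not become one more plaintext copy. The file names, contents and regex patterns are constructed for the example.

```python
import os
import re
import tempfile

# "password=hunter2", "pwd: s3cret" and similar; group 3 is the secret value.
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd)\b(\s*[:=]\s*)(\S+)")
MENTION_RE = re.compile(r"(?i)\bpassword\b")  # bare mentions still need a look
TEXT_EXTS = {".txt", ".ini", ".cfg", ".conf", ".env", ".ps1", ".sh", ".py", ".xml", ".json", ".yml", ".yaml"}

def scan_file(path):
    # [(line_no, line)] with secret values masked so the report does not leak them.
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh.read().splitlines(), 1):
            if CRED_RE.search(line):
                hits.append((n, CRED_RE.sub(r"\1\2<redacted>", line)))
            elif MENTION_RE.search(line):
                hits.append((n, line))
    return hits

def scan_share(root):
    # Walk a mounted share: skip binaries by extension, keep going past unreadable files.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path)
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    # Constructed share contents standing in for a real open share.
    root = tempfile.mkdtemp()
    samples = {
        "it/scripts/backup.sh": "#!/bin/sh\nmysqldump -u root --password=Pr0dDB! app\n",
        "it/onboarding.txt": "The shared admin password is in notes.xlsx\n",
        "readme.txt": "Nothing to see here.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return scan_share(root)
```

Point `scan_share` at the mount point of a share you administer; a hit on a script or config file is the finding to fix first, since it usually names the account as well.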
Every single one of these things was found on otherwise well run, well maintained, and well staffed networks. There’s no excuse. Letting these fester puts not only you, but also your virtual neighbors at risk. And you probably won’t get the luxury of taking a personal day when the neighbors storm the gates with pitchforks and torches. How can you prevent that from happening? How can you slay the monsters hiding in the datacenter?
You should be carrying out penetration tests quarterly, and anytime changes occur on your network. Penetration tests evaluate an organization’s ability to protect its networks, applications, endpoints and users from external or internal attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. By embracing more frequent and comprehensive penetration testing, organizations can more effectively anticipate emerging security risks and prevent unauthorized access to critical systems and valuable information, setting a course towards banishing the monsters from their networks for good.