Common Pen Test Findings That Are Easy to Fix

We do a lot of penetration tests for a wide range of clients; whether they be healthcare, retail, nonprofit, insurance, banks, industrial or anything in between. Even though this includes a diverse range of industries, they all seem to make the same mistakes that result in the same findings test after test, year after year.

Albeit most of these findings are not critical and don’t typically result in us compromising your systems, they do provide vulnerabilities that could leave an attacker with a foothold on your network. Also, from a compliance standpoint, many of these findings fail basic compliance requirements.

Luckily, most of these findings are easy to fix, and most of them involve web server misconfigurations. This article provide an overview of what those vulnerabilities are, and why they are vulnerabilities. In a follow up to this article, I will include technical “how tos” so that you can resolve these issues.

In no particular order:

Clickjacking

To quote Wikipedia, clickjacking is “a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.”

Now really, Brandon, what does that mean? Here’s the scenario:

  • Your company has a website, acmecorp.com that includes a login screen, or some sort of form that collects information. Your website doesn’t protect against clickjacking

  • I’m looking to target your users. So I buy acmecor.com (one letter off…), I make a simple page that loads your website. The trick is that I “magically” have hidden fields on top of your username and password field that users can’t see.

  • Your users come to my website because I’ve lured them somehow

  • As they enter their username and password, I capture it. If I’m “nice” I throw them over to your website and let the user continue using your application. I now have their username and password.

Why is this a problem? Because I can “steal” your website without your users realizing it. About 99% of pen tests and Web Application Scans identify clickjacking as an issue! Best of all, it’s a 5 minute fix!

Server Information Disclosures

Like a lot of things you buy, they require a little customization. If you buy a new car, you adjust the radio, the seats, the mirrors, etc. Maybe you buy some new floor mats or those window deflector things. Either way, you don’t just jump in it and drive away. The same goes for your web servers.

Straight “out of the box” most web servers give away too much information and aren’t configured for the Internet. Most like to brag who they are by exclaiming to the world what product they are, and often time their exact version. They also give us lots of information about what their capabilities are, and sometimes allow us access to stuff we shouldn’t.

This is a vulnerability because as an attacker I can look up every vulnerable your server us vulnerable to. I might even be given the scripts or software I need to break in. It’s almost like telling me your security code on your home security system.

What can you do? Basically, it comes down to taking the time to “lock down” your servers. I explain how in the next couple of posts. This leads me to our next common vulnerability

Out of Date Systems

Now that your server told me EXACTLY what version it is running, I can quickly Google that the server was released in 2012, or whatever. I know there are 20 newer versions of the server, and that the server has 25 serious vulnerabilities. However, if you ran the latest and greatest, and hid a lot of the details, I’d have a much harder time getting in. First, because you locked it down as I suggested above I don’t know the exact version you’re running, but secondly, you’re running the latest version. With that, few if any vulnerabilities are known and finding a way in is much harder. Now I have to painstakingly search underground hacker forums, the “dark web”, and other nefarious locations that expose me to the threat of malware and all the other bad of the Internet.

Forgotten, Abandoned or Test Systems

This one is especially for those that develop their own systems or have a large number of systems. In this case, test sites get forgotten about. You upgrade your portal but leave the old one one. Whatever it may be. In either case, you’ve neglected it, didn’t configure it right, and left the front door wide open.

We have had complete compromises of our clients from systems in which the client responded “Oh crap, I forgot that even existed!” Guess what, as a hacker, we didn’t “forget” because we just found it!

In short, if you don’t need it, don’t put it on the Internet.

Web Application Firewalls

Many of the attacks that you’ll see are “well known” and have been around for, in many cases, decades. However, many sites are still vulnerable to them. Sometimes your password standards are weak or a user uses a weak password. In many of these cases, a Web Application Firewall could help protect against the known threats and block them altogether. It can also “lock out” an account if someone tries to brute force it.

Some options include appliances such as Netscaler, Barracuda, or F5; some as web services such as Cloudflare or AWS; some are features on your firewall like Sophos XG or Watchguard; and some are even modules to your webserver such as Apache’s modsecuriy.

In any case, you should have one, and fine tune it to block common threats like brute force attacks, SQL injections and Cross Site Scripting (XSS)

SSL Ciphers and Protocols

SSL ciphers and protocols are often overlooked because they’re misunderstood. First let’s get the 10,000 foot view of what we mean by protocols and ciphers.

When a web browser connects to a web server (or two email servers connect to each other, etc) they do so using a protocol. That protocol, or in its simplest term, the language the two computers use to talk to each other, is either SSL or TLS. Once they’ve established which protocol they’ll use, they agree on which ciphers will be used for the actual encryption of the communications. To use an analogy, the protocol is whether you’re going to ship a package via UPS or the Post Office, while the cipher suite is how well you secure the package itself during delivery. This is overly simplistic, but hopefully somewhat useful.

With that said, the web browser and web server need to agree on which protocol and ciphers they’ll use. You can’t control which browsers are used to connect to your website, but you can control the list of available protocols and ciphers. PCI requires you use “modern’ and “secure” protocols and ciphers. For protocols it’s simple; you must use TLS 1.1 or newer (TLS 1.2 is preferred). That leaves out TLS 1.0 and all of SSL.

For protocols, we don’t have to have any in depth knowledge of what to use. What we do need is knowledge on how to get them set correctly. Configuration all depends on your web server. For Apache or Nginix we use a web utility called the Mozilla SSL Configuration Generator. With the proper config in hand (select “modern”), we simply copy and paste into our virtual host. IIS is actually easier to configure because of a free utility called IIS Crypto. Download and install this utility on your webserver and then select the PCI template from the template screen. Apply and reboot and you’re done.

In addition to Nginiz, Apache, and IIS, ciphers and protocols can be configured on many type of servers and appliances such as Citrix Netscaler, Exchange, F5, etc.

To test that you’ve “got them right”, you can utilize Qualys’ free tool called SSL Labs. This handy website will give you a grade and lengthy details of where you’ve gone astray. Scoring an A+ is not hard to do and you should be doing it for all of your web servers.

Conclusion

Did you notice a pattern here? Three of the five common findings are directly related to your web server configurations. In fact, we could argue all five relate to web servers. The reason is pretty simple and straightforward: web servers are the most commonly deployed web technology, and they’re the most varied in their content and configurations. Further, they’re easy to “set and forget” which is the worst thing you can do.

While these are only five findings, they are on at least 80+% of all pen test reports we create; and most importantly they’re all easy to fix. Stick around and I’ll (hopefully) have up some tutorials on how to better configure your web servers. I’m working on articles for Apache and IIS, which accounts for about 95% of all web servers we encounter.

How to (better) Protect Email

Last week we alerted our insurance colleagues to multiple instances of spear-phishing as they relate to a new trend toward using OneDrive as a means of spreading phishing attacks. Today I’d like to take a few minutes to provide you with some easy ways to help protect you and your company against phishing attacks.

The goal of these types of phishing attacks are two-fold: one, they want your email username and password, or two, they want to give you malware. In the past six months, Cyber Defense Institute has seen both, with devestating consequences.

For those in the Insurance industry, we’ve been told by the DFS superintendant that: “ the majority of successful breaches… have involved phishing attacks, social engineering threats, and issues relating to password composition and security and email security.” The superintendant goes on to say:

More specifically, a significant number of the events reported to DFS involved breaches that stemmed from employees providing credentials in response to attractive emails that trick a user to provide confidential information. In these cases, the intruder sends a legitimate-seeming e-mail to a company's employee or employees. These attacks are carefully planned to appear from a source that the employee will trust, perhaps even appear to be an email from a customer or client of that employee and a subject that will peak their interest. The employee is prompted 2 to enter his or her e-mail credentials, and the intruder gains access to the company's e-mails on the system, which can contain consumers' personal identifying information.

If you’re interested in seing what the whole attack looked like, look at this article I previously posted

So, we know the threat is real, but what can we do about it. Here is a list of specific, actionable things you can do to protect yourself:

Security Awareness Training

One of the best things we can do is train our employees on what to look for in a phishing email. In our opinion, this training should be ongoing and multi-faceted. We sell KnowBe4 security awareness training because we can provide our users with frequent phishing tests, weekly security newletters, training content, and much more,

What to do

Ensure you provide frequent Security Awareness Training. We recomend bi-weekly phishing tests, quarterly or even monthly training videos, and weekly newsletters. We also recomend conversations in meetings, and having an teamwork approach to questionable email.

If you don’t have a robust program, contact us and we can get you a quote for KnowBe4, or click here for more information on KnowBe4, including a free trial.

Two-Factor Authentication

After security awareness training, two-factor authentication is incredibly reliable at protecting your email. If you have Office 365, two-factor authentication is FREE and it is not as burdensome as you may think. You are not required to enter a code from your phone every time you open your email. That’s a misnomer.

In reality, you enter the code ONCE for Outlook, and you enter the code ONCE if you use the Outlook app for your phone. If you log into Outlook Web Access or any of the other Microsoft 365 products, you can configure Microsoft to remember your login for any number of days.

What to do

For Office 365, here is the docuemntation: https://support.office.com/en-gb/article/set-up-2-step-verification-for-office-365-ace1d096-61e5-449b-a875-58eb3d74de14

For G-Suite: https://support.google.com/a/answer/9176657?hl=en

For hosted Exchange you will need to add an OAUTH provider such as Duo, and taht’s way outside the scope of this post

Don’t Store Sensitive Data

You can’t fully control what comes into your inbox, but you can control what you do with that data. Having sensitive data in your email can pose a serious threat. If your email is compromised and it contains sensitive information, the data usually has to be considered breached, and therefor reportable. If you don’t have sensitive emails, you don’t have a breach (however, in DFS world you still have to report a compromised email account).

What to do

  1. Don’t SEND sensitive information through email such as credit card numbers, health information, SSNs, etc.

  2. If you RECEIVE sensitive email:

    1. Delete the email

    2. Contact the sender and ask them to not send sensitive data. Ask them to encrypt it, fax it, or use a “proper channel”

  3. Implement Data Loss Prevention (DLP) technologies. I admit this isn’t always easy for small companies, but some Anti-Virus and Email Protection products include this feature. Ideally, your spam filter should be able to look for, and block sensitive data such as credit card numbers, SSN’s health information or even account numbers.

Advanced Threat Protection

Default spam filters that come with Office 365 and Gmail provide some coverage, but not enough. Exchange offers no protection. With Advanced Threat Protection or ATP, your spam filter will do additional checks on your incoming email such as “clicking” on the links and opening any attachments to see if they’re safe. I admit, ATP isn’t able to get around the OneDrive attack that opened this post, but it’s still important.

What to do

For Office 365 add “Advanced Threat Protection” to your account. It’s $1 per user, per year (https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp )

For G-Suite, enable the :enhanced” protections (https://support.google.com/a/answer/7577854?hl=en )

Alternatively, purchase a spam system such as Barracuda, Sophos, or ProofPoint

Anti-Malware

Make sure you have agood anti-virus protection. And by good, I mean one that you purchased. Ideally, it should be centrally managed (cloud is better), and have Advanced Threat Protection and web protection. In the case of the attacks from last week, my anti-virus and firewall’s web protection blocked one of the two attacks. 50% is pretty poor, but it’s a start.

What to do

  • Purchase Anti-Malware that includes web protection

  • Purchase so called “Next Generation Anti-Malware.” Other terms include “Deep learning”, “Endpoint Detection and Response”, etc.

  • Add Advanced Threat Protection to your firewall that looks for bad URLs

Example of Next Generation products include Sophos Central with Intercept X, Carbon Black., Cylance, or TrendMicro XGen

Anti-Spoofing

Some of these attacks take advantage of misconfigured (or non-configured) DNS records that are meant to prevent spoofing. By properly configuring Anti-Spoofing on your email domain spammers can’t send emails that look like they came from your domain. This has two benefits: you can’t receive emails that spoof your domain, and the rest of teh world can’t either.

What to do

Configure SPF, DKIM, and DMARC dns records for your email. Explainign these are far outside the scope of this post, but pass it along to your system administrator. If you’re really interested, here is a post that explains it all: https://www.bettercloud.com/monitor/spf-dkim-dmarc-email-security/

Office 365 Secure Score and Login Branding

If you have Office 365, Microsoft offers “Secure Score” which is set of scored configuration options that better protection your email and Office 365 environment. By making suggested changes, you increase your score and therefore increase your security.

Also, Microsoft allows you to “brand” your Office 365 login page with your company logo and custom background. This is extremely helpful because phishing emails target you by making the login screen look like Microsoft’s login page to get you to enter your password. However, if you’ve branded your login screen, users will know to look for your background picture and logo. Here’s an example of how Cyber Defense Institute brands our logon page, as well as what it looks like unbranded

Branded

Branded

Unbranded

Unbranded

What to Do

For Microsoft Secure Score, go to https://securescore.microsoft.com

For branding instructions, go to https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding

Audit

If an account is compromised, audditing of the account is going to be extremely important to determine if a breach occured, and what data was accessed. Without auditting, it must be assumed that all sensitive data in a compromised email account has been breached, and therefore reported. With auditting, it’s possible to contain a compromised account to just that, and not a breach (although it;s reportable if you’re DFS regulated).

What to do

For Office 365, https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing

For G-Suite it’s already on

For Exchange, https://docs.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging?view=exchserver-2019

OneDrive Insurance Phishing Scam

This Friday (4/26/19) we investigated a phishing campaign for one of our insurance clients and we learned quickly that it spanned at least two other CNY area insurance companies.  For that reason Jim and I thought it was appropriate to blast out an ad-hoc "alert" to all of our insurance contacts.
 

Details

Here's what we know so far:

  • It appears that the email accounts of some of our local insurance colleagues have been compromised

  • The bad actors are then spamming everyone in the user's address book (mostly insurance colleagues)

  • The email is a file share request from Microsoft's OneDrive

  • The incredible thing is in at least one case the file being shared is named "3rd Party Service Provider"

  • The text of the email is short and sweet, something like "please open the document"

  • The sender has "BCC'd" you, in other words, the "From" and "To" are both the same

In this case, "Think, Don't Click"

Here is a sample:

Phishing Scam



What if I clicked?

  • If you clicked on the OneDrive link, you're probably OK.  Clicking on the OneDrive link takes you to a PDF in OneDrive that is the phish.

  • However, if you clicked on the link from the link you might be in trouble!

If you clicked on the link in OneDrive:

  1. Change your email password immediately

  2. If it's been more than, say, 30 minutes you might've been compromised and will need to have your account checked for signs of intrusion. 

  3. Either call us immediately, call your IT support staff, or check the following:

    1. Check your Sent Items for emails you didn't send

    2. Check your Deleted Items for emails you didn't send

    3. In Outlook, click "Recover" at the top of your Deleted Items and check to see if there are emails you didn't send

      1. If there are no emails in your "Recover Deleted Items Folder" you've probably got a problem

    4. In Outlook, click "File" then "Manage Rules & Alerts" check for rules you didn't create

    5. In Outlook, click "File", then click the link next to Account Settings that says "Access this account on the web"

      1. Once there, make sure the "The new Outlook" slider in the upper-right corner is on

      2. Then click the settings "gear"

      3. Click "View all Outlook Settings" at the bottom

      4. Click "Forwarding"

      5. Ensure your email isn't being forwarded

Stay safe and have a good weekend.  If you have questions please contact us, we're here to help!