Defending Against the Trojan Horses in Your Organization
As we come to the end of our series covering the 2014 Top Attack Vectors, we find ourselves facing, yet again, an easily mitigated but highly exploited attack vector. Whether the misconfigured system is an operating system, such as Windows or Linux, or a device, such as a router or firewall, the result is the same: a breach in our defenses!
Misconfigured systems and devices make up 13.72% of attacks according to the 2014 Attack Vector Report. While this statistic may seem small in terms of the big picture, the outcome of this kind of attack is often devastating. Attackers manipulate misconfigured systems or devices to obtain sensitive information or access that can be leveraged as a pivot to gain deeper entry into an organization. As attackers work through these pivots, they find additional misconfigured systems or devices that grant them deeper access, until they establish persistence. Once an attacker has persistence in an organization, it is extremely difficult to contain them and cut off their communications. Because of that difficulty, and the abundance of misconfigured systems and devices, these attackers are able to remain on our networks for months.
How can we make it more difficult for the attacker?
Remediation begins well in advance of the system or device being deployed into production. We need to focus on its purpose, its logical placement, its life expectancy, and how it fits into our patch and vulnerability management programs. If we account for these key areas before deployment and build a security baseline program around our environment, we raise the difficulty an attacker will face as they attempt to breach our organization. Three further questions must be answered for every asset:
- Who is ultimately responsible for this system or device?
- How will they maintain it once it reaches the production phase?
- What can we do about the systems already in production?
All of these questions are answered when we assess an organization's logical footprint. The discovery process is crucial to making sure we fully understand what is out there today and what will be deployed later. Once we have a list of all the assets, we divide them into groups and assign a responsible party to each group. The division can be based on function, role, department, system, or device type, but the key is developing a plan of action and assigning a responsible party.
Responsible parties are important, but having a baseline for each system is even more crucial. Baselines speed up future deployments and help mitigate many common mistakes, because multiple people are able to weigh in on what the baseline should contain: System Administrators, Database Administrators, End Users, or, for network devices, Network Administrators or Firewall Administrators. The key is to obtain input from each group on what they need from that system or device. This input builds the requirements and becomes your test group for later steps. We then put all of this hard work to use by comparing the assets we discovered against the baselines we just developed. Typically, we find that many systems still run with default settings, or carry applications installed for a single project and then forgotten. Unfortunately, attackers do not forget these systems! We then use the baselines to remediate the findings, which ties into the patch and vulnerability management programs.
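To make the "compare assets against the baseline" step concrete, here is an added example (not code from the original article) of a small drift check. It assumes a baseline expressed as allowed values for a handful of sshd_config-style settings, plus the vendor defaults for those settings, so that a host whose every deviation is still the vendor default can be flagged as "never baselined", the forgotten-project case described above. The baseline values, vendor defaults, host names and config text are all constructed for the example; the same check re-run on a schedule doubles as the monitoring step described later.

```python
"""Baseline drift check over constructed host configs.

Added illustration, not code from the original article. BASELINE,
VENDOR_DEFAULTS and SAMPLE_HOSTS are constructed values, not real policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Approved baseline for one asset group: setting -> set of allowed values.
# Constructed; a real one comes from the cross-team review described above.
BASELINE: Dict[str, set] = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "MaxAuthTries": {"3", "4"},
    "X11Forwarding": {"no"},
}

# What the daemon uses when the setting is absent or untouched (assumed
# values for the example). A host matching these never had the baseline applied.
VENDOR_DEFAULTS: Dict[str, str] = {
    "PermitRootLogin": "yes",
    "PasswordAuthentication": "yes",
    "MaxAuthTries": "6",
    "X11Forwarding": "yes",
}

# Constructed sample inventory: host name -> captured config text.
SAMPLE_HOSTS: Dict[str, str] = {
    "bastion01": """
# hardened per group baseline
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
""",
    "legacy-proj07": """
# stood up for a one-off project, never baselined; MaxAuthTries left unset
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
""",
    "build02": """
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 10   # raised by an admin during an incident, never reverted
X11Forwarding no
""",
}


@dataclass
class Finding:
    host: str
    setting: str
    expected: str          # allowed values, joined with "/"
    observed: Optional[str]  # None when the setting is absent from the file
    is_default: bool       # effective value equals the vendor default


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines; '#' starts a comment (also accepted inline here)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_host(host: str, text: str,
               baseline: Dict[str, set] = BASELINE,
               defaults: Dict[str, str] = VENDOR_DEFAULTS) -> List[Finding]:
    """Return one Finding per baseline setting the host does not satisfy."""
    observed = parse_config(text)
    findings: List[Finding] = []
    for key, allowed in baseline.items():
        value = observed.get(key)
        if value in allowed:
            continue
        # An absent setting means the daemon falls back to its default.
        effective = value if value is not None else defaults.get(key)
        is_default = key in defaults and effective == defaults[key]
        findings.append(Finding(host, key, "/".join(sorted(allowed)), value, is_default))
    return findings


def assess(hosts: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Run the baseline comparison across the whole inventory."""
    return {host: check_host(host, text) for host, text in hosts.items()}


def still_on_defaults(report: Dict[str, List[Finding]]) -> List[str]:
    """Hosts whose every deviation is still the vendor default: never baselined."""
    return sorted(h for h, f in report.items() if f and all(x.is_default for x in f))


if __name__ == "__main__":
    report = assess(SAMPLE_HOSTS)
    for host, findings in report.items():
        for f in findings:
            print(f"{host}: {f.setting}={f.observed!r} (allowed {f.expected})"
                  + (" [vendor default]" if f.is_default else ""))
    print("never baselined:", still_on_defaults(report))
```

Two kinds of result matter for the remediation step: a host like legacy-proj07, where every deviation is the vendor default, goes straight onto the "apply the baseline" list, while a host like build02, where someone deliberately changed a value, needs the responsible party to decide whether the baseline or the host is wrong before anything is reverted.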
So we are done now, right?
No. Now we must monitor these systems and devices, both for unintended effects of the changes we made and for vulnerabilities that future patches introduce or fix. Whenever we find a deviation from our baseline, we must re-assess the environment and either remediate the asset or update the baseline accordingly. While we now have a good handle on what is in the organization, we continue to look for newly deployed systems or devices that slipped past the process or were never updated. This cycle is a living program, always moving forward, always evolving as the organization evolves, as demonstrated below:
By building this cycle and developing it as a living part of your organization, system and device misconfigurations become the exception rather than the rule. Keep in mind: as soon as the cycle stops and the process is no longer followed, configuration drift starts reintroducing vulnerabilities into your organization!