Not that we need more proof of the average Joe’s lack of security awareness, but Verizon are out with their annual security breach report stating exactly how the bad guys are getting into our networks, and it does not look good for the average Joe.
The answer: phishing, bad web security and weak passwords. Two out of every three attacks were based on using legitimate user credentials to access the compromised systems. These credentials were gained via one of two common methods: brute-forcing the password, or simply asking the user to hand over the login details via a phishing email.
Brute-forcing a password works if you know the Admin or Root account name, as these accounts will typically not be locked out after multiple failed login attempts. How could hackers possibly know the Admin or Root username? Unfortunately, the security pros protecting our data often do not rename the Admin/Root account away from the device’s default setting, so a quick Google search for the device’s default administrator name is a simple task. Half the problem solved.
It gets worse: some security pros don’t even change the password away from the vendor default, making breaching a network pretty simple. Don’t laugh, it happens all the time.
Basic Security Rule Number One: change the default Admin/Root username to an obscure name that is not easily guessable. And no, Admin1 does not count, nor does Platform-Name-Admin, such as CiscoAdmin, WindowsAdmin or LinuxAdmin.
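The brute-force pattern described above (a flood of failed logins against an account such as root or admin that is never locked out) is easy to spot if the authentication logs are collected and actually reviewed. The following is an added example written for this post, not code from the Verizon report or from any vendor: a small detector that parses OpenSSH-style "Failed password" lines, groups them by source address, and raises an alert when a source exceeds a threshold of failures inside a time window, with higher severity when a default account name is among the targets. The log lines, the host name gw1, the IP addresses (RFC 5737 documentation ranges) and the `DEFAULT_ACCOUNTS` list are constructed for the example; the log year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-style, modelled on OpenSSH output); not real data.
SAMPLE_LOG = """\
Mar 14 02:10:01 gw1 sshd[2210]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 14 02:10:03 gw1 sshd[2210]: Failed password for root from 203.0.113.5 port 40123 ssh2
Mar 14 02:10:04 gw1 sshd[2210]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar 14 02:10:06 gw1 sshd[2210]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar 14 02:10:07 gw1 sshd[2210]: Failed password for root from 203.0.113.5 port 40126 ssh2
Mar 14 02:10:09 gw1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40127 ssh2
Mar 14 02:11:30 gw1 sshd[2250]: Failed password for alice from 198.51.100.7 port 50100 ssh2
Mar 14 02:11:35 gw1 sshd[2250]: Accepted password for alice from 198.51.100.7 port 50100 ssh2
Mar 14 08:00:00 gw1 sshd[3001]: Failed password for bob from 198.51.100.9 port 51000 ssh2
"""

# Matches only failed-login lines; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed list of well-known default administrator names worth extra attention.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "cisco", "pi", "ubnt"}


def parse_failures(log_text, year=2016):
    """Return (timestamp, user, source_ip) for every failed-login line in the log."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # Syslog has no year field, so one is supplied (assumption for the example).
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("user"), m.group("ip")))
    return failures


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Alert once per source IP that produces `threshold` failures within `window_seconds`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, events in by_ip.items():
        events.sort()  # chronological order; tuples sort by timestamp first
        # Slide a window of `threshold` consecutive failures; alert on the first dense run.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                users = sorted({u for _, u in events})
                alerts.append({
                    "source_ip": ip,
                    "failures": len(events),
                    "users": users,
                    # A default account among the targets is the pattern the text describes.
                    "default_account_targeted": any(u in DEFAULT_ACCOUNTS for u in users),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

A single user mistyping a password, as alice does above, never reaches the threshold, while the run against root and admin from 203.0.113.5 does. In a SIEM the same logic is a correlation rule; the point is that it only works if the logs from every device reach a central place, which is one of the report's takeaways.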
Phishing attempts are a little more complicated, as we need to educate users not to open attachments from unknown sources. Most users know not to open executable attachments; in fact, in this day and age, if an executable is making it down to a user’s mailbox you are doing something wrong, as the mail system should filter it out.
However, Word documents, Excel documents, PDF documents and even image files will often make it past your email filter, and this is where a lot of the risk lies. These documents can be used to establish a foothold in your network: once the user opens an infected document, the dropper downloads the Trojans to the user’s PC.
If I am a sophisticated hacker I will attempt to use known vulnerabilities against your applications. The challenge is that I can only see a limited number of your applications from the Internet, the ones with ports open on your firewall, and since you know this is where the risk is, you have likely patched those systems. So what I need to do is get behind your firewall, and I achieve that with phishing emails. Once your user has opened my infected PDF document I have a platform (their workstation or laptop) from which I can see all of your internal servers.
I can now exploit known vulnerabilities on all of your internal servers and spread to where the critical assets are.
Of course this relies on you not having patched all of your internal servers, or on me having a zero-day exploit for which no patch exists, which is not guaranteed unless I am a well-funded hacking enterprise, you know, like a nation state.
Of course, there is an easier way. Rather than sending an attachment to the target of my attack, why not just send them a well-constructed email designed to get them to “reset their password”?
How the Hackers Attack
First I ring the organization I want access to and ask the receptionist for the email address of the help desk, the sales manager or some other front-facing person who would normally deal with public requests. I send an email requesting information; I am not interested in the information, of course.
What I am interested in is the email address format: if the user is Bob Smith and their email is Bob.Smith@companyX.com, I now have a pretty good idea of what the email address format is going to be for other users in the organization. I also get the standard company signature at the bottom of the response email.
I now have everything I need to launch a targeted phishing attack. I go to LinkedIn, find out who works at your company, and guess their email addresses based on the previously discovered format.
I send an email to your team members asking them to reset their password immediately as we believe we have had a breach; all they need to do is “Click Here” and they will be redirected to the company’s website, which will look exactly like the real company website, to reset their password. The email will have the standard company signature and will come from the security team email address. Job done.
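Every element of the message described above leaves a trace that a mail gateway or a trained user can check: a sender address that only resembles the company domain, a Reply-To that goes somewhere else, and a “Click Here” link whose real destination is not the company’s website. The following is an added example written for this post, not the author’s code or any product’s rule set: it parses a raw message with Python’s standard library, compares the From and Reply-To domains against the organisation’s domain, and pulls every anchor out of the HTML body to check where the link actually points. The message text, the domains (`companyx.example`, `companyx-support.example`, `mail-reset.example`, `login-portal.example`, all under the reserved `.example` TLD) and the `COMPANY_DOMAIN` setting are constructed for the example; the registrable-domain helper is a deliberate simplification and is labelled as such.

```python
import email
from email import policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organisation's own mail and web domain. Replace with yours.
COMPANY_DOMAIN = "companyx.example"

# Constructed sample message in the style the text describes; not a real email.
SAMPLE_EMAIL = """\
From: "Security Team" <security@companyx-support.example>
Reply-To: it-helpdesk@mail-reset.example
To: bob.smith@companyx.example
Subject: URGENT: password reset required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We believe we have had a breach. Please reset your password immediately.</p>
<p><a href="https://companyx.example.login-portal.example/reset">Click Here</a> to go to the company website.</p>
<p>Regards,<br>Security Team, CompanyX</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification for the example: keep the last two labels. Production code
    # should consult the public suffix list (co.uk and friends break this rule).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def header_domain(header_value):
    """Domain part of the first address in a From/Reply-To header, or '' if absent."""
    _, address = utils.parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def analyze_email(raw, company_domain=COMPANY_DOMAIN):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = header_domain(msg["From"])
    reply_dom = header_domain(msg["Reply-To"])
    if from_dom and from_dom != company_domain:
        findings.append(f"sender domain {from_dom} is not {company_domain}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # The visible text says "company website"; the href decides where the user really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            if registrable_domain(host) != company_domain:
                findings.append(f"link '{text}' points to {host}, not {company_domain}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("-", finding)
```

The lookalike hostname in the sample starts with `companyx.example`, which is exactly what a hurried reader sees in the status bar; comparing the registrable domain rather than the leading labels is what catches it. A mail gateway rule implementing these three checks will not stop every phish, but it removes the easy version of the attack the text walks through.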
What can we do to stop the bad guys?
The Verizon report has some key takeaways to improve your security.
1. Security awareness training is now pretty critical for most organisations; it absolutely needs to be part of your security policy and should be conducted at least yearly.
2. Rename default admin accounts to something that cannot be guessed.
3. Use separate accounts to access separate systems; if one account gets compromised you limit the damage to a single system.
4. Use two-factor authentication everywhere.
5. Collect your audit and accounting logs in a central location, and have an expert go through them with automated tools, like a SIEM.
6. Patch your systems within 24 hours of new patches becoming available.
7. Implement server integrity monitoring so you see changes to critical infrastructure, such as file or registry changes.
8. Change passwords on a regular basis.