One of the most common traits underlying the worst breaches I've seen, and many that are publicly disclosed, is an externally reachable server that is also a member of the organization's Active Directory domain.
Many IT architects and Windows administrators seem blind to the threat this poses. An application vulnerability or a misconfiguration on that one server gives an attacker a foothold on a domain member, and from there the credentials of whoever has logged on to it become the path to the rest of the domain. The attacker can essentially take over the entire network.
This is just one example, but it is a commonly exploited one. Staff in architecture roles need a working understanding of common attacker tactics in order to weigh design decisions in an IT system or network intelligently.
We are all familiar with the Shellshock issue in bash. We know that it's exploitable via CGI on web servers, through the DHCP client on Linux systems, and that it can bypass ForceCommand restrictions in SSH. Yesterday, a new spate of techniques was discussed pretty widely: through OpenVPN, SIP and more.
These aren't really problems with OpenVPN or SIP. They are still the same problem with bash: any service that copies untrusted input into an environment variable and then runs bash, directly or through a helper script, is a vector. These discoveries should highlight the importance of patching a problem like Shellshock quickly, rather than assuming a system is safe just because it isn't running a web server, uses a static IP and doesn't rely on SSH restrictions. If it's running OpenVPN with username/password authentication (an auth-user-pass-verify script that receives the credentials through environment variables), it's exploitable. The broader point, however, is that we could be finding innovative new ways to exploit Shellshock through different services for months.
Just patch bash. And get on with life.
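To make the point concrete, here is an added example (my own code, not code from the original post or from bash, OpenVPN or any other project named above) in Python. It probes a bash binary for the original Shellshock bug, CVE-2014-6271, and then reproduces the hand-off that makes services like OpenVPN's auth-user-pass-verify script or a CGI gateway dangerous: client-supplied text is copied into an environment variable and bash is started. The variable names `x` and `username`, the marker string and the harmless script body are assumptions for the demonstration, and only the first bug is probed, not the follow-on bash parser CVEs.

```python
"""Added example (not from the original post): probe a bash binary for the
original Shellshock bug (CVE-2014-6271) and reproduce the environment hand-off
that turns any bash-calling service into a vector."""
import os
import shutil
import subprocess

MARKER = "SHELLSHOCK"
# A bash function definition followed by a trailing command. A vulnerable bash
# executes the trailing command while importing the variable from the
# environment; a patched bash refuses to import it and prints only the script
# output. The variable names and marker are assumptions for this example.
PROBE_VALUE = "() { :;}; echo " + MARKER


def classify(stdout):
    """Decide from captured stdout whether the trailing command ran."""
    return "vulnerable" if MARKER in stdout else "patched"


def run_with_env(bash, name, value, script):
    """Start `bash -c script` with one extra environment variable set, the
    way a daemon does when it hands request data to a helper script.
    Returns captured stdout, or None if the binary cannot be found."""
    path = shutil.which(bash)
    if path is None:
        return None
    env = dict(os.environ)
    env[name] = value
    proc = subprocess.run([path, "-c", script], env=env,
                          capture_output=True, text=True, timeout=10)
    return proc.stdout


def shellshock_probe(bash="bash"):
    """Return 'vulnerable', 'patched' or 'missing' for the given bash binary."""
    out = run_with_env(bash, "x", PROBE_VALUE, "echo ok")
    return "missing" if out is None else classify(out)


def simulate_env_handoff(bash="bash", username=PROBE_VALUE):
    """Mimic OpenVPN's auth-user-pass-verify (method via-env), a CGI gateway
    passing HTTP headers, or a dhclient hook: the daemon copies client-supplied
    text into an environment variable, then runs a bash script. The script body
    here is harmless; on vulnerable bash the payload runs before it does.
    Returns 'injected', 'contained' or 'missing'."""
    out = run_with_env(bash, "username", username, 'echo "checking user"')
    if out is None:
        return "missing"
    return "injected" if MARKER in out else "contained"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "bash"
    print(f"{target}: {shellshock_probe(target)}; "
          f"env hand-off: {simulate_env_handoff(target)}")
```

Run it against each bash binary on a host (for example `python3 shellshock_probe.py /bin/bash`, with the file name assumed). A result of `patched` for the probe and `contained` for the hand-off means bash ignored the function definition in the environment. The second function is the one to keep in mind when reading the OpenVPN and SIP reports: the service never has to do anything wrong, it only has to put attacker text into the environment before bash starts.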
We are pretty well aware of the malware risks that our users and family members face from spear phishing, watering holes, exploit kits, tainted downloads and so on.
As IT and security people, most of us like to think of ourselves as immune to these threats. We can spot a phish from a mile away. We would never download anything that would get us compromised. But the reality is that it does happen. To us. We don't even realize that copy of WinRAR was trojaned. And now we are off doing our jobs. With uninvited visitors watching. It happens. I've been there to clean up the mess afterward and it's not pretty.
The computers we use to manage IT systems and applications are some of the most sensitive in the average business. We ought to treat them accordingly.
Here are my recommendations:
- Perform administrative functions on a PC that is dedicated to the task, not used to browse the Internet, check email or edit documents.
- Isolate computers used for these administrative functions on separate networks that have only the inbound and outbound access they need.
- Monitor these computers closely for signs of command and control activity.
- Consider how to implement similar controls for performing such work from home.
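As an added example of what "minimum outbound access" and "monitor for command and control" can look like in practice (my own code, not the post's), the Python script below runs two checks over a constructed firewall log for an assumed admin-workstation VLAN of 10.50.1.0/24 that may only reach the management network 10.50.0.0/24 and an internal patch mirror at 10.50.2.5 on a handful of management ports. The first check lists every flow that left that allowlist, whether or not the firewall let it through; the second flags flows whose connection times are evenly spaced, the signature of a beaconing implant. The addresses, ports, log format, sample lines and thresholds are all assumptions.

```python
"""Added example (not from the original post): egress-allowlist and beacon
checks for a dedicated admin-workstation VLAN, run over a constructed log."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed topology: admin workstations live in 10.50.1.0/24 and may only reach
# the management network and an internal patch mirror on management ports.
ADMIN_NET = ipaddress.ip_network("10.50.1.0/24")
ALLOWED_DST = [
    ipaddress.ip_network("10.50.0.0/24"),  # jump hosts, DCs, management interfaces
    ipaddress.ip_network("10.50.2.5/32"),  # internal patch mirror
]
ALLOWED_PORTS = {22, 443, 3389, 5985, 5986}  # SSH, HTTPS, RDP, WinRM

# Constructed firewall log: one connection attempt per line. 10.50.1.20 does
# legitimate admin work and also phones home to 198.51.100.7 every minute.
SAMPLE_LOG = """\
2014-10-01T09:00:03Z src=10.50.1.20 dst=10.50.0.10 dport=3389 action=allow
2014-10-01T09:00:10Z src=10.50.1.20 dst=198.51.100.7 dport=443 action=allow
2014-10-01T09:01:10Z src=10.50.1.20 dst=198.51.100.7 dport=443 action=allow
2014-10-01T09:01:47Z src=10.50.1.20 dst=10.50.0.11 dport=22 action=allow
2014-10-01T09:02:11Z src=10.50.1.20 dst=198.51.100.7 dport=443 action=allow
2014-10-01T09:03:10Z src=10.50.1.20 dst=198.51.100.7 dport=443 action=allow
2014-10-01T09:03:20Z src=10.50.1.21 dst=10.50.2.5 dport=443 action=allow
2014-10-01T09:04:10Z src=10.50.1.20 dst=198.51.100.7 dport=443 action=allow
2014-10-01T09:05:40Z src=10.50.1.20 dst=10.50.0.10 dport=3389 action=allow
2014-10-01T09:06:02Z src=10.50.1.21 dst=203.0.113.9 dport=8080 action=deny
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"action=(?P<action>\w+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport, action) for every well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the monitor
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["dst"], int(m["dport"]), m["action"]


def is_permitted(dst, dport):
    """True if the destination and port are inside the admin-VLAN allowlist."""
    addr = ipaddress.ip_address(dst)
    return dport in ALLOWED_PORTS and any(addr in net for net in ALLOWED_DST)


def egress_violations(text):
    """Count admin-VLAN flows that fall outside the allowlist, keyed by
    (src, dst, dport). Denied attempts count too: the box should never have
    tried, and an allowed hit means the firewall policy is too loose."""
    counts = defaultdict(int)
    for _ts, src, dst, dport, _action in parse_log(text):
        if ipaddress.ip_address(src) in ADMIN_NET and not is_permitted(dst, dport):
            counts[(src, dst, dport)] += 1
    return dict(counts)


def beacon_candidates(text, min_hits=4, max_jitter=0.10):
    """Flag admin-VLAN flows whose connection times are evenly spaced.
    Returns (src, dst, dport, median_interval_seconds) for each flow with at
    least min_hits connections whose gap spread is within max_jitter of the
    median gap. Legitimate periodic traffic shows up too; an analyst clears it
    once, and an unexplained beacon is worth the look."""
    times = defaultdict(list)
    for ts, src, dst, dport, _action in parse_log(text):
        if ipaddress.ip_address(src) in ADMIN_NET:
            times[(src, dst, dport)].append(ts)
    found = []
    for (src, dst, dport), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue  # bursts in the same second are not a beacon pattern
        if (max(gaps) - min(gaps)) / median <= max_jitter:
            found.append((src, dst, dport, median))
    return found


if __name__ == "__main__":
    for (src, dst, dport), n in egress_violations(SAMPLE_LOG).items():
        print(f"egress violation: {src} -> {dst}:{dport} x{n}")
    for src, dst, dport, period in beacon_candidates(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst}:{dport} every {period:.0f}s")
```

The allowlist is the real design decision; the beacon test is a blunt heuristic (fixed period, low jitter) that will also catch monitoring agents and similar legitimate periodic traffic, which is why it reports per flow rather than per connection. Implants that randomise their sleep interval need a wider `max_jitter` or a different test, and a beacon to an allowed destination is still a beacon if a management host has been compromised, so both lists are worth reading together. An allowed hit in the first list is the louder finding: it means the admin network's outbound policy is not actually minimal.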
What do you do to protect your IT users?
Tomorrow starts National Cyber Security Awareness Month. Many different organizations will be posting security awareness information to help your employees not get cryptolockered and to help your friends and family keep their private selfies private.
I'm going to take a different path with this site for the month of October. I'm going to talk about security awareness for US: IT and infosec people.
I have been working in this field for a long time. I see stunningly bad decisions by IT behind the worst incidents I've been involved in. These decisions weren't malicious, but rather demonstrated a lack of awareness of how spectacularly IT infrastructures can fail when they are not designed well, when we misunderstand the limitations of technology and when we're simply careless while exercising our administrative authority.