ITrust white paper: Top 10 vulnerabilities

« ITRUST » WHITE PAPER

ITrust experts found that 10 security breaches represent 99% of the total security breaches companies are faced with.

Written by ITrust, November 2013, based on the audits conducted over the past 5 years by our penetration testing team.

WHITE PAPER: Top 10 vulnerabilities by ITrust

Introduction

It doesn't come as a big surprise that last year's headlines still talked about cybercrime. This issue is now one of the major challenges governments are dealing with. We all still remember how mediatized the Elysée hacking was [1].

75% of companies were hacked within the last two years, according to a Cenzic study [2]. That number rose to 90% according to our calculations. This statement is based on what the ITrust team has diligently observed during its pentest missions.

Over the past 5 years, our consultants intervened over a hundred times to perform penetration tests for our customers. These tests are realized both internally and externally (to test DMZ customer services or even websites). You can find below our test distribution.

[Figure: Audits distribution per year, y-axis: number of audits. Total: 104 audits. Note on the chart: The year 2013 is only based on]

Distribution by type of audit conducted: internal 50%, external 38%, web 12%.

The stats in this white paper are recovered from the data sample we are dealing with, to provide an objective view.

This article gives an overview of the 10 most commonly encountered vulnerabilities during our audits, with case studies attached. It is therefore accurate feedback from ITrust's technical teams over the last 5 years. During our audits or incident interventions, we observed that 99% of information systems had been compromised by at least one of these 10 breaches. Correcting these 10 main vulnerabilities would heighten the security level of an organization.

Thus, we provide information concerning the business structure:

Distribution of our customers by number of employees: over 500 (38%), less than 500 (12%), less than 100 (15%), less than 20 (35%).

And the field of activity of our customers:

Distribution of our customers by field of activity: Service (19%), Bank (19%), Industry (15%), Host (6%), Public (4%), Hotel (4%), Health/agro (25%), Aerospace (8%).

10. LOGGING TOO VERBOSE: « the network tea room »

Feedback: Top 10 vulnerabilities encountered. Fixing these vulnerabilities would raise the level of security of an organization.

This vulnerability is not exactly a real one, but is often the first step during penetration tests. Even though this flaw cannot directly compromise a system, it allows useful information to be collected, especially finding out relevant targets. In the talkative group, we find the 2 main servers:

DNS servers

DNS is an essential and useful service, which ensures the smooth functioning of application services such as browsing and messaging. Most of the time, doors are opened in the whole network. Then, hackers use the DNS zone transfer to list all the assets within the domain. Thus, they can quickly find out the interesting targets, by responsibility or department (R&D, Accounts).

Wordy domain controllers

Domains that are too wordy give attackers critical information to organize their attacks. Through LDAP or Samba connections, they often get relevant information such as the domain name, the operating system version (fingerprint) and, even more useful for them, the domain users list. It is possible to obtain in the same way, for each machine, the connected users.

Case study: enumerating user accounts on a domain

Using the rpcclient command under Windows:

    # > rpcclient 192.168.1.1 -p 139 -U% -c enumdomusers
    session request to 192.168.0.4 failed (Called name not present)
    user:[Admin] rid:[0x1f4]
    user:[Guest] rid:[0x1f5]
    user:[Accounting] rid:[0x476]
    user:[Commercial] rid:[0x4c3]

Using rpcclient to enumerate domain administrators:

    # > rpcclient 192.168.0.4 -p 139 -U% -c 'querygroupmem 0x200'
    session request to 192.168.0.4 failed (Called name not present)
    rid:[0x1f4] attr:[0x7]
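As an added example, not code from ITrust's paper: the configuration check a defender runs against the zone transfer exposure described above, auditing BIND allow-transfer directives. The named.conf fragment, zone names and addresses are constructed for the demo.

```python
import re

# Constructed named.conf fragment (not from the white paper): one zone restricted
# to a secondary, one open to anyone, one relying on the global options block.
SAMPLE_NAMED_CONF = """
options {
    allow-transfer { none; };
};
zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-transfer { 10.0.0.53; };
};
zone "intranet.example" {
    type master;
    file "intranet.example.zone";
    allow-transfer { any; };
};
zone "legacy.example" {
    type master;
    file "legacy.example.zone";
};
"""

OPTIONS_RE = re.compile(r'options\s*\{(.*?)\n\}', re.S)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def transfer_acl(block):
    """Return the allow-transfer ACL entries of a config block, or None if absent."""
    m = TRANSFER_RE.search(block)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_zone_transfers(conf):
    """Map each zone to a verdict starting with 'open' or 'restricted'.
    A zone without its own directive inherits the options block; if neither sets
    allow-transfer, classic BIND 9 releases answer AXFR for anyone, which is the
    exposure attackers use to list every host in the domain."""
    opts = OPTIONS_RE.search(conf)
    global_acl = transfer_acl(opts.group(1)) if opts else None
    verdicts = {}
    for name, body in ZONE_RE.findall(conf):
        acl, scope = transfer_acl(body), "zone"
        if acl is None:
            acl, scope = global_acl, "global"
        if acl is None:
            verdicts[name] = "open (no allow-transfer set; default allows any)"
        elif "any" in acl:
            verdicts[name] = f"open (allow-transfer any, {scope} scope)"
        else:
            verdicts[name] = f"restricted ({scope} scope: {', '.join(acl)})"
    return verdicts


def open_zones(conf):
    """Sorted names of zones that would answer a zone transfer from anywhere."""
    return sorted(z for z, v in audit_zone_transfers(conf).items() if v.startswith("open"))
```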

9. TRUST-BASED RELATIONSHIP: spreading compromise

Within a UNIX environment, remote login programs (rlogin and rsh) use a poor authentication system which also allows them to set up a trust-based relationship between the machines (via the .rhosts or hosts.equiv file). This way, if a machine is compromised, the hacker has easy access to the whole set of trusted machines.

In most cases, these applications are forbidden by the security policy requirements in favour of more secure tools such as SSH. But experience reveals that a bounce is still possible because of the lack of private key protection: the related public key can often be used on a wide range of servers, which allows the attacker to connect onto them.

Within a Windows environment, it is possible to define trust relationships between Active Directory domains. In that situation, the user directory is replicated between the trusted domains. If an attacker can obtain an account on a « weaker » domain, then he will have full access to all the domains with that account.

« Insiders are the biggest threat »: employees are the weakest link for IT security. They represent 50% of security risks.

8. ACCESS RIGHT MANAGEMENT: need-to-know

Need-to-know is one of the most important security concepts used to ensure the protection of confidential data. Access rights and permissions management often has its weaknesses: access restrictions that are too weak or even non-existent allow the recovery of strategic and confidential information.

Case study: trusted insider test, trainee example

In most Active Directory architectures, users are assigned to several groups and shared contents are opened to some groups. A trainee is added to the group of his supervisor(s). The test consists in finding what information can be obtained. At the end of the test, the experience highlights that the person has at least obtained confidential data. Moreover, in most cases, it also points to information about user accounts that can be used to become a server administrator.
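An added example (not from the paper) for the UNIX part of the trust section above: a Python audit that flags wildcard trust in .rhosts/hosts.equiv files and public keys accepted on several servers, the situation that lets one stolen private key bounce across the fleet. Host names and key blobs are constructed.

```python
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")

# Constructed fleet snapshot (not from the white paper): per host, the contents of
# /etc/hosts.equiv and a user's ~/.ssh/authorized_keys. Key blobs are made up.
FLEET = {
    "db01": {
        "hosts.equiv": "app01 deploy\n+ +\n",
        "authorized_keys": "ssh-ed25519 AAAAC3constructedKeyOps ops@bastion\n"
                           "ssh-rsa AAAAB3constructedKeyDba dba@db01\n",
    },
    "app01": {
        "hosts.equiv": "db01 deploy\n",
        "authorized_keys": 'from="10.0.0.5" ssh-ed25519 AAAAC3constructedKeyOps ops@bastion\n',
    },
    "web01": {
        "hosts.equiv": "",
        "authorized_keys": "# shared ops key\nssh-ed25519 AAAAC3constructedKeyOps ops@bastion\n",
    },
}


def rhosts_wildcards(text):
    """Entries of a .rhosts/hosts.equiv file that trust any host ('+') or any user."""
    bad = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        host, user = fields[0], fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":
            bad.append(line.strip())
    return bad


def parse_authorized_keys(text):
    """Yield (key_type, key_blob); tolerates a leading options field without spaces."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                yield field, fields[i + 1]
                break


def shared_keys(fleet, min_hosts=2):
    """Public keys accepted on at least min_hosts hosts: one stolen private key
    then opens all of them, the bounce the section describes."""
    hosts_by_key = defaultdict(set)
    for host, files in fleet.items():
        for key in parse_authorized_keys(files.get("authorized_keys", "")):
            hosts_by_key[key].add(host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) >= min_hosts}


def audit_trust(fleet):
    """Both findings in one report, keyed so a reviewer can act on them."""
    wildcards = {h: rhosts_wildcards(f.get("hosts.equiv", "")) for h, f in fleet.items()}
    return {
        "wildcard_trust": {h: w for h, w in wildcards.items() if w},
        "shared_keys": shared_keys(fleet),
    }
```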

7. ADMINISTRATION PROTOCOLS: the devil is in the details

Even in companies where security is considered on users' workstations and servers, some kinds of equipment are regularly forgotten: active network elements such as switches, routers or printers are often overlooked. Thus, default administration passwords are rarely changed and, if they are, default-enabled administration protocols remain on that kind of device.

The presence of insecure protocols used to pass unencrypted passwords is a very important source of attacks. For instance: FTP, Telnet…

Although production equipment and printers represent only 1% of security threats, they are often too neglected.

[Figure: bar chart of security threats by asset type, 0% to 25% scale. Categories: laptops, workstations, network, mobile data, tablets/computers, data centers, production equipment, standards/guidelines, printers. Values shown: 21%, 20%, 13%, 12%, 10%, 4%, 3%, 1%, 1%.]

Case study: SNMP on an agency router

This happened during one of our audits. A VPN router of one of our client's agencies had an SNMP service activated, listening on the Internet. The default setup allowed us to read and write MIB information. The setup scenario consisted in redirecting DNS requests to one of our servers and reviewing the statistics. After this convincing first step, the
Then, we can collect all the forwarded messages.

Case study: Production stopped

SNMP is not the only open administration protocol. Let's take the example of an inverter on a client's production lines. This inverter is on
just have to log on to the admin web server with the default accounts in order to turn off all the production services.

6. DATABASES

Databases are chosen targets because of the important information they hold. When default passwords are changed, database webmasters (who manage lots of servers) often use weak passwords depending on the name of the server. More than the confidential information they contain, these databases include users lists on which you can easily crack the passwords. Then, these accounts can be used to carry on the network attack.

Nowadays, database hacking is 14% of security threats. Gamigo's database was pirated in 2012: http://buff.ly/11umuYS

Case study: ERP, a perfect target

For this case, the company used to let salespersons have an ERP instance on their computer in order to use it when they are in on-site contact with customers. As the database
could get the company's clients list and its associated offers. This would be a real treasure for attackers to find and re-sell.
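Added example, not the paper's: a configuration audit for the SNMP case study above, flagging default community strings, write access to the MIB and missing source restrictions in net-snmp and Cisco IOS style configuration. Both configs are constructed; nothing here is the audited client's.

```python
import re

# Well-known default community strings shipped by many vendors; extend per site.
DEFAULT_COMMUNITIES = {"public", "private"}

# net-snmp style:  rocommunity public [SOURCE]   rwcommunity secret 10.0.0.0/8
NETSNMP_RE = re.compile(r"^\s*(ro|rw)community6?\s+(\S+)(?:\s+(\S+))?", re.I)
# Cisco IOS style: snmp-server community public RW [ACL]
CISCO_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)\s+(RO|RW)(?:\s+(\S+))?", re.I)

# Constructed configs (not the audited client's): a branch VPN router and a
# net-snmp agent, each with one acceptable entry and some dangerous ones.
SAMPLE_ROUTER_CONFIG = """
snmp-server community public RO
snmp-server community private RW
snmp-server community m0nitor-only RO 10
"""
SAMPLE_SNMPD_CONF = """
rocommunity public default
rwcommunity private 192.168.1.0/24
rocommunity n0c-r34d0nly 10.0.0.0/8
"""


def parse_communities(config):
    """Yield (community, access, source); source is None when any address may use it."""
    for line in config.splitlines():
        m = NETSNMP_RE.match(line)
        if m:
            access, name, src = m.group(1).lower(), m.group(2), m.group(3)
            yield name, access, None if src in (None, "default") else src
            continue
        m = CISCO_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)


def audit_snmp(config):
    """List (community, access, problems) for every entry that needs fixing.
    The case study's router combined default strings and write access with
    Internet exposure; a source restriction is the third control checked here."""
    findings = []
    for name, access, source in parse_communities(config):
        problems = []
        if name.lower() in DEFAULT_COMMUNITIES:
            problems.append("default community string")
        if access == "rw":
            problems.append("write access to the MIB")
        if source is None:
            problems.append("no source restriction")
        if problems:
            findings.append((name, access, problems))
    return findings
```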

5. FILE SHARING

Many systems have file sharing. Shares may be managed via various communication protocols (FTP, NFS, SMB…). Generally, restrictions on these shares are weak or non-existent. Whether it is an anonymous FTP access allowed or an access restriction limited to the company network for the network shares (SMB or NFS), an attacker has the possibility to obtain a lot of confidential information. When an attacker chooses to use the scorched earth tactic and to delete all the files (backup, financial data…), the damage caused is extremely high.

Case study: management's printer

By default, the latest printers have some shares activated to receive scans or faxes.
management's photocopies, scans and faxes.

Printers can be remotely controlled online by computer criminals. Some researchers from Columbia University claim that this could impact millions of companies, consumers and governmental organisms: http://buff.ly/ZWQ2Mv

4. ABANDONED SERVERS

During our audits, we found that a hardware or software inventory is almost never done within information systems. During an audit, when we discover unmaintained and highly vulnerable test servers or abandoned servers, administrators are surprised as they were not even aware of these items on the network. These servers are easy to exploit and can still hold valid and usable information. Moreover, they are used as relays to attack more relevant targets.

3. WEB VULNERABILITY

This category could be a whole article as it is a very wide subject. In our case and according to our sample, web vulnerabilities do not represent the majority of encountered vulnerabilities. However, very often, especially during the auditing of a website, it is possible to observe some application vulnerabilities.

If we confront the top 10 web vulnerabilities given by OWASP [3], this is what we can conclude given our field experience. We can place the vulnerabilities we're faced with into 2 categories:

Phase 1: Entry points

These vulnerabilities allow a first system assessment and give information. By frequency order, we find:

• Not updated systems (this vulnerability category is a whole top 10 paragraph)
• SQL injections
• XSS attacks
• Sessions management

Phase 2: Operation

This vulnerability category allows, in a second step, exploitation of the information collected in phase 1. In this category we find:

• Sensitive data exposure
• Lack of restricted privileges
• Lack of secure configuration

As soon as an exploitable vulnerability is identified on the website, if privileges are not rightly managed, it is possible to access the server and obtain all rights. According to the hacker's nuisance potential, the exploitation can go from a website breakdown, to some data loss (potentially sensitive, like banking data), to the creation of a zombie and, worst case scenario, to data deletion.

Case study: working session hijacked / video surveillance systems

an online access. Session cookies are not protected and allow replays. Thus, all users can guess the cookie format and access another company's video surveillance system. The issue could be limited to a client disclosure issue if passwords were not that weak. But
robbery.

Case study: unprotected PHP functions

Websites offer the possibility to update some contents (like images, for instance) and use PHP upload functionalities. If strict controls of these functionalities are not in place, it is possible to upload a web shell and to obtain information such as condensed (hashed) passwords. This allows access to the
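An added example (not from the paper) for the session hijacking case study above: a predictable cookie of the kind described, next to a server-side session with a random identifier, HMAC-bound claims, expiry and revocation, so a captured cookie cannot be guessed, altered or replayed after logout. Company and user identifiers are constructed.

```python
import hashlib
import hmac
import secrets


def weak_session_cookie(company_id, user_id, issued_at):
    """Pattern of the case study: every field is predictable, so a logged-in customer
    can write a neighbour's cookie by hand and replay it indefinitely."""
    return f"{company_id}-{user_id}-{issued_at}"


class SessionStore:
    """Server-side sessions: random id, HMAC-bound claims, expiry and revocation.
    Identifiers are treated as strings and must not contain '|' (the separator)."""

    def __init__(self, key=None):
        # Per-deployment secret; in production it would come from a secret store.
        self.key = key or secrets.token_bytes(32)
        self.active = {}  # session id -> (company_id, user_id, expiry)

    def _tag(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, company_id, user_id, now, ttl=900):
        """Return a cookie value whose id is unguessable (256 bits of entropy)."""
        sid = secrets.token_urlsafe(32)
        expiry = now + ttl
        self.active[sid] = (str(company_id), str(user_id), expiry)
        payload = f"{sid}|{company_id}|{user_id}|{expiry}"
        return f"{payload}|{self._tag(payload)}"

    def verify(self, cookie, now):
        """Return (company_id, user_id), or None for a forged, altered, expired
        or revoked cookie. Every failure path is a replay or tampering attempt."""
        parts = cookie.split("|")
        if len(parts) != 5:
            return None
        sid, company_id, user_id, expiry, tag = parts
        payload = "|".join(parts[:4])
        if not hmac.compare_digest(tag, self._tag(payload)):
            return None  # claims were edited or the cookie was fabricated
        claims = self.active.get(sid)
        if claims is None or claims != (company_id, user_id, int(expiry)):
            return None  # unknown or revoked session id
        if now >= int(expiry):
            return None  # expired: bounds how long a captured cookie stays useful
        return company_id, user_id

    def revoke(self, cookie):
        """Logout: a captured cookie can no longer be replayed afterwards."""
        self.active.pop(cookie.split("|")[0], None)
```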

2. PASSWORDS

A default or common password gives access to confidential resources; this was observed in 96% of our customers' audits. A trainee would be able to reach it. This is an issue for users in a company whose awareness is the highest, and it is still one of the attack vectors the most used and the easiest to carry out.

Feedback: top 3 of the weakest passwords encountered:

- Account without password
- Same login and password
- Generic password on created accounts

And let us not forget the user name as password, the name of the user's kids or a word from the dictionary…

Case study: BlackBerry server

To illustrate this issue, we return to the case of a Windows server with the administrator's password of the database left by default. With this access we can create a new user within the system and we can see that the BlackBerry
obtained.

1. COMMON SECURITY RISKS

This should be the most occasional problem and is paradoxically the easiest and the most automated to exploit. Common security vulnerabilities are known and, once published, the vendors provide patches. To be protected against risks, systems just need to be updated. However, these vulnerabilities are the biggest attack vector for information systems.

We remember the hacking of Sony's PlayStation Network. This hacking was possible through a known vulnerability with an available update. The latest news involved systems not updated for many years.

In addition to the 10 vulnerabilities, 3 other vulnerabilities can be added to the top 10, increasing the total to 13 vulnerabilities. This top 13 shows us all exploitable vulnerabilities of an information system.

> Human vulnerabilities. For instance: an employee gives his password to a fake system administrator, via phone or mail.
> Application flaws
> Unknown vulnerabilities
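Added example covering both the passwords section above and the databases section (passwords derived from the server name), not code from the paper: a check that flags the three weak patterns listed above plus host-name-derived passwords, meant to run when a password is set or over an exported credential list. Account data is constructed.

```python
import re

# Digits and symbols commonly substituted for letters; undone before comparison so
# "SqlPr0d2013!" is recognised as derived from "sql-prod-02".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
GENERIC = {"password", "changeme", "welcome", "admin", "root", "test", "secret"}

# Constructed credential export (not the white paper's data): (server, login, password).
ACCOUNTS = [
    ("sql-prod-02.corp.example", "sa", ""),
    ("sql-prod-02.corp.example", "report", "report"),
    ("sql-prod-02.corp.example", "dba", "SqlPr0d2013!"),
    ("erp-db.corp.example", "erp", "Erpdb#1"),
    ("erp-db.corp.example", "admin", "Passw0rd"),
    ("erp-db.corp.example", "backup", "v7#Kq9!mZ2wL"),
]


def normalize(secret):
    """Lower-case, undo leet substitutions and keep letters only."""
    return re.sub(r"[^a-z]", "", secret.translate(LEET).lower())


def server_tokens(server, min_len=3):
    """Alphabetic pieces of the host's first DNS label, e.g. 'sql-prod-02' -> sql, prod."""
    label = server.split(".")[0].lower()
    return [t for t in re.findall(r"[a-z]+", label) if len(t) >= min_len]


def password_problems(server, login, password):
    """Return the paper's three weak-password patterns plus the database one
    (password built from the server name). A heuristic: short host tokens such
    as 'web' can cause false positives, which a reviewer then discards."""
    if not password:
        return ["no password"]
    npw, nlogin = normalize(password), normalize(login)
    problems = []
    if nlogin and npw in (nlogin, nlogin[::-1]):
        problems.append("same as login")
    if npw in GENERIC:
        problems.append("generic/default password")
    for token in server_tokens(server):
        if token in npw:
            problems.append(f"derived from server name ({token})")
            break
    return problems


def audit_accounts(accounts):
    """(server, login, problems) for every account that fails at least one check."""
    report = []
    for server, login, password in accounts:
        problems = password_problems(server, login, password)
        if problems:
            report.append((server, login, problems))
    return report
```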

Conclusion

During an audit, we penetrate an information system more than 9 times out of ten. We do so starting with the common security breaches (in the top 10), through a simple Internet connection. If we can make it, so can the hackers or malware.

Then, what do we do?

We often meet customers who pile up security tools instead of eliminating the 10 main breaches, which would increase their security level exponentially. This is the reason why it is necessary to set up permanent controls to check these points. This year, a Verizon report showed that 97% of the data violations could have been avoided through basic controls [4].

I have been a security expert for 15 years. I have been the BNP's trading room security director. I am an ISS cloud expert in the National Assembly. I am the CEO of ITrust, founded 7 years ago.

Our activity is complex. You can find a lot of standards and methods. You can find an incalculable number of tools, viruses, methods, schools which use their own process or protocols. It is a young activity, practised for only 20 years.

With the new threats arising, especially APTs and the cloud, our clients remain expectant. Few of them understand why, still after 20 years, we have to keep improving systems with new methods and new tools. They find with surprise and incredulity that firewalls and antiviruses are no longer efficient enough to protect them. They realise that many of us lied to them, promising the end of their troubles with new tools.

We are currently at a turning point in our activity. Attacking technologies prevail over defending ones. The gap between the hackers and the engineers is widening. The systems are extraordinarily vulnerable and the efficient technologies are rare. Similarly to medicine, current antibiotics are not that efficient.

By filling the gap between the sword and the shield (with a behavioural analysis technology, for instance), we wanted to explain to our clients and to our CISOs that there is another, complementary way to classic medicine, through ITrust. An alternative, but a complementary one, based on better practices and good hygiene. A kind of "Chinese medicine" that prevents rather than cures.

Even though all problems could be avoided with very simple controls, each year more companies are suffering serious incidents related to cyber security. For example, did you know that 98% of the companies we checked use default passwords?

You think you are not facing security problems? Of course: 8 companies out of 10 suffer from attacks or intrusions and they don't even know it. You have firewalls and protection systems but you are still suffering from malicious attacks. We have been told for years that we must protect ourselves, but the analysis remains terrible. Despite all the tools and significant security budgets, basic security principles are not respected. We remain as vulnerable as before and it is easy even for an intern to get confidential information off the networks. Or even for a Korean student to get your ERP rate base or to launch a significant DDoS attack on your infrastructure.

To convince you, a story that deserves a conference:

Simple solutions and controlled procedures would mostly have avoided major disasters:

• BP oil rig: the valve security system was disabled due to the generation of a large amount of false positives.
• Société Générale, Kerviel case: the trader was also the designer of the trading tool.
• Fukushima: engineers were convinced that the cooling pump was open.
• Stuxnet virus: using the default password of Siemens devices.
• Heysel disaster: due to a lack of controls, too many spectators without tickets attended the match.

Most security incidents could have been easily avoided. Did you know that the largest cyber attack (Stuxnet) could have been avoided by changing the default password of Siemens devices?

Security is something simple. It means respecting what is known as common-sense security practices: simple and smart controls.

To avoid being sick, you wash your hands, you have good hygiene and eat healthy... You are grateful not to be stuffed with drugs every morning. That is similar for information system security; but this speech is hard to take in, given that for the last 20 years we kept on hearing that drugs were the only solution to solve our problems.

Leading experts and studies confirm what we say. The antivirus is no longer effective in responding to new threats.

BEST PRACTICES: « Maintaining a good security policy in real time by avoiding default passwords and overseeing the security flaws remains the current best practice for SMEs. » Hervé Schauer, security consultant expert

Over the last years, other experts went along with us: 10 security vulnerabilities are 99% of encountered vulnerabilities in any kind of company.

TOP 10 FLAWS IN ALL ENTERPRISES:
Systems that are too verbose
Weak passwords
Rights to know
Trust between domains
Database default password
DNS servers too wordy for internal domains
Bad shares
Development servers, abandoned servers
Historical and common vulnerabilities

Let's fix these vulnerabilities first and companies' security level will increase exponentially, better than any expensive technology.

ITrust has developed its own solution, IKare, based on these ideas. IKare continuously checks security vulnerabilities of the information system and suggests the appropriate corrections.

What does the police do?

Often, salvation comes from regulation. The moment these controls become mandatory, they will also be systematically implemented.

So?

This is a strong trend: more and more recommendations or compliance standards take this step. These include:

• The health safety guide from ANSSI (link...)
• New constraints related to health data, more and more recommendations
• The SANS top 20

Bibliography

[1] http://lexpansion.lexpress.fr/high-tech/cyberguerre-comment-les-americains-ont-pirate-l-elysee_361225.html
[2] http://www.cenzic.com/resources/reg-required/whitePapers/Ponemon2011/
[3] https://www.owasp.org/index.php/Top_10_2013-T10
[4] http://www.wired.com/images_blogs/threat-level/2012/03/Verizon-Data-Breach-Report-2012.pdf

Writers

Julien Lavesque is ITrust's CTO. He is a security consultant, acting as an auditor, expert and trainer for sixty clients. Telecom and security engineer.

Jean-Nicolas Piotrowski, ITrust's CEO. Security expert for fifteen years, former CISO at BNP Arbitrage trading room. He is general secretary and co-founder of the Digital Place cluster.

Based on a case study by Denis Ducamp, security consultant.

ITrust (www.itrust.fr) is a security company founded in 2007, providing its expertise and products to more than 100 customers in Europe. It develops IKare, a vulnerability management solution. ITrust is a prizewinner of the "Future investment" («SVC» project) and developed a breakthrough technology for behavioural analysis. ITrust was awarded the international digital prize in 2013, given by IEClub and Ubifrance.

White paper: The Top 10 vulnerabilities by ITrust. Exclusive property © ITrust.

55 avenue l'Occitane, BP 67303, 31670 Labège Cedex, France. Tél: +33 (0)567.346.781. Email: [email protected]. www.itrust.fr/en, www.ikare-monitoring.com