Forget new threats: It's the old-school attacks that keep getting you
Pen tester Rob Havelt has found that the most egregious security lapses have nothing to do with the latest, most-hyped threats.
October 21, 2011 — CSO —
Everybody in IT knows it is a dangerous world out there, filled with an endless variety of cyber attacks aimed at compromising and taking advantage of security flaws.
But there is still a persistent lack of awareness of specific threats and how best to confront them, according to Rob Havelt, director of penetration testing for Trustwave, an international provider of information security and compliance solutions.
The irony, he says, is that it is not necessarily the newest, scariest malware or hack technique that can compromise an enterprise.
CSO's Daily Dashboard gives you a one-stop view of latest business threats. We created it for you! Bookmark it! Use it!
"You see people get whipped up into a frenzy about the latest technique that requires all kinds of technical skill to exploit," he says, "while ignoring stuff that has been around since forever. One of the most common things we find on an internal network is bad password policy -- egregious things like 'admin' for an administrative password, or that the system administration password is blank."
Havelt wrote most of "Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests," which Trustwave members presented at SecTor 2011 in Toronto earlier this week. He says one of the things he urges IT leaders to realize is that a "tiny flaw," like a master default password for a PBX exchange can be "blown up into something that has a serious impact."
That, in fact, is one of his amazingly true stories. Havelt was doing a penetration test of what he describes as a "very secure" Fortune 500 financial company with an older Siemens Rolm PBX telephone exchange. While most of the default passwords had been changed, "one account they hadn't changed, which gave us better than administrative access, so we could use it to become any user."
Havelt and his team cloned mailboxes from the company's help desk, which gave them access to any voice mail.
"While we were testing, a new voice mail came in from somebody on the road, whose VPN access wasn't working. I knew how to fix it, so I called the guy and he gave me his user name, token pin and domain password. I helped him fix his problem, but with a single domain password, it's very easy to escalate your privileges. From there, we got into wealth management and the Department of Homeland Security Watch List," he says.
"All from a phone call."
Get your morning news fix with the daily Salted Hash e-newsletter! Sign up today.