Chapter 12
IN THIS CHAPTER
Exploring the need for recommendations
Offering ways to shore up security
Looking at general areas of security to strengthen
Showing how to defend against attacks
Understanding and protecting vectors
In this chapter, I try to capture the most common issues you might encounter and recommendations you’ll likely want to make based on your tools. The chapter focuses on the tools, the report, the output, and your report findings and fuse those with best practices found in the industry today.
Most of what you find in this chapter (and in real life) is that most of the recommendations revolves around systems that are not up to date and need security and other forms of patching or misconfigurations that lead to security risks in your infrastructure, network, and applications.
This is your time to shine! You can highlight many of the items you will learn in your report, create a separate report or put a presentation together and/or give a training class or awareness seminar. All this is part of post-test assessment and recommendations that you can provide your company or clients based on your findings.
You may be given tasks where you just run the pen test, collect the findings, and report them. Other times, you are expected to recommend how to remediate some of the issues you’ve identified.
Before you report any recommendations, think about these key considerations:
Not all recommendations are actionable. You’ll find accepted risks (which are noted on the risk register), and you may have to have alternative solutions in place to mitigate the threat. For example, a router may need to remain exposed.
The recommendation normally would be to block access to the router. Because it needs to be accessed, hardening it with access control lists may be the viable solution in this case.
Some recommendations may not solve the problem. You may make recommendations that are industry-standard solutions that often come from the vendors, but they may not mitigate the risk.
There may be more risks hidden within the solution. This is where retesting (which I cover in the next chapter) comes into play and is a critical piece of pen testing.
When you’re making recommendations, keep in mind you might need to consider information from various sources and that you might need to supply information to someone else. The latter case happens when you’re only running the test and submitting a report, but another person or team actually makes the recommendations.
Here’s where you most likely get information to build a recommendation list, if you’re responsible for this task:
Your first steps are to review what you have conducted and start to develop a recommendations list from your reported findings.
In Figure 12-1 is a snapshot from Nessus that highlights findings I put into a report after a pen test. If I were to create a series of recommendations from this snapshot alone, I may come up with some of the most obvious, such as reviewing the organization’s use of the Firefox web browser installed on Apple OS and whether an upgrade or a patch is needed. At this point, I’m getting the lay of the land if you will.
These are some of the easiest assessment-based recommendations to make because you have a blueprint to follow. You should also use the priority flags from the toolset to provide a priority level to each item for your risk register.
A recommendation to make here may also expand beyond a patch or a security update. You may do some research and find that the browser itself is flawed, it is unable to be fixed (perhaps it’s not fixed by the vendor yet), and is so critical that you need to disable the use of this browser across your organization until it’s fixed.
Making recommendations to harden your network can come from the current pen test and report you conducted and completed. You may have found a series of ports open that allowed access to systems or credentials to devices that were easily cracked and accessed.
There are many ways to secure and harden a network:
www.cisco.com
) is one of the premier vendors of network equipment and software. Cisco provides a hardening guide (as most vendors do) so that you know how to increase your security posture and allow for your systems to be in a higher state of protection then if you didn’t apply many of the suggestions they make.
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
Also, many of these same suggestions (such as using a centralized log collection) can be further used and suggested on other systems regardless of make or vendor. Some of the suggestions are best practices no matter what product you use.
Networks can be laid out in many ways, but most (if not all) generally follow basic standards. You can see most of them in Figure 12-2. The figure shows the most common, which is the division of the internal and external networks (usually by the demarcation of the public or private owned vendor network) that allows you to gain or get access into and out of your internal network. Along the external edge is where most hackers attempt to penetrate because this is where you’re visible on the public Internet.
To access an internal company network, you have to use a public facing connection to then connect in from the edge into the company network to access their core. The core is commonly referred to as the high-speed center of any network that is configured.
Depending on the size of the network, you could say that most core networks at least have a distribution, or access, layer where other switches connect and wired and wireless segments connect together. Most of these segments are configured with different IP address blocks and further configured as virtual local area networks (VLANs). Segmentation (physically by device or logically by VLAN) can help you protect each portion with access lists or firewalls so you can control what people can or can’t access based on what they’re permitted to do.
Making recommendations to secure a local internal network are fairly straightforward:
A major challenge with wireless networks is that they aren’t always set up correctly. An example may be where a hacker is able to see and get a signal from a wireless access point from the external network (refer to Figure 12-2). This can be a hacker with a transmitter hacking from the parking lot with a high-powered antenna to see whether any SSIDs respond to beaconing.
If you show you can in fact gain access this way, here are a few recommendations to make:
The external network is hard to secure because most times you don’t own the systems that the ISP provides. You also need to consider that you are limited in what you can secure, but this is the true power of the pen test and the pen test report. If you find that you scan the provider and edge leading into your private network (the demarcation is considered the DMZ, or demilitarized zone) where you may even host public facing systems, you can show where they need to lock down their own system or if you own them, lock down your own.
Whether you pen test and report on Windows, Linux, Unix, Apple OS, or basically any other operating system in your organization, you will find some form of vulnerability that needs to be patched, fixed, reconfigured, or examined. With the nature of changing technology, there will always be updates that cause more problems later. Most, if not all, pen test output shows operating systems that need patching or protected against some form of threat in the wild.
In general, you can apply across the board some of these common guidelines:
Lock down local administrator rights and privileges. You limit access rights for any user, admin, or anyone permitted to use the system so that they only have rights to do exactly what they need to do.
Because default administrator accounts have access to literally everything, consider making them honeypot accounts to ensnare unsuspecting hackers looking to attempt to use them. Or disable them and give rights to the named accounts of your users and admins with logging enabled to ensure that no unnamed accounts remain in use with the power to do anything on your systems.
You secure servers by hardening them using vendor recommendations. For example, if you have a Windows Server system, a large number of services specific to that vendor are available. You must consider turning all those services on or shutting them off based on what you captured during your pen test.
To generalize, if you run Unix or Windows, you want to make sure that they are both not running extraneous services (like telnet) and secure them with SSH as an example.
No matter what you pen test (and report on), when you’re making recommendations, include general or standard server recommendations and then you make those more specific. To further explain what I mean:
You can follow these same recommendations for any server platform you choose to test.
Client-side attacks are the most common because the desktop (and other desktop level devices) are the most commonly used, easily accessed, least protected and least monitored of all infrastructure components. They are the easiest to infiltrate with malware or even through social engineering.
The most common recommendations:
General infrastructure includes storage platforms, mainframes, tape silos, and anything else that falls outside of the network and servers attached to them. You need to consider each separately and harden it accordingly.
Some examples (and suggestions) include but aren’t limited to all of these devices connect to the network that share network interfaces, ports, and protocols, use TCP/IP (or other protocol), and communicate and pass traffic back and forth. Because they do, every single one of them becomes a target to an unethical hacker or ethical hacker.
Storage systems might be considered the holy grail of data capture. Storage arrays normally host terabytes of data, the company’s databases, and other critical data that keeps many technology-driven companies alive and healthy. To launch an attack and successfully destroy, overwhelm, or subvert any of this infrastructure is an immediate win.
The recommendations are similar to what I cover for networks and systems:
Make sure you have a working copy of your data in a redundant and resilient setup. This is where disaster recovery (DR) and business continuity planning (BCP) become a pen tester’s main suggestion to a client.
If you have the important data backed up and available, any issues to it can be solved.
Mobile systems are increasingly hard to secure. Pen testing them is often more critical than pen testing an internal core network secured by firewalls. As I mention with client-side attack secure recommendations, earlier in this chapter, mobile fits directly into this model where all work and functions are performed on them are transported from place to place in an always-on configuration.
Mobile is normally secured by local biometric access or a password/passcode. Corporate devices face a current challenge with end users wanting to own and operate their own personal devices to access corporate resources.
Recommendations include:
Find out what is being used on employees’ devices and attempt to secure them with protective software and encryption.
Mobile pen testing can be as follows: You send an email to an end user who opens it on the Android phone (or jailbroken iPhone). This allows for an app to be installed, much like a Trojan horse. Access can be provided and from there you can launch attacks. If you know what apps are there, you secure them accordingly.
Assessing cloud and other forms of outsources services that connect to your corporate company can be a true challenge. The truth is, though, it’s not much different than other connectivity you may have, such as ISP connections and disaster recovery locations where you may host systems.
From ports and unused services to firewalls and encryption (and more), this section covers several recommendations that don’t fall specifically under networks and systems. Though general in nature, they’re still important, of course, and so I take them one by one.
One of the most common items to appear on pen test reports is ports. Closing unnecessary server ports helps if you can’t change them or readjust them. The IANA registry shows the list of commonly used and assigned ports:
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
It’s important to be aware of ports and how they’re used and configured. Ports are commonly how attackers and pen test access remote systems through socket connection established by a port and IP address set. The example in Figure 12-4 shows one of the ways you can secure a system by changing the default port. Another consideration is, if Server A wanted to access web services on Server B, it would have to do so by specifying the port by number and look like: 10.1.1.11:8080.
Remove unneeded services from systems and audit them periodically for use. What this means is, if you find that you have the FTP service running on most of your servers but FTP is only really needed on two of them, remove the unneeded ones.
A pen test and thus the pen test report can help guide you into removing these items. Often tools such as Nmap show you what ports are running and commonly map to which services are in use. This highlights what you can shut off.
Make sure that every single piece of technology in your organization is on a patch program where everything is reviewed, tested, and applied as required on a monthly basis.
Installing a firewall is one of the most common things that organizations do to protect their demarcation point and control access to hosts that the company may manage in their DMZ. Figure 12-5 shows how monitoring access in and out of the firewall can be helpful to an organization trying to protect their assets. You can then audit the firewall log to see what connections were attempting to gain access to a specific server. Use that information to look for possible attacks or breaches.
Today, the only thing more important than using a firewall is to make sure all your devices use an active AV program such as the one shown in Figure 12-6. AV is one of the best ways to protect endpoints, client-side devices, and mobile from being flooded with problematic malware.
Another common recommendation is to disable services by blocking ports or disable sharing of resources that are not needed within the operating system you’re hardening. For example, with Windows (and some Linux distributions), you can use SMB or SAMBA and share resources such as folder, printers, and so on. One of the ways malware propagates through a network from system to system is by riding these kinds of protocols.
In Figure 12-7, Nessus found SMB in use on the network and is recommending that you either shut it down (if possible) or configure much needed patches that disallow remote code execution.
Using encryption allows you to not worry about many of the common attacks such as eavesdropping, hijacking, data theft, and packet sniffing and capture. By using protocols, such as SSH, IPsec, and SSL/TLS, you can prevent many attacks through encryption, as shown in Figure 12-8.
This section gives you a quick snapshot of other important recommendations that didn’t fit elsewhere in the chapter.
One really important one is a different view on segmentation. You should always put more critical systems into separate parts of the network whenever possible. This doesn’t just mean network components; it also means the systems that connect to your network such as servers. This can be more easily accomplished with virtualized servers (or virtual machines) within a virtualized host.
Also consider virtualization. With the use of VMware and other technologies you can also create virtual machines (VMs) that allows you to create separate logical networks instead of physical ones, much like VLANs.
Gaining access is one of the biggest targets for hackers (and pen testers), which makes access control where you can potentially thwart incoming attacks. Some of the recommendations you can make here is to
Creating and keeping backups is vital to the health of an organization. You can’t continue operations if you lose critical data or systems with no way to access them after a disaster.
Make no mistake, a breach by hackers is in fact a disaster and your recovery or continuity policy should follow your incident response plan.
As a pen tester, logs are your source of most of the information you collect and a giant source for information you want to populate in your report. One of the ways hackers conduct APTs is by deleting or updating logs. By swapping, changing, moving, deleting, or altering logs, you have false information or no information about breaches.
Figure 12-9 shows a simple log from Solarwinds called Kiwi that allows me to have a router or switch send their syslog information to a separate server that I can access and review. This way, if a router or other device is rebooted, or a log is deleted or changed, I can get a copy of the log saved off the device itself. Securing logs is a very good recommendation that allows organizations a fighting chance to review and monitor activity on devices that are possibly at risk.
I’ve said it before, but I have to say it again: The weakest link is the non-technology assets such as your line workers, desktop users, and mobile workforce. They’re human, and there’s really no way to make 100 percent certain everyone will work diligently to always consider security. This is why awareness training is a must and why it’s an ongoing effort.
Consistent auditing: This can help to provide feedback on programs and how end users feel about security and their ability to withstand an attack. By pen testing them with a phishing email, you can see whether they click it and give you access. If this happens, you want to see how many end users did this through an audit and use that metric as the basis for getting more training for your workforce.
People and skills are important to consider. The more your workforce knows about security, the more likely they will suspect an attack and do something about it if they recognize it.
Separation of duties and a need-to-know environment: Administrators only have access to what they need, not to the entire domain in Windows (as an example). Maybe every network engineer does not need access to the core. Maybe the storage administrator should request higher level access as needed and required.
By separating these, you can protect your assets with a higher security posture. It also helps to alleviate mistakes.
18.223.172.252