2017 SECURITY BULLETIN
2016: THE YEAR IN REVIEW
Dan Weis – Security Specialist, Kiandra IT
2016: IN SUMMARY
Every year we work with a variety of organisations as their trusted IT security provider, delivering a full suite of security services including penetration testing and security awareness training. Security is in our DNA. We love working with our clients to help them manage and improve their security posture, so they can get back to what they do best without having to worry about the ever-changing threat landscape.

With the year at a close, we'd like to take the opportunity to share some common themes and findings that we observed in our engagements throughout 2016, and where organisations should be focusing their efforts to have the best possible defence against future threats.
SECURITY BULLETIN - 2016 Year in Review www.kiandra.com.au

In 2016 our security engagements were varied, from small business through to global organisations spanning 22,000 plus staff. We worked with organisations from the following verticals:
• Education
• Engineering
• Environment and manufacturing
• Finance and superannuation
• Government
• Insurance
• Medical
• Professional services
• Property and commercial real estate
• Retail
• Software and technology
• Sporting and events
• Travel and tourism
• Not-for-profit and volunteer

END USER AWARENESS AND PHISHING ATTACKS
We sent over 7,500 emails into varied organisations for end-user awareness testing. These campaigns tested how users respond to phishing attacks, and whether they would provide us with passwords or an entry point into a corporate network.

Phishing continues to be the weapon of choice for attackers, and as the figures in this bulletin show, it still provides a great degree of success.

On average, our campaigns yielded an 18% click-through rate. Of those who clicked, 24% provided their password without a moment's thought; some users gave us credentials multiple times.

Because many organisations expose remote services such as Citrix, VPNs or Outlook Web Access without multi-factor authentication, a harvested password gives an attacker direct access to the organisation's network.

We also found that, on average, each campaign received 3.72 clicks in under five minutes. In other words, an attacker who sends a credential-harvesting email can have a foothold in the organisation within five minutes of pressing send, well before anyone has reported the message.

Awareness training is an absolute must for all organisations. It should be performed regularly and should be part of on-boarding for new starters. Of the organisations we provided awareness training to, we saw a significant drop in phishing success rates in subsequent tests.

As always, email filtering plays an important role in preventing phishing attacks, especially those carrying malicious attachments (payloads), so organisations should first ensure the appropriate protection systems are in place and tested, and combine this with regular awareness training and endpoint protection.
WIRELESS
Of the wireless environments we assessed throughout 2016, the majority were well secured, using RADIUS and certificate-based authentication and following best-practice security controls. We did encounter a small number of wireless environments that had not been segmented properly, allowing people on the 'guest' network to reach corporate resources such as DNS servers and corporate IP ranges. Organisations using wireless should ensure that the guest network is fully segmented, depends on nothing from the corporate network (including DNS), and allows internet access only. A quick check is to join the guest network and confirm that corporate IP ranges and internal DNS names are unreachable. Captive portals are also a good idea.
[Figures: spear-phishing emails responded to 18% / no response 82%; password provided 24% / not provided 76%; vulnerabilities identified by severity: critical 67%, high 23%, medium 5%, low 5%; web applications with unrestricted access to files/directories 39% / well restricted 61%.]

PERIMETER FACING NETWORKS
Over the course of 2016 we saw a positive trend of organisations placing an emphasis on securing perimeter-facing systems, which we love, but we still found a number of common vulnerabilities.

We classify a vulnerability as 'critical' when it allows remote access to a system, gives rise to a denial-of-service condition, or leaks information that can be used to breach a system. A large portion of these vulnerabilities are due to lapses in patch management and configuration issues.

We successfully compromised a number of VPN systems due to misconfigurations and weak credentials, and identified a number of legacy systems still in use. Can you believe Windows Server 2003 systems, out of extended support since July 2015, are still in production? It's a hacker's dream come true!

We also identified a large number of out-of-date technologies in use, such as old PHP, WordPress, FTP and SSH versions.

SSL and certificate-based vulnerabilities were also very common, with most organisations assessed still accepting SSLv2, SSLv3 and TLS 1.0, and therefore exposed to the associated POODLE and DROWN attacks, as well as other well-publicised vulnerabilities such as GHOST.

On average, the organisations we assessed had 1.3 'critical'-rated vulnerabilities on internet-facing services. Additionally, most organisations had a large amount of information leakage and firewall misconfigurations allowing unauthorised access to internal systems.

Remember folks, it's best practice to decommission all legacy systems and ensure operating systems, applications and all services (especially internet-facing ones) are regularly updated and maintained to remove them as an avenue for attack.
THE BIGGER THEY ARE, THE HARDER THEY FALL
In organisations with tens of thousands of users, it's very hard for IT to become aware that a user has clicked on a link or given out a password. This is exactly why we advocate a layered approach to security.

The systems in use should alert on at least one of the layers, so that organisations are not relying on reactive information (such as a user's report after the fact) to learn of an intrusion. Endpoint protection should detect malware; applications should be secured and whitelisting should be in place to prevent untrusted apps from running; web filtering should proxy outbound traffic and block direct connections to IPs and known command-and-control (C2) servers; and behavioural analytics should alert when somebody who generally works 9am to 5pm is logging in at 2am.
PASSWORDS — THE KEYS TO THE KINGDOM
We completed a number of password audits for our clients during 2016, and performed countless password spray and dictionary attacks against various perimeter and internal systems. What did all the compromised systems have in common? Weak passwords.

We deem 'high risk' passwords to be those that use common words (found in a dictionary), are easy to guess, or use fewer than 9 characters. In today's world, anything below 9 characters is considered high risk.

Our engagement statistics identified that 45% of passwords used within organisations are high risk, a staggering (and, to be honest, scary) statistic.

Common passwords we saw:

Days of the week: Monday, Tuesday, Wednesday... and for good measure variations including the current year, such as Monday2016, Monday16, Tuesday2016, Tuesday16.

Months of the year: January, February, March, Jan, Feb, Mar, and don't forget to add the current year to these too.

Seasons: Summer, Autumn, Winter, Spring, again with the year to mix things up.

The name of the company or its functions/products: this one topped the cake, with nearly every engagement encompassing at least one password related to the company's name.

Password and welcome: yes, they are still around, but in very small doses (thankfully). It was great to see users finally moving away from these passwords and other common choices such as 'Qwerty'.

As always, organisations should ensure they are using multi-factor authentication across all perimeter-facing services. They should also enforce passwords of 9 or more characters, encourage users to avoid the common patterns flagged above, and require that passwords differ across systems.
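The patterns listed above are exactly what a password audit should flag automatically. The following is an added example (not Kiandra's audit tooling) that scores a cracked-password list against the bulletin's criteria: under 9 characters, a day/month/season with an optional year, the company's name or products, and dictionary or common words after undoing the usual '@' for 'a' style substitutions. The sample passwords, company terms and the in-line wordlist are constructed; a real audit would load a proper dictionary.

```python
"""Flag high-risk passwords from a password audit, using the bulletin's criteria.

Added example, not Kiandra's audit tooling. The password list, company terms
and the tiny in-line wordlist are constructed sample data (a real audit would
load a proper dictionary such as rockyou.txt)."""
import re

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july", "august",
          "september", "october", "november", "december",
          "jan", "feb", "mar", "apr", "jun", "jul", "aug", "sept", "sep", "oct", "nov", "dec"]
SEASONS = ["summer", "autumn", "winter", "spring"]
COMMON = {"password", "welcome", "qwerty", "letmein", "changeme"}
MIN_LENGTH = 9          # the bulletin's threshold: fewer than 9 characters is high risk

# Monday2016, Tuesday16, Summer2016!, Jan16 ... : calendar word, optional year, optional symbol.
CALENDAR_RE = re.compile(r"^(?:%s)(?:\d{2}|\d{4})?[!@#$%%^&*._-]?$" % "|".join(DAYS + MONTHS + SEASONS))
# Strip the digits/symbols people bolt onto the end to satisfy complexity rules.
SUFFIX_RE = re.compile(r"[\d!@#$%^&*._-]+$")
# Undo common substitutions so P@ssw0rd is judged as "password".
LEET = str.maketrans("@0413$57", "aoaiesst")


def audit_password(pw, company_terms, wordlist):
    """Return the reasons a password is high risk; an empty list means it passed."""
    reasons = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if CALENDAR_RE.match(lower):
        reasons.append("day, month or season with optional year")
    base = SUFFIX_RE.sub("", lower).translate(LEET)    # P@ssw0rd1 -> password
    if any(t.lower() in lower or t.lower() in base for t in company_terms):
        reasons.append("contains company name or product")
    if base in COMMON or base in wordlist:
        reasons.append("dictionary or common word")
    return reasons


def audit(passwords, company_terms, wordlist):
    """Summarise an audit the way the bulletin reports it: share of high-risk passwords."""
    findings = {pw: audit_password(pw, company_terms, wordlist) for pw in passwords}
    high = sum(1 for r in findings.values() if r)
    pct = round(100.0 * high / len(passwords), 1) if passwords else 0.0
    return {"total": len(passwords), "high_risk": high, "high_risk_pct": pct, "findings": findings}


# Constructed sample: what a cracked-hash list from a domain audit tends to look like.
SAMPLE_PASSWORDS = ["Monday2016", "Tuesday16", "Acme2016!", "P@ssw0rd", "Summer16",
                    "Welcome1", "Sunshine2016", "correct horse battery staple"]
SAMPLE_COMPANY_TERMS = ["Acme", "AcmePay"]           # constructed company name / product
SAMPLE_WORDLIST = {"football", "dragon", "monkey", "sunshine", "princess"}

if __name__ == "__main__":
    report = audit(SAMPLE_PASSWORDS, SAMPLE_COMPANY_TERMS, SAMPLE_WORDLIST)
    print("%d of %d high risk (%.1f%%)" % (report["high_risk"], report["total"], report["high_risk_pct"]))
    for pw, reasons in report["findings"].items():
        print("%-30s %s" % (pw, "; ".join(reasons) or "OK"))
```

The suffix strip matters: nearly every 'Monday2016!' or 'Welcome1' only exists because a complexity policy demanded a digit or symbol, so the audit judges the word that is left once those are removed.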
PASSWORD COMPLEXITY
It was amazing to find that a number of organisations are still not utilising appropriate password complexity requirements. Password complexity has been around for a long time, and although these requirements are limited, they do impose a minimum password length of 8 characters, the use of upper case and special characters, and other requirements such as password history. If you are not using this configuration, it's time you adopted it.

We were surprised to identify a number of organisations still using six-character passwords! Unsurprisingly these passwords were not overly complex, and the IT departments had not configured correct lockout settings, allowing attackers to run dictionary attacks against user passwords all day if they wanted to.

It is imperative that users are utilising complex passwords of 9 or more characters.
[Figure: password audit results: high risk 45%, medium risk 4%, low risk 41%.]

HOT TIP: spaces are a great way to increase complexity, where the system accepts them!

CROSS-SITE SCRIPTING (XSS) – THE FLAVOUR OF 2016
We assessed a multitude of web applications, and it was great to see that SQL injection (SQLi) is finally disappearing off the vulnerability map, with only one application we assessed being vulnerable to it. Cross-Site Scripting (XSS), another critical vulnerability, seemed to be the flavour of the year: 50% of our web application assessments encountered it. XSS puts end users at risk because a phishing link can leverage the trusted website to run attacker-controlled script in the victim's browser, stealing sessions or credentials.

Chances are you heard about the 2016 Australian Red Cross Blood Service hack, Australia's largest ever leak of personal information. Do you think the Red Cross is in the minority in having sensitive data exposed on its website? The answer is definitely no. Across our engagements we identified 39% of web applications as having unrestricted access to files and/or directories, with directory browsing enabled.

In some engagements we found default files and directories, database backups, logins to systems and even payment card data stored on websites and web servers.
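Finding the exposures described above (directory listings, backups, configuration files) is a matter of requesting a short list of well-known paths and looking at what comes back. The following is an added example (not Kiandra's tooling) that does this with a pluggable fetcher: fake_fetch serves a constructed sample site so it runs offline, and http_fetch is a standard-library fetcher for use against hosts you are authorised to test. The candidate path list and the detection patterns are our own.

```python
"""Look for directory listings and commonly exposed files on a web host.

Added example, not the bulletin's tooling. CANDIDATE_PATHS, the sample site
and fake_fetch are constructed; http_fetch is a real (standard-library) fetcher."""
import re
import urllib.error
import urllib.request

# Paths worth trying on almost any stack; extend per framework (constructed list).
CANDIDATE_PATHS = ["/", "/backup/", "/uploads/", "/backup.sql", "/db.sql.gz",
                   "/.git/HEAD", "/.env", "/phpinfo.php", "/web.config", "/wp-config.php.bak"]

# Apache "Index of", nginx/Python autoindex, IIS "host - /path/" directory browsing.
LISTING_RE = re.compile(r"<title>\s*Index of /|Directory listing for /|<title>[^<]*- /[^<]*</title>", re.I)
SENSITIVE_RE = {
    "git repository": re.compile(r"^ref: refs/"),
    "env file": re.compile(r"^[A-Z_]+=", re.M),
    "sql dump": re.compile(r"CREATE TABLE|INSERT INTO", re.I),
    "phpinfo": re.compile(r"PHP Version", re.I),
    "config with credentials": re.compile(r"(password|connectionString)\s*[=:]", re.I),
}


def classify(path, status, body):
    """One finding string for a 200 response that looks like a listing or a secret, else None."""
    if status != 200:
        return None
    if path.endswith("/") and LISTING_RE.search(body):
        return "directory listing enabled at %s" % path
    for label, rx in SENSITIVE_RE.items():
        if rx.search(body):
            return "%s exposed at %s" % (label, path)
    return None


def scan(base_url, fetch, paths=CANDIDATE_PATHS):
    """fetch(url) -> (status, body). Returns the findings in path order."""
    findings = []
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        finding = classify(path, status, body)
        if finding:
            findings.append(finding)
    return findings


def http_fetch(url, timeout=10):
    """Real fetcher for authorised testing: returns (status, first 64 KiB of body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


# Constructed sample site standing in for a shared host with a backup folder left open.
SAMPLE_SITE = {
    "/backup/": (200, "<html><head><title>Index of /backup</title></head><body>"
                      "<a href=\"customers.sql\">customers.sql</a></body></html>"),
    "/backup.sql": (200, "-- MySQL dump\nCREATE TABLE customers (id int, card_no text);\n"
                         "INSERT INTO customers VALUES (1, '4111111111111111');\n"),
    "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "/web.config": (403, ""),
}
SAMPLE_BASE = "https://example.test"


def fake_fetch(url):
    """Offline stand-in for http_fetch, serving SAMPLE_SITE."""
    return SAMPLE_SITE.get(url[len(SAMPLE_BASE):], (404, "Not Found"))


if __name__ == "__main__":
    for line in scan(SAMPLE_BASE, fake_fetch):
        print(line)
```

A 403 on /web.config is the expected outcome and is not reported; the point is to surface what the server hands out with a 200. On a real engagement, feed scan() the same path list against every virtual host on the server, since shared hosts leak through neighbours' sites as often as through the client's own.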
SSL and session-based vulnerabilities were also very common, mainly due to SSLv2, SSLv3 and TLS 1.0 usage.
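Both the perimeter section above and this paragraph come down to the same check: does the server still negotiate SSLv2, SSLv3 or TLS 1.0? The following is an added example (not code from the bulletin or from Kiandra) that sends a raw ClientHello per version and parses the reply, so the answer does not depend on which legacy protocols the local OpenSSL build was compiled with; the SSLv2 probe uses that protocol's separate record format. The hostname and port are placeholders; run it only against systems you are authorised to test.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate.

Added example, not code from the bulletin. Builds raw ClientHello records so
the result does not depend on what the local OpenSSL build still supports.
The target host/port are placeholders (assumption: you are authorised)."""
import os
import socket
import struct

# Version words as they appear on the wire.
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
WEAK = ("SSLv2", "SSLv3", "TLSv1.0")   # what the bulletin says should be gone

# A handful of widely deployed suites (AES-GCM, AES-CBC, 3DES, RC4); enough for
# a version probe, since we only care whether a ServerHello comes back.
CIPHER_SUITES = [0xC02F, 0xC030, 0x009C, 0x002F, 0x0035, 0x000A, 0x0005]


def build_client_hello(version):
    """TLS record (type 0x16) carrying a ClientHello (type 0x01) for `version`."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", version)            # client_version
            + os.urandom(32)                      # random
            + b"\x00"                             # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                        # compression methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # 3-byte length
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_server_response(data):
    """('accepted', version) for a ServerHello, ('alert', code) for a TLS alert,
    ('unknown', None) otherwise. Record header is 5 bytes, handshake header 4."""
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        return "accepted", struct.unpack("!H", data[9:11])[0]
    if len(data) >= 7 and data[0] == 0x15:
        return "alert", data[6]
    return "unknown", None


def build_sslv2_client_hello():
    """SSLv2 has its own framing: 2-byte length with the high bit set, then
    msg type 0x01, version 0x0002, cipher-spec/session-id/challenge lengths."""
    specs = bytes.fromhex("0100800200800300800400800500800600400700c0")   # 7 SSLv2 specs
    challenge = os.urandom(16)
    msg = (b"\x01\x00\x02" + struct.pack("!HHH", len(specs), 0, len(challenge))
           + specs + challenge)
    return struct.pack("!H", 0x8000 | len(msg)) + msg


def is_sslv2_server_hello(data):
    """An SSLv2 server answers with msg type 0x04 after its 2-byte header."""
    return len(data) >= 3 and bool(data[0] & 0x80) and data[2] == 0x04


def probe(host, port=443, timeout=5):
    """Open one connection per version and record whether it was negotiated."""
    results = {}
    for name, ver in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_client_hello(ver))
                status, detail = parse_server_response(s.recv(4096))
            results[name] = status == "accepted" and detail == ver
        except OSError:
            results[name] = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sslv2_client_hello())
            results["SSLv2"] = is_sslv2_server_hello(s.recv(4096))
    except OSError:
        results["SSLv2"] = False
    return results


def weak_versions(results):
    """The accepted versions that should be disabled (POODLE: SSLv3, DROWN: SSLv2)."""
    return [v for v in WEAK if results.get(v)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    found = probe(target)
    print(found, "weak:", weak_versions(found))
```

A server that answers a TLS 1.0 hello with a ServerHello carrying 0x0301 is accepting TLS 1.0; one that replies with a protocol_version alert (code 70) or simply drops the connection has it disabled. The probe deliberately offers a single version per connection: a normal client offers its highest and lets the server choose, which says nothing about the floor the server still accepts.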
If you are aware of the OWASP Top 10* (2013 edition), the majority of the issues we identified this year fall into A2, A3, A5, A6, A7 and A8.

As a rule, organisations need to ensure that they are always following secure coding practices and undertaking regular penetration testing and patch management of their applications.
WHAT ABOUT MY HOST?
Another problem we often find is that the web application is secure, but the host it runs on exposes a large amount of risk. This is especially prevalent with shared hosting providers.

Web hosting providers were frequently found to be running out-of-date software such as Apache, PHP, Joomla! and WordPress, as well as a large number of unnecessary open ports and services. This exposes their clients to a large number of vulnerabilities and potential exploitation avenues. We also identified insufficient WAF/detection systems protecting these sites.

Where possible, we advise that clients run on a dedicated web host with regular patch management of all web technologies, operating systems and back-end databases. In addition, only limited, essential services should be exposed to the internet, and a web application firewall (WAF) or upstream filtering should be in place to detect and block application-layer attacks.
* OWASP is an open community dedicated to enabling organisations to conceive, develop, acquire, operate and maintain applications that can be trusted. The OWASP Top 10 represents a broad consensus about what the most critical web application security flaws are; visit https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project for more.

DETECTION AND ALERTING
Detection and alerting continues to be a problem area for the majority of organisations we assessed.

A large number of reconnaissance attacks, as well as exploit-based, web and password attacks, were performed against these organisations with no detection or any form of alerting that an event was occurring. Where there was a level of alerting in place, it was usually too little, too late. In some engagements we were able to get in and out in under 24 hours (minus 8-odd hours for sleep) with the entire network compromised and all data obtained. It is therefore imperative that organisations can detect and respond as quickly as possible to cyber events.

Some organisations had logging or collation systems in place, however review was typically a manual, ad-hoc process. Additionally, after our initial entry into a number of organisations, we saw a lack of internal alerting for activity such as privilege escalation, port scans and lateral movement as we moved through the network.
Organisations need to place an emphasis on event collation and behavioural analysis, with reputation checking against that data. We also advocate the use of threat intelligence services such as ThreatConnect (threatconnect.com) and the implementation of a security information and event management (SIEM) product or similar solution, to monitor both the internal network and the perimeter.

Intrusion Prevention Systems (IPS) are also a must for all organisations, as they mitigate attacks in real time. We commonly encountered organisations with no or insufficient IPS protection. Organisations need to ensure that the IPS they have in place complements the defence-in-depth strategy and is configured correctly. Just configuring an IPS to alert on critical events and exploits is no longer enough. For example, an organisation may have invalid password attempts flagged as low or even informational. However, if your organisation is not using MFA and a malicious hacker can run 1,000 password attempts (without you being alerted) and successfully establish an entry point into the network via a weak password, this is a big problem. Organisations should know after the first five attempts that something malicious could be afoot, not wait for 1,000-plus attempts.
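The five-attempts rule above is simple to implement on top of whatever logs you already collect. The following is an added example (not from the bulletin or any SIEM product it mentions) that reads OpenSSH-style syslog lines and raises an alert on the fifth failure against one account within ten minutes, on a spray (one source trying five or more different accounts), and, most importantly, on a successful login that follows a brute-force alert. The log lines are constructed; the ten-minute window and the spray threshold are our assumptions.

```python
"""Alert on password guessing from authentication logs after a handful of failures.

Added example, not the bulletin's or any vendor's detection content. Log lines
are constructed in OpenSSH syslog style; the brute-force threshold is the
bulletin's "five attempts", the spray rule and 10-minute window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<kind>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
YEAR = 2016                     # syslog timestamps carry no year (assumed)
WINDOW = timedelta(minutes=10)
BRUTE_THRESHOLD = 5             # failures for one account from one source
SPRAY_THRESHOLD = 5             # distinct accounts tried from one source


def parse_line(line):
    """(timestamp, 'Failed'|'Accepted', user, source_ip), or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("kind"), m.group("user"), m.group("src")


def detect(lines):
    """Return alerts as (kind, subject, count, first_seen, last_seen), in time order.

    brute:               >= BRUTE_THRESHOLD failures for one (user, src) within WINDOW
    spray:               one src failing against >= SPRAY_THRESHOLD users within WINDOW
    success_after_brute: a successful login for a (user, src) that already tripped 'brute'
    """
    events = sorted(e for e in map(parse_line, lines) if e)
    per_pair, per_src = defaultdict(deque), defaultdict(deque)
    alerts, fired = [], set()
    for ts, kind, user, src in events:
        if kind == "Accepted":
            if ("brute", user, src) in fired:      # the outcome the bulletin warns about
                alerts.append(("success_after_brute", "%s@%s" % (user, src), 1, ts, ts))
            continue
        q = per_pair[(user, src)]
        q.append(ts)
        while ts - q[0] > WINDOW:                  # drop failures outside the window
            q.popleft()
        if len(q) >= BRUTE_THRESHOLD and ("brute", user, src) not in fired:
            fired.add(("brute", user, src))
            alerts.append(("brute", "%s@%s" % (user, src), len(q), q[0], ts))
        s = per_src[src]
        s.append((ts, user))
        while ts - s[0][0] > WINDOW:
            s.popleft()
        users = {u for _, u in s}
        if len(users) >= SPRAY_THRESHOLD and ("spray", src) not in fired:
            fired.add(("spray", src))
            alerts.append(("spray", src, len(users), s[0][0], ts))
    return alerts


# Constructed sample: a brute force that succeeds, then a spray from a second source.
SAMPLE_LOG = """\
Mar 3 02:01:10 vpn1 sshd[4101]: Failed password for jsmith from 203.0.113.7 port 51022 ssh2
Mar 3 02:01:14 vpn1 sshd[4101]: Failed password for jsmith from 203.0.113.7 port 51022 ssh2
Mar 3 02:01:19 vpn1 sshd[4102]: Failed password for jsmith from 203.0.113.7 port 51023 ssh2
Mar 3 02:01:25 vpn1 sshd[4102]: Failed password for jsmith from 203.0.113.7 port 51023 ssh2
Mar 3 02:01:31 vpn1 sshd[4103]: Failed password for jsmith from 203.0.113.7 port 51024 ssh2
Mar 3 02:01:40 vpn1 sshd[4104]: Accepted password for jsmith from 203.0.113.7 port 51025 ssh2
Mar 3 02:10:02 vpn1 sshd[4201]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 3 02:10:05 vpn1 sshd[4202]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar 3 02:10:08 vpn1 sshd[4203]: Failed password for invalid user carol from 198.51.100.9 port 40003 ssh2
Mar 3 02:10:11 vpn1 sshd[4204]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Mar 3 02:10:14 vpn1 sshd[4205]: Failed password for erin from 198.51.100.9 port 40005 ssh2
Mar 3 09:15:00 vpn1 sshd[5001]: Failed password for frank from 192.0.2.44 port 33000 ssh2
"""

if __name__ == "__main__":
    for kind, subject, count, first, last in detect(SAMPLE_LOG.splitlines()):
        print("%-20s %-22s n=%d %s..%s" % (kind, subject, count, first.time(), last.time()))
```

Note that the spray rule is the one a per-account lockout policy does nothing about: each account sees a single failure, so only correlating by source catches it. The single failure for frank at 09:15 produces nothing, which is the point of a threshold.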
INCIDENT RESPONSE AND INSURANCE

We are often tasked with assessing how IT or the security/operations teams respond to attacks. What we commonly find is that although organisations have incident response policies and associated procedures in place, these tend to cover PR, legal and environmental disasters rather than cyber attacks and related issues. As a result, when IT or operations become aware of something 'not right', the typical response involves sending around an email asking 'does this look right to you?', 'is such and such making a change?', or 'this is probably a false alarm, I'll deal with it if it comes up again'. With no procedure in place they don't know how to detect and contain a malicious threat actor, and by the time they realise the threat is real, it's usually too late.

In a real breach, seconds and minutes matter.

Organisations need to focus on how to respond to incidents, from both the detection and containment and the PR and customer response standpoints, and extend their policies and procedures through to post-breach prevention.

It's great to see that a number of organisations are now taking up cyber insurance policies. In the event of a breach, cyber insurance can be the difference between a company closing its doors and a company remaining operational. It also gives organisations access to a whole network of security professionals and organisations to help respond to, contain and remediate the situation as quickly as possible. We believe this is a must for every business, but you need to do your research and understand what you're covered for, and what you're not.

WRAPPING UP

It's not all doom and gloom! For the second year running we are seeing security slowly make its way to the forefront of budgets, and companies are now accepting that when it comes to cyber attacks it's not a matter of 'if', it's a matter of 'when'. Companies continue to invest in security, which is promising, but it is of the utmost importance that those funds are appropriately distributed. Nothing minimises the risk and maximises the security results like having a trained security professional undertake a comprehensive assessment of an organisation's systems each year, complemented by end-user awareness training. This proactive, diligent approach to security ensures that the systems in place are doing what they are supposed to, and identifies any gaps.

If you would like to find out what your security posture looks like, please contact us, we'd love to have a chat.

Dan Weis – Security Specialist, Kiandra IT
For more information on our services, call Kiandra today on 1300 800 [email protected]

MELBOURNE HEAD OFFICE
Level 28, 570 Bourke St, Melbourne VIC 3000, Australia
Ph: 03 9691 0500 Fax: 03 9691 0599