2017 SECURITY BULLETIN

2016: THE YEAR IN REVIEW

Dan Weis – Security Specialist, Kiandra IT

2016: IN SUMMARY

Every year we work with a variety of organisations as their trusted IT security provider, delivering a full suite of security services, including penetration testing and security awareness training. Security is in our DNA. We love working with our clients to help them manage and improve their security posture, allowing them to get back to what it is that they do best and not have to worry about the ever-changing threat landscape.

With the year at a close, we’d like to take the opportunity to share some common themes and findings that we have observed in our engagements throughout 2016, and where organisations should be focusing their efforts in order to have the best possible defence against threats in the future.

In 2016 our security engagements were varied – from small business through to global organisations spanning 22,000 plus staff. We worked with organisations from the following verticals:

• Education
• Engineering
• Environment and manufacturing
• Finance and superannuation
• Government
• Insurance
• Medical
• Professional services
• Property and commercial real estate
• Retail
• Software and technology
• Sporting and events
• Travel and tourism
• Not-for-profit and volunteer

SECURITY BULLETIN - 2016 Year in Review (www.kiandra.com.au)


END USER AWARENESS AND PHISHING ATTACKS

We sent over 7500 emails into varied organisations for end-user awareness testing. These campaigns tested how users respond to phishing attacks, and whether they would provide us passwords or an entry point into a corporate network.

Phishing continues to be the weapon of choice for attackers, and as illustrated by the accompanying statistics, it still provides a great degree of success.

On average, our campaigns yielded an 18% success rate in click-throughs. Additionally, we found that 24% of these would provide passwords to us without a moment’s thought; some users would even give us credentials multiple times.

As a lot of organisations are using remote services such as Citrix, VPNs or Outlook Web Access without multi-factor authentication, when passwords are harvested it provides an attacker direct access to an organisation’s network.

We also found that on average, for each campaign we would receive 3.72 clicks from users in under five minutes — which is scary. This shows that an attacker could infiltrate an organisation in under five minutes.

Awareness training is an absolute must for all organisations, and this should be performed regularly, especially as part of on-boarding for new starters. Of the organisations we provided awareness training to, we saw a significant drop in success rates for phishing attacks in subsequent tests.

As always, email filtering plays an important role in preventing phishing attacks, especially if they contain malicious attachments (payloads), so organisations should first ensure the appropriate protection systems are in place and tested, and combine this with regular awareness training and endpoint protection.

WIRELESS

Of the wireless environments we assessed throughout 2016, we found that the majority were well secured, using technologies like RADIUS and certificate-based authentication and following best practice security controls. We did encounter a small number of wireless environments that had not been segmented properly, allowing people on the ‘guest’ network to access corporate resources such as DNS and corporate IP ranges. Organisations using wireless should ensure that the guest network is fully segmented, requires nothing from corporate networks (such as DNS), and allows internet access only. Captive portals are also a good idea.
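One way to audit the guest segmentation described above, as an added example that is not Kiandra's tooling: a small first-match policy checker that flags any guest allow rule reaching a corporate range, with a dependency on corporate DNS called out separately. The rule format (source, destination, port, action), the corporate ranges, the guest VLAN and both sample rule sets are constructed for illustration.

```python
"""Check that a guest wireless network is fully segmented from corporate ranges.

Added example, not Kiandra's tooling: it models the bulletin's guidance that the
guest network should require nothing from corporate networks (such as DNS) and
allow internet access only. The rule format (source, destination, port, action),
the corporate ranges and the sample rule sets are all constructed for illustration;
rules are evaluated first-match, as most firewalls do.
"""
from ipaddress import ip_network

GUEST_NET = ip_network("172.16.50.0/24")                                  # constructed guest VLAN
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # constructed ranges
ANY = ip_network("0.0.0.0/0")

# Constructed sample: a typical 'nearly right' guest policy.
LEAKY_RULES = [
    ("172.16.50.0/24", "10.1.1.53/32", 53, "allow"),   # guest may use the corporate DNS server
    ("172.16.50.0/24", "10.0.0.0/8", 0, "deny"),       # blocks 10/8, but 192.168/16 is forgotten
    ("172.16.50.0/24", "0.0.0.0/0", 443, "allow"),     # HTTPS to anywhere
    ("172.16.50.0/24", "0.0.0.0/0", 0, "allow"),       # everything else to anywhere
]

# Constructed sample: the corrected policy (deny every corporate range first, then internet).
HARDENED_RULES = [
    ("172.16.50.0/24", "10.0.0.0/8", 0, "deny"),
    ("172.16.50.0/24", "192.168.0.0/16", 0, "deny"),
    ("172.16.50.0/24", "0.0.0.0/0", 0, "allow"),
]


def guest_policy_violations(rules, guest_net=GUEST_NET, corporate_nets=CORPORATE_NETS):
    """Return [(rule_index, reason)] for every allow rule that lets guest traffic
    reach a corporate range that an earlier deny has not already shielded."""
    violations = []
    shielded = []                                  # corporate-facing denies seen so far
    for index, (src, dst, port, action) in enumerate(rules):
        src_net, dst_net = ip_network(src), ip_network(dst)
        if not src_net.overlaps(guest_net):
            continue                               # not a guest rule
        if action == "deny":
            shielded.append(dst_net)
            continue
        for corp in corporate_nets:
            if any(corp.subnet_of(s) for s in shielded):
                continue                           # this range is already fully denied
            if not dst_net.overlaps(corp):
                continue
            if dst_net == ANY:
                reason = f"allow to any destination reaches corporate range {corp}"
            elif port == 53:
                reason = f"guest relies on corporate DNS at {dst_net.network_address}"
            else:
                reason = f"guest can reach corporate range {corp}"
            violations.append((index, reason))
            break                                  # one finding per rule is enough
    return violations


if __name__ == "__main__":
    for name, rules in (("leaky", LEAKY_RULES), ("hardened", HARDENED_RULES)):
        print(name, guest_policy_violations(rules) or "no violations")
```

The ordering matters: the "allow to any destination" rule is only safe once every corporate range has an explicit deny above it, which is why the hardened set lists both denies first and the checker tracks what earlier denies have already shielded.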

[Chart summary, key statistics from the bulletin’s figures: spear phishing emails responded to 18%, no response 82%; password provided 24%, password not provided 76%; vulnerabilities by rating: critical 67%, high 23%, medium 5%, low 5%; web applications with unrestricted access to files/directories 39%, well restricted 61%.]


PERIMETER FACING NETWORKS

Over the course of 2016 we saw a positive trend of organisations placing an emphasis on securing perimeter facing systems — which we love — but we still found a number of common vulnerabilities.

Vulnerabilities are classified as “critical vulnerabilities” when they allow remote access to a system, give rise to a Denial-of-Service attack, or provide information leakage that can be used to breach a system. A large portion of these vulnerabilities are due to lapses in patch management and configuration issues.

We successfully compromised a number of VPN systems due to misconfigurations and weak credentials, and also identified a number of legacy systems in use. Can you believe Windows Server 2003 systems are still in production? It’s a hacker’s dream come true!

We also identified a large number of out-of-date technologies in use, such as PHP, WordPress, FTP and SSH versions.

SSL and certificate-based vulnerabilities were also very common, with most organisations assessed still vulnerable to SSL2, SSL3 and TLS 1.0 vulnerabilities, as well as the associated POODLE, GHOST, DROWN and similar vulnerabilities.

On average we found that all organisations assessed had at least 1.3 “critical” rated vulnerabilities on services facing the internet. Additionally, we found that most organisations had a large amount of information leakage and firewall misconfigurations, allowing for unauthorised access to internal systems.

Remember folks, it’s best practice to decommission all legacy systems and ensure operating systems, applications and all services (especially internet facing) are regularly updated and maintained to remove them as an avenue for attacks.

THE BIGGER THEY ARE, THE HARDER THEY FALL

With organisations containing tens of thousands of users, it’s very hard for IT to become aware when a user has clicked on a link or given out a password. This is the exact reason why we advocate a layered approach to security.

The systems in use should alert on at least one or several of the layers, so that organisations are not relying on reactive information. Endpoint protection should detect malware, applications should be secured and have whitelisting in place to prevent untrusted apps from running, web filtering should be proxying and restricting access direct to IPs/C2 servers, and behavioural analytics should alert when somebody who generally works 9am-5pm is logging in at 2am.
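The behavioural-analytics layer mentioned above (a 9am-5pm worker logging in at 2am), as an added example that is not Kiandra's code or any product's logic: a per-user working-hours baseline is learned from past successful logins, and new logins outside that window, or from accounts with no history yet, are reported. The log line format, user names, addresses and timestamps are all constructed.

```python
"""Behavioural check: flag logins outside a user's usual hours.

Added example, not Kiandra's code or any product's: it shows the behavioural-analytics
layer the bulletin describes (a 9am-5pm worker logging in at 2am). A window of usual
hours is learned per user from past successful logins; a new login outside that
window (allowing an hour of slack either side) is reported as off-hours, and a user
with too little history is reported as unknown. Log format, names, addresses and
timestamps are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=success$")

# Constructed history: two weeks of an office worker's logins (morning, after lunch, late afternoon).
HISTORY = [
    f"2016-11-{day:02d}T{hour:02d}:{minute:02d}:00 LOGIN user=jsmith src=10.0.4.12 result=success"
    for day in range(7, 19)
    for hour, minute in ((8, 52), (13, 5), (16, 40))
]

# Constructed events to evaluate against that baseline.
NEW_EVENTS = [
    "2016-11-21T09:03:00 LOGIN user=jsmith src=10.0.4.12 result=success",    # ordinary morning
    "2016-11-22T02:14:00 LOGIN user=jsmith src=203.0.113.7 result=success",  # 2am, external address
    "2016-11-22T02:20:00 LOGIN user=newhire src=10.0.4.40 result=success",   # no history yet
]


def parse(line):
    """Return a dict for a successful-login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "src": m["src"]}


def build_baseline(lines, min_events=10):
    """Map user -> (earliest_hour, latest_hour) seen in their login history.

    Users with fewer than min_events logins get no baseline, so a brand-new account
    is reported as 'unknown' rather than silently treated as normal."""
    hours = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            hours[ev["user"]].append(ev["ts"].hour)
    return {user: (min(h), max(h)) for user, h in hours.items() if len(h) >= min_events}


def classify(line, baseline, slack=1):
    """'normal', 'off-hours' or 'unknown' for one login line (None if unparseable)."""
    ev = parse(line)
    if ev is None:
        return None
    usual = baseline.get(ev["user"])
    if usual is None:
        return "unknown"
    earliest, latest = usual
    hour = ev["ts"].hour
    if earliest - slack <= hour <= latest + slack:
        return "normal"
    return "off-hours"


def off_hours_alerts(history, new_events):
    """Return (user, timestamp, verdict) for every new login that is not 'normal'."""
    baseline = build_baseline(history)
    alerts = []
    for line in new_events:
        verdict = classify(line, baseline)
        if verdict not in (None, "normal"):
            ev = parse(line)
            alerts.append((ev["user"], ev["ts"].isoformat(), verdict))
    return alerts


if __name__ == "__main__":
    for alert in off_hours_alerts(HISTORY, NEW_EVENTS):
        print("ALERT", *alert)
```

A real deployment would learn the window per weekday and weight it by frequency, but even this simple per-user range turns "someone logged in" into "this person logged in when they never do", which is the alert the bulletin wants raised.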


PASSWORDS — THE KEYS TO THE KINGDOM

We completed a number of password audits for our clients during 2016, and performed countless password spray and dictionary attacks against various perimeter and internal systems. What did all these compromised systems have in common? Weak passwords.

We deem “high risk passwords” as passwords that use common words (found in the dictionary), are easy to guess and use fewer than 9 characters. In today’s world, anything below 9 characters is considered high risk. Our engagement statistics identified that 45% of passwords used within organisations are high risk, a staggering (and to be honest, scary) statistic.

Common passwords we saw:

• Days of the week: Monday, Tuesday, Wednesday… and for good measure variations including the current year, such as Monday2016, Monday16, Tuesday2016, Tuesday16.
• Months of the year: January, February, March, Jan, Feb, Mar, and don’t forget to add the current year to these too.
• Seasons: Summer, Autumn, Winter, Spring, again with the year to mix things up.
• The name of the company or its functions/products: this one topped the cake, with nearly every engagement encompassing at least one password related to the company’s name.
• Password and welcome: yes, they are still around, but in very small doses (thankfully). It was great to see that users are finally moving away from these passwords and other common choices such as “Qwerty”.

As always, organisations should ensure they are using multi-factor authentication across all perimeter facing services. They should also enforce passwords of 9 or more characters and encourage users to avoid any of the common passwords flagged above and to use different passwords across systems.

Password risk across our engagements: High Risk 45%, Medium Risk 4%, Low Risk 41%.

PASSWORD COMPLEXITY

It was amazing to find that a number of organisations are still not utilising appropriate password complexity requirements. Password complexity has been around for a long time, and although these requirements are limited, they do impose a minimum 8 character password, the use of upper case and special characters, as well as other requirements (such as previous password history). If you are not using this configuration, it’s time you adopted it.

We were surprised to identify a number of organisations still using six character passwords! Unsurprisingly these passwords were not overly complex and the IT departments had not configured correct lockout settings, allowing attackers to attack user passwords using dictionary attacks all day if they wanted to.

It is imperative that users are utilising complex passwords of 9 or more characters.

HOT TIP: spaces are a great way to increase complexity!
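The “high risk” definition and the complexity policy above, turned into a checker as an added example (not Kiandra's audit tooling): it strips a trailing year or other digits before matching against day, month, season, company and generic word lists, applies the 9-character floor, and reports separately whether the classic complexity policy would have accepted the password. The word lists, the company name “Acme” and the sample passwords are constructed, and the “three of four character classes” complexity rule is an assumption; a real audit would use a full dictionary.

```python
"""Password audit against the bulletin's 'high risk' definition.

Added example, not Kiandra's audit tooling. A password is treated as high risk if
it has fewer than 9 characters or is built from a common word: a day, month or
season, the company name or product, or a generic choice such as 'password',
'welcome' or 'qwerty', with or without a year (or other digits) appended, as in
Monday2016 or Tuesday16. A separate check mirrors the classic complexity policy the
bulletin describes (8+ characters, upper case, special characters); the 'three of
four character classes' rule used here is an assumption. Word lists and sample
passwords are constructed; a real audit would use a full dictionary.
"""
import re

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july", "august",
          "september", "october", "november", "december",
          "jan", "feb", "mar", "apr", "jun", "jul", "aug", "sep", "oct", "nov", "dec"]
SEASONS = ["summer", "autumn", "winter", "spring"]
GENERIC = ["password", "welcome", "qwerty", "letmein"]
TRAILING_DIGITS = re.compile(r"\d{1,4}$")          # strips 2016, 16, 1, 123 ...
TRAILING_PUNCT = "!@#$%^&*.?_-"

# Constructed sample set; 'Acme' stands in for the audited company's name.
SAMPLE_PASSWORDS = ["Monday2016", "Summer16", "Acme2016!", "Welcome1",
                    "Xq7!pL2", "Blue kettle 7 sings!"]


def base_word(password):
    """Lower-case the password and strip trailing punctuation and digits."""
    core = password.lower().rstrip(TRAILING_PUNCT)
    return TRAILING_DIGITS.sub("", core)


def high_risk_reasons(password, company_words=(), dictionary=()):
    """Return the reasons a password is high risk; an empty list means it is not."""
    reasons = []
    if len(password) < 9:
        reasons.append("fewer than 9 characters")
    base = base_word(password)
    word_lists = (
        ("day of the week", DAYS),
        ("month", MONTHS),
        ("season", SEASONS),
        ("generic password", GENERIC),
        ("company name/product", [w.lower() for w in company_words]),
        ("dictionary word", [w.lower() for w in dictionary]),
    )
    for label, words in word_lists:
        if base in words:
            reasons.append(f"{label} '{base}' (with optional year suffix)")
            break
    return reasons


def meets_complexity(password):
    """Classic policy: at least 8 characters and three of four character classes
    (upper, lower, digit, other); the three-of-four rule is an assumption."""
    classes = [re.search(p, password) is not None
               for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")]
    return len(password) >= 8 and sum(classes) >= 3


def audit(passwords, company_words=(), dictionary=()):
    """Audit a list of passwords and report the share that is high risk."""
    results = []
    for pw in passwords:
        reasons = high_risk_reasons(pw, company_words, dictionary)
        results.append({"password": pw, "high_risk": bool(reasons),
                        "reasons": reasons, "complexity_ok": meets_complexity(pw)})
    high = sum(r["high_risk"] for r in results)
    return {"results": results,
            "high_risk_percent": round(100 * high / len(passwords), 1) if passwords else 0.0}


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWORDS, company_words=("Acme",))
    for r in report["results"]:
        print(f"{r['password']!r:26} high_risk={r['high_risk']!s:5} "
              f"complexity_ok={r['complexity_ok']!s:5} {'; '.join(r['reasons'])}")
    print("high risk:", report["high_risk_percent"], "%")
```

Note what the sample shows: Monday2016 and Welcome1 both satisfy the classic complexity policy yet are still high risk, which is why the bulletin treats complexity as a floor rather than a finish line, while the passphrase with spaces passes both checks.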


CROSS-SITE SCRIPTING (XSS) – THE FLAVOUR OF 2016

We assessed a multitude of web applications and it was great to see that SQL injection (SQLi) is finally disappearing off the vulnerability map, with only one application we assessed being vulnerable to SQLi. Cross-Site Scripting (XSS) is another critical vulnerability that seemed to be the flavour of the year. 50% of our web application assessments encountered this vulnerability, which puts end-users at risk via phishing attacks leveraging the website.

Chances are you heard about the 2016 Red Cross Blood Services hack — Australia’s largest ever leak of personal information. Do you think that the Red Cross is in the minority that have sensitive data exposed on their website? The answer is definitely no. Across our engagements we identified 39% of all web applications as having unrestricted access to files and/or directories with directory browsing enabled.

In some engagements, we have found default files and directories, database backups, logins to systems and even payment card data stored on websites/webservers.

SSL/session based vulnerabilities were also very common, mainly due to SSL2, SSL3 and TLS 1.0 usage.

If you are aware of the OWASP Top 10*, the majority of issues we identified this year fall into A2, A3, A5, A6, A7 and A8.

As a rule, organisations need to ensure that they are always following secure coding practices and undertaking regular penetration testing and patch management of their apps.
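The XSS finding above, shown as the vulnerable rendering beside its hardened form, as an added example that is not code from the bulletin or from any application it assessed: a search page echoes the query in a heading and in a quoted attribute, and the only difference between the two versions is escaping at the point of output. The page template, the probe string and the tag check are constructed for illustration.

```python
"""Reflected XSS: the vulnerable rendering beside the hardened one.

Added example, not code from the bulletin or from any application it assessed. A
search page echoes the user's query back in two HTML contexts (a heading and a
quoted attribute value). Building the HTML by string substitution lets a crafted
query inject markup; escaping the value at the point of output, with quotes
escaped too, neutralises it. The template, probe string and tag check are
constructed for illustration.
"""
import re
from html import escape

# Constructed page template; only <h1> and <input> belong to the page itself.
TEMPLATE = '<h1>Results for: {q}</h1>\n<input name="q" value="{q}">'
PAGE_TAGS = {"h1", "input"}
# Constructed probe: closes the attribute, then opens a script tag.
PROBE = "\"><script>alert('xss')</script>"


def render_vulnerable(query):
    """Raw user input is substituted straight into the HTML."""
    return TEMPLATE.format(q=query)


def render_hardened(query):
    """The same page with the value escaped for HTML text and attribute contexts."""
    return TEMPLATE.format(q=escape(query, quote=True))


def injected_tags(html):
    """Return tag names in the rendered page that the template did not put there."""
    found = re.findall(r"<\s*([A-Za-z][A-Za-z0-9]*)", html)
    return [t.lower() for t in found if t.lower() not in PAGE_TAGS]


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(PROBE)
        print(f"--- {label}: injected tags = {injected_tags(page)}")
        print(page)
```

The attribute context is why `quote=True` matters: escaping only `<` and `>` would still let a stray `"` close the `value` attribute. Template engines that auto-escape do this by default; the risk appears when output is assembled by hand, as in `render_vulnerable`.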

WHAT ABOUT MY HOST?

Another problem that we often find is that the web application will be secure, but the actual host it is running on exposes a large amount of risk. This is especially prevalent with shared hosting providers.

Web hosting providers were frequently found to have out-of-date services, such as Apache, PHP, Joomla! and WordPress, as well as a large number of unnecessary open ports and services. This exposes their clients to a large number of vulnerabilities and potential exploitation avenues. We also identified insufficient WAF/detection systems in place protecting these sites.

Where possible, we advise that clients run on a dedicated web host with regular patch management completed against all web technologies, operating systems and back end databases. In addition, we advise that only limited, essential services are exposed to the internet, and a web application firewall (WAF) or upstream filtering is in place to detect and block application layer attacks.


* OWASP is an open community dedicated to enabling organisations to conceive, develop, acquire, operate and maintain applications that can be trusted. The OWASP Top 10 represents a broad consensus about what the most critical web application security flaws are; visit https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project for more.


DETECTION AND ALERTING

Detection and alerting continues to be a problem area for the majority of organisations that we assessed.

A large number of reconnaissance based attacks, as well as exploit based, web and password attacks, were performed against these organisations with no detection or any form of alerting advising that an event was occurring. Unfortunately, where there was some level of alerting in place, it was usually too little, too late. In some engagements we were able to get in and out in under 24 hours (minus 8-odd hours for sleep) with the entire network compromised and all data obtained. As a result, it is imperative that organisations can detect and respond as quickly as possible to cyber events.

Some organisations had logging or collation systems in place; however, this was typically a manual process and very ad hoc. Additionally, upon initial entry into a number of organisations, we saw a lack of internal alerting for attacks like privilege escalation, port scans and lateral movement as we moved through the network.

Organisations need to place an emphasis on event collation and behavioural analysis, with reputation checking against that data. We also advocate the use of services such as Threatconnect (threatconnect.com) and the implementation of a security information and event management (SIEM) product or similar solution, to monitor both the internal network and the perimeter.

Intrusion Prevention Systems (IPS) are also a must for all organisations as they mitigate attacks in real time. We commonly encountered organisations with no or insufficient IPS protection. Organisations need to ensure that the IPS they have in place complements the defence-in-depth strategy and is configured correctly. Just configuring an IPS to alert on critical events and exploits is no longer enough.

For example, an organisation may have invalid password attempts flagged as low or even informational. However, if your organisation is not using MFA, and a malicious hacker can run 1000 password attacks (without you being alerted) and successfully establish an entry point into the network via a weak password, this can be a big problem. Organisations should know after the first five attempts that something malicious could be afoot — not wait for 1000 plus attempts.
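The “alert after five attempts, not a thousand” rule above as detection logic, added here as an example that is not Kiandra's code or any SIEM or IPS rule: it runs over constructed authentication log lines and fires on two patterns within a sliding window, many failures against one account (brute force) and one source failing against many accounts (the password spray the bulletin mentions, which per-account lockout alone does not catch). The log format, addresses, user names and timestamps are constructed.

```python
"""Alert on failed logins after five attempts, not a thousand.

Added example, not Kiandra's code or any SIEM/IPS rule: it applies the bulletin's
point that invalid password attempts deserve an alert after the first five. Two
patterns are tracked over a sliding window: many failures against one account
(brute force) and one source failing against many accounts (password spray, which
per-account lockout alone does not catch). The log format, addresses, user names
and timestamps are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
THRESHOLD = 5                       # alert on the fifth failure, as the bulletin suggests
WINDOW = timedelta(minutes=10)

SAMPLE_LOG = (
    # one source hammers one account: six failures in six minutes
    [f"2016-09-12T02:1{i}:00 src=198.51.100.9 user=alice result=FAIL" for i in range(6)]
    # one source tries one guess against six different accounts: a spray
    + [f"2016-09-12T03:0{i}:00 src=203.0.113.5 user=user{i} result=FAIL" for i in range(6)]
    # bob mistypes twice and then gets in: no alert
    + ["2016-09-12T09:00:10 src=10.0.4.12 user=bob result=FAIL",
       "2016-09-12T09:00:25 src=10.0.4.12 user=bob result=FAIL",
       "2016-09-12T09:00:40 src=10.0.4.12 user=bob result=OK"]
)


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (timestamp, kind, subject, detail), each fired once."""
    per_user = defaultdict(deque)       # user -> timestamps of recent failures
    per_source = defaultdict(deque)     # src  -> (timestamp, user) of recent failures
    alerts, fired = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        ts, src, user = datetime.fromisoformat(m["ts"]), m["src"], m["user"]

        q = per_user[user]
        q.append(ts)
        while ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ("bruteforce", user) not in fired:
            fired.add(("bruteforce", user))
            alerts.append((ts.isoformat(), "bruteforce", user, f"{len(q)} failures from {src}"))

        s = per_source[src]
        s.append((ts, user))
        while ts - s[0][0] > window:
            s.popleft()
        targets = {u for _, u in s}
        if len(targets) >= threshold and ("spray", src) not in fired:
            fired.add(("spray", src))
            alerts.append((ts.isoformat(), "spray", src, f"{len(targets)} accounts tried"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", *alert)
```

The spray rule is the one most IPS default profiles miss: each account sees a single failure, well under any lockout threshold, so only a per-source view of distinct targets reveals it. Both alerts here fire on the fifth event, minutes before the attempts reach the hundreds.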


INCIDENT RESPONSE AND INSURANCE

We are often tasked with assessing how IT or the security/operations teams respond to attacks. What we commonly find is that although organisations have incident response policies in place and associated procedures, these tend to be for PR, legal and environmental disasters rather than for cyber attacks and related issues. As a result, when IT or operations become aware of something “not right”, the typical response involves sending around an email asking “does this look right to you?”, “is such and such making a change?”, “this is probably a false alarm, I’ll deal with it if it comes up again”. As there is no procedure in place they don’t know how to detect and contain a malicious threat actor, and when they realise the threat is real, it’s usually too late.

In a real breach, seconds and minutes matter.

Organisations need to place a focus on how to respond to incidents, from both detection and containment, and PR and customer response standpoints, and extend their policies and procedures through to post-breach prevention.

It’s great to see that a number of organisations are now taking up cyber insurance policies. In the event of a breach, cyber insurance can be the difference between a company closing its doors and a company remaining operational. It also provides organisations with access to a whole network of security professionals and organisations to help respond to and contain the situation (and remediate) as quickly as possible. We believe this is a must for every business, but you need to do your research and understand what you’re covered for — and what you’re not.

WRAPPING UP

It’s not all doom and gloom! Again, for the second year running, we are seeing security slowly make its way to the forefront of budgets, and companies are now accepting that when it comes to cyber attacks, it’s not a matter of “if”, it’s a matter of “when”.

Companies continue to invest in security, which is promising, but it is of the utmost importance that those funds are appropriately distributed. Nothing minimises the risk and maximises the security results like having a trained security professional undertake a comprehensive assessment of an organisation’s systems each year, complemented by end-user awareness training. This proactive, diligent approach to security ensures that the systems they have in place are doing what they are supposed to and identifies any gaps.

If you would like to find out what your security posture looks like, please contact us, we’d love to have a chat.

Dan Weis – Security Specialist, Kiandra IT

For more information on our services, call Kiandra today on 1300 800 [email protected]

MELBOURNE HEAD OFFICE
Level 28, 570 Bourke St, Melbourne VIC 3000, AUSTRALIA
Ph: 03 9691 0500 Fax: 03 9691 0599