Common Weak Links in Your Security Posture

cyber security internet and networking concept.Businessman hand working with VR screen padlock icon on laptop computer and digital tablet
An internet security expert explains the loopholes that are often overlooked by IT staff.

Devastating exploits like EternalBlue or Heartbleed get a great deal of media coverage, making people think the most important layer of security revolves around timely software patches.

This is somewhat of a misconception distracting IT staff from things like critical configuration flaws, which are just as common and cannot be remedied by simply applying updates.

Some of these security loopholes stand out from the crowd as they are encountered by literally every other company and remain unattended for years.

Email from the Boss

Social engineering is the biggest scourge undermining enterprise security because it slips under the radar of conventional defenses. You can enhance your employees’ security awareness by instructing them to treat emails with extreme caution, but things get more complicated in the case of staff receiving dozens of emails a day.

Have a look at your SMTP server. It is quite likely to process email without sender authentication. We are not talking about a mail relay harnessed to spew out tons of spam—this is a rare scenario these days.

The issue is different here: an external threat actor can connect to your email server and send a message to any local user without having to go through authentication. The sender’s email address can be arbitrary, that is, either external or internal.

Want to send a message on behalf of an organization’s IT support? It’s a piece of cake. Even if the local sender’s address is unknown, you can try and pick one.

The mail server is typically configured to verify whether the local user who sent a message exists.

The attack workflow is fairly prosaic. The threat actor takes advantage of the recipient’s trust toward the email author to manipulate the victim into opening suspicious attachments or follow an embedded link.

It is a mere technicality to get around antivirus software these days. Most security suites easily detect files containing code that exploits cataloged vulnerabilities.

Very few are capable of identifying customized malicious code, though.

It is possible to obscure harmful code by means of specially crafted tools, such as obfuscators and “crypters” like Pyherion that prevent antivirus engines from detecting suspicious commands being executed.

Cybercrooks can equip their code with timers to circumvent sandboxing and other advanced behavioral analysis features. This way, the malware will remain dormant inside the target host for a predefined amount of time.

Attackers are often one step ahead of antimalware vendors because they can prep and test their perpetrating code extensively without facing any risks.

Consequently, a well-motivated hacker succeeds in getting a backdoor on a victim’s machine in 8 cases out of 10.

The Frail Network

Safety concept: Blue Closed Padlock on digital background, 3d render
Devastating exploits like EternalBlue or Heartbleed get a great deal of media coverage, making people think the most important layer of security revolves around timely software patches.

Penetration testers often deal with properly segmented networks featuring strict access control lists (ACLs).

Complementary layers of administrative account security, such as LAPS (Local Administrator Password Solution), considerably reduce the surface of attacks aimed at obtaining account credentials from the memory of contaminated Windows hosts.

The hosts are sometimes so reliably protected that the adversary has to resort to attacking vectors targeting the application layer or network infrastructure.

The latter, by the way, is a disconcertingly common scenario. Here’s an example of a heavily exploited security flaw in Cisco-based networks.

The problem is that the Cisco Smart Install (SMI) service, which is used by the majority of modern Cisco Catalyst switches, allows for modifying device configuration without authentication.

SMI is intended to streamline the initial setup of network devices, which explains why a lot of switch models go equipped with it by default.

Furthermore, in some cases, it cannot be disabled (for instance, on Cisco Catalyst 6500 Series), so the only protection method boils down to using ACL.

Go ahead and check the TCP port 4786 on your Cisco network equipment—you are quite likely to spot a running service on it.

It is wrong to treat SMI as an obsolete service. It has acquired new features over the years. From Cisco Internetwork Operating System (IOS) version 15.2 onward, it accommodates a feature that allows launching post-installation scripts in the “Enable” mode.

As before, no authentication is required to do it. The configuration upload/download procedure is available for all builds of Internetwork Operating System.

The ability to retrieve and alter the configuration of a network device provides threat actors with vast network attack opportunities, ranging from disclosure of admin-level credentials and network traffic interception, all the way to editing access control lists and infiltrating any VLAN on a remote switch.

In case a network device adjoins a protected network segment, compromising the former means the adversary can penetrate the latter.

The Inalienable Prerogative of Control

Group Policy is one of the kernel components of the Active Directory (AD) catalog service that allows administrators to implement a number of configuration scenarios requiring account credentials.

The configuration of these policies is stored in XML files under the domain controller’s SYSVOL directory and can be accessed by all group members.

The caveat here is that the passwords to accounts listed in the policy are stored in the CPassword attribute in an encrypted format, where the encryption key is known to the group and cannot be modified.

Therefore, any group member can obtain and decrypt the values of account passwords stored in the following files: groups.xml, datasources.xml, scheduledtasks.xml and services.xml.

Obviously, the accounts stored this way are most likely to have administrative privileges.

Microsoft released security patches KB2928120 in 2014 that disallowed storing usernames and passwords in Group Policy configuration.

However, the company did not disable or change the existing policies forcibly. It is no longer possible to create new Group Policy parameters containing user access credentials, but the previously defined settings continue to be valid, with the system displaying appropriate security alerts to the domain administrator every so often.

Microsoft has offered administrators some workarounds applicable to domain configuration scenarios but has had hardly any success with that.

Bottom Line

There are lots of critical security issues that cannot be addressed via software patches alone.

When it comes to the components of information systems, maintaining configuration standards is an effective and affordable security approach that shouldn’t be underestimated or ignored.

The only viable alternative is to leverage costly detection mechanisms, such as integrity controls and Network Behavior Anomaly Detection (NBAD).

David Balaban

David Balaban

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.