Rapid Vulnerability Assessment Report

Transcription

1 White Paper Rapid Vulnerability Assessment Report Table of Contents Executive Summary... Page 1 Characteristics of the Associated Business Corporation Network... Page 2 Recommendations for Improving Security... Page 2 Characteristics of a Secure Network... Page 3 Internet Security Assessment... Page 4 Overview... Page 4 Methodology... Page 4 Internet Probing... Page 4-5 Dial Access Security Assessment... Page 6 Overview... Page 6 Methodology... Page 6 Internal Security Assessment... Page 6 Overview... Page 6 Methodology... Page 6 Recommendations... Page 7-12 CDWG.com

2 Executive Summary Advanced Technology Services performed a Rapid Vulnerability Assessment for Associated Business Corporation (ABC) on February 15, The assessment was performed over the Internet through the public switched telephone network, and during an onsite visit to ABC. This document is a summary of the findings, and is intended to: Give an overview of the security of ABC s security posture relative to that of other networks Summarize some of the technical issues raised during the audit Highlight the major findings of the assessment Recommend corrective action for remediation of the vulnerabilities found This section provides a summary of the assessment results. First, the characteristics of ABC s network are examined and compared to industry standards for secure networks. Next, a summary of our findings is presented in three categories, detailing the specific traits by which the Network Security Engineers (NSEs) made their evaluations. Finally, general recommendations are made for improving the security of the Associated Business Corporation network. Characteristics of the Associated Business Corporation Network Table 1: Security Rating for the Associated Business Corporation Network Location Security Rating From the Internet Insecure From the PSTN Moderately secure From the internal LAN Insecure Strong Security Points During the course of the audit, the NSEs were impressed with (a) certain aspect(s) of the Associated Business Corporation network: Account lockout after failed login attempts was set at a highly secure setting. NSEs had difficulties with accounts that locked out and remained locked out. Account lockout prevented the NSEs from using brute force login techniques for fear of causing a Denial of Service (DoS) to Associated Business Corporation. However, intruders to the Associated Business Corporation network would not be as polite as NSEs. Recommendations for Improving Security The security of the Associated Business Corporation network will be further improved by implementing the following recommendations: Improve firewall packet filter restrictions to restrict access to services. Patch Microsoft IIS Servers to the proper level or disable external access. Follow Microsoft s published IIS configuration checklists to reduce the threat of typical web exploit techniques and closely monitor IIS web logs for typical signs of compromise. Disable remote access to pcanywhere unless it is absolutely required, and even then consider allowing it only over a VPN. pcanywhere is a dangerous service to run exposed to the Internet. 2

3 Characteristics of a Secure Network Advanced Technology Services has analyzed, designed, implemented and performed troubleshooting on secure networks for a wide variety of clients, including national and international corporations and government agencies. Drawing on their assessment and engineering experience, the NSEs have developed a classification scheme for rating the security of corporate networks. These ratings are based on compiled observations from the many audits the NSEs have done, not on any one network or class of networks. Fundamentally, it is fruitless to appraise the security of one network in comparison to that of another: no two corporations have the same needs, goals, operational constraints or policies. Moreover, the goal of an assessment is not to pass judgment on the state of a customer s network, but rather to identify ways in which security can be improved. Nonetheless, in the course of their assessment work, the NSEs have developed a list of what they consider to be the key aspects of a network security program. As part of every audit, the NSEs evaluate the degree to which the customer s network is aligned with what they consider to be best practices in each of these areas. The NSEs evaluate the security characteristics of the audited network and compare them to the baseline characteristics in Table 2, below. The network is assigned a rating in each category: highly secure, moderately secure or insecure. Taken together, these factors summarize the overall security of the assessed network. The ratings are subjective, to a certain degree, because there is no universally accepted standard for network security. At the same time, the ratings are based on real-life experience: the NSEs have found that those networks which exhibit the traits marked as highly secure are indeed less susceptible to intrusion. Table 2 on page 3 lists these characteristics and explains the criteria for determining the security level of each. Table 2: Network Security Characteristics of Associated Business Corporation* Network Security Characteristic Password Protection Intrusion Detection Security Staff Firewall Dial-in Access for Users Highly secure networks have Token-based authentication Network and host intrusion detection Dedicated security staff Strong firewall configuration, regular log reviews Single point of access with one-time token authentication Moderately secure networks have Strong password enforcement Periodic review of logs Trained administrators Firewall on perimeter One or more points of access with single authentication method *Gold shading and bolding indicates characteristics exhibited by Associated Business Corporation Insecure networks have No password policy or unenforced password policy No intrusion detection No security staff No firewall Multiple points of access with differing authentication methods 3

4 Internet Security Assessment Overview The first step in assessing the security of a network is to identify the various points of access to it. Before mounting a concerted attack, a hostile entity needs to know the following: The number of target hosts exposed to potential exploits The logical location of these hosts, and how to reach them The services they offer Information about the various platforms involved, the operating systems they are running, and when possible, the versions of the various applications they run These are the essential ingredients in beginning an invasion. Usually, some of this information is publicly available, and necessarily so. In the course of searching public resources, however, a prospective attacker often uncovers other, more subtle facts, such as: Information about trust relationships between these hosts and other entities; i.e., customers, administrators and service providers The identities of at least some system administrators The sorts of data that might be available on a given system Some initial clues as to how security policy is implemented The goal of the Internet Security Assessment is to produce a rough diagram of the public ABC networks. Once publicly visible networks and nodes are identified, the NSEs proceed to use the vulnerability scanner Nessus 1 to make a more detailed diagnosis. The output of this exercise provides an intruder with a clear idea of what exploits and vulnerabilities are likely to be successful. Methodology The NSEs were given three TCP/IP addresses to perform the audit: , , and Starting with those three addresses the NSEs scanned ABC s Internet presence. Internet Probing ABC External Network and Host Discovery Summary The NSEs started with an ICMP ECHO_REQUEST (ping) sweep just to see if they could quickly identify running hosts. This is often blocked by a firewall to prevent rapid reconnaissance of a network. On /29 it appeared that inbound ICMP ECHO_REQUESTs were allowed. The NSEs were able to rapidly map hosts for possible further investigation. Table 3: Suspected External Network Targets at abc.net Domain Name IP Address Status Unknown Up customer Up Unknown Up Unknown Up client Up client Up Unknown Up Unknown Up Unknown Up wireless Up ns Up mail Up ftp Up www Up client Up Unknown Up 1 4

5 Table 4 shows the services that are looked for in a rapid assessment scan. Table 4: Rapid Assessment Service Results Port Protocol Service Name 21 tcp File Transfer Protocol (ftp) 22 tcp Secure Shell Protocol (ssh) 23 tcp Telnet 25 tcp Simple Mail Transport Protocol (smtp) 111 tcp Remote Procedure Call port UNIX (portmapper) 110 tcp PostOffice Protocol (POP) 143 tcp IMAP 80 tcp Http 443 tcp Https 389 tcp LDAP 139 tcp Microsoft Session Services 445 tcp Active Directory Services 8000 tcp Sometimes used for web servers 8888 tcp Sometimes used for web servers 8080 tcp Proxy Web Server 5631 tcp pcanywhere 5900 tcp VNC remote control Port scans for the most common open services were then launched for the entire /29 range. Individual Host Vulnerability Probes The NSEs used Nessus, a security vulnerability scanner, to enumerate the vulnerabilities on each host found during the ping sweep. 5

6 Dial Access Security Assessment Overview One of the most commonly overlooked network vulnerabilities is that of systems which allow dial-up access. Typical devices might include networking infrastructure devices, remote access servers, individual hosts, and other machines (e.g., private telephone exchange systems, call managers, elevators and alarm systems) that require remote administration. This segment of the audit was very limited in scope, and only consisted of identifying vulnerabilities in ABC s dial access pool. The NSEs were provided with the number for this modem pool. Methodology The NSEs used an automated modem scanning tool, PhoneSweep2, to assess ABC s dial-access network. This tool was unable to identify the exact make of RAS server being employed at ABC. A number of common username/password combinations were tested against this account, but the NSEs were unable to gain any access. The NSEs also attempted to log in with accounts found during other portions of the audit, but again unauthorized access was not allowed. It is important to note that this was a dial access audit with a very limited scope. It is possible that there may be other machines on the ABC network with dial access. The NSEs suggest that ABC perform a complete dial sweep of all owned phone number ranges to locate any vulnerable machines. Internal Security Assessment Overview Regardless of whether dial access restrictions and perimeter defenses are effective in keeping intruders out, prudent security strategy dictates that one should assume a breach will occur, and be prepared to deal with it when it does. It is also important to remember that data security on the internal network is a real concern: exact statistics may vary, but a significant portion of security violations originate from within the organizations that are compromised. In addition, internal network security is more than just another layer of protection from hackers it should assist administrators in maintaining control of internal data, prevent accidents, and ensure that stated policies and business practices are followed. Methodology On February 19, 2002, the NSEs were in Anyplace, conducting an assessment of ABC s internal network security posture. In the course of this assessment, the NSEs scanned a range of network addresses, attempting to identify running systems. Once this process was complete, the NSEs probed the available services for known security weaknesses. 6

7 Recommendations This section presents detailed recommendations for improving ABC s network security posture, based on information gathered during the assessment. Each entry includes a description of what the NSEs found, the risk posed to ABC if the current configuration is not remedied, and a specific suggestion for improving security. The NSEs have assigned a risk factor and an estimated cost to each recommendation. The recommendations are sorted by risk (high to low) and cost (low to high). This allows ABC to make well-informed and financially wise decisions about the security of its network. This is considered to be the core value provided by the security assessment. High Exposure pcanywhere Service Running on Critical Systems and Accessible to Internet Internet Priority: High Cost to Fix: Low pcanywhere is a remote control desktop access program that allows complete shared control of a Windows desktop. Its authentication methods are of moderate complexity when enabled. Leaving an unprotected pcanywhere session exposed to the Internet is roughly equivalent to leaving a PC outside the company logged in as Administrator with access occurring from anywhere in the world. Recommendation Disable pcanywhere connections from Internet. Allow connection only from internal networks. of compromise is too great and security controls in pcanywhere are not sufficient for Internet exposure. Default Install of IIS (and NT Option Pack) Leads to Vulnerabilities Internal Priority: High Cost to Fix: Low The default install of IIS includes several sample websites and applications that are intended to be a teaching tool for web development. Many of these samples contain well-known vulnerabilities that either allow unauthorized access to information on the machine or result in Denial of Service conditions on the server. Several web servers in the ABC environment (WIRELESS, FTP, AND WIND) contain the msadcs.dll and the Unicode exploit that allows anonymous users to remotely execute commands as the system process. Recommendation Review Microsoft s Best Practices for securing IIS. 7

8 Cisco Devices Allow HTTP Administrative Access Internal Priority: High Cost to Fix: Moderate It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access. This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further penetration of the network or result in a denial of service. Recommendation Cisco advises disabling the HTTP service on the device or using the Terminal Access Controller Access Control System (TACACS+) or RADIUS for authentication a. a. BugTraq Advisory: Microsoft IIS Servers Running Without Current Patch Level and with Insecure Default Configurations Internet Priority: High Cost to Fix: Moderate Several systems not intended to be web servers are running IIS with insecure configurations. Bulk compromise software targets IIS systems on the Internet. Given the ease of compromising these unpatched servers, it is highly dangerous to leave them exposed to the Internet in this state. Recommendation Either disable IIS services or install up-to-date patches and follow Microsoft s checklist for IIS deployment. In particular, the disk separation of the WINNT operating system directory from the web directories is vital. Having sample scripts and insecure permissions on the webroot areas is also vital for Internetexposed IIS servers. 8

9 Moderate Exposure Cisco Network Devices Allow Login from the Internet Internet Priority: Moderate Cost to Fix: Low The CISCO routers used at ABC allow vty access from the Internet. While the passwords were not trivially guessed, this represents unnecessary risk and the vty login ability should be restricted to internal IS networks. Brute force login efforts could compromise these critical pieces of network gear and cause massive disruption of service and aid in the further penetration of internal resources. Recommendation Disable vty access, except from internal network addresses known to be used by network administrators. Additionally, require serial console access only to these devices. Anonymous Connections Allowed to NT Servers Internal Priority: Moderate Cost to Fix: Low User, share and configuration information can be remotely accessed without authentication. All Windows NT servers allowed anonymous sessions to be established to the IPC$ administrative share. This allows the enumeration of users, groups, shares, and important configuration information without the need to provide a user name and password. A list of known users, including the default administrator account, on a platform makes guessing passwords possible. This account does not, by default, lock out after a series of bad password guesses. Knowing the name of this account, coupled with the no lockout condition creates a situation where a potential attacker can guess passwords forever. Recommendation Make a change to the registry. If the key does not exist, create it with REGEDT32.EXE: Hive: HKEY_LOCAL_MACHINE Key: System\ CurrentControlSet\Control\LSA Name: RestrictAnonymous Type: REG_ DWORD Value: 1. Default Administrator Account Does Not Lockout (Windows NT) Internal Priority: Moderate Cost to Fix: Low By default the Administrator account password does not lockout after unsuccessful login attempts. If the default Administrator account name is known (through a nullsession enumeration), an unlimited number of password guesses can be made against the account. Recommendation Using the Windows NT Resource Kit passprop.exe, it is possible to make this account conform to the same account lockout policies as the rest of the user accounts. It is strongly advised that this account be set for lockout, and that some administrator accounts be created that can only log into the console of the machine for the purpose of managing the console and unlocking accounts in the event that all other administrator accounts get locked out by an attacker. 9

10 Weak SNMP Community Strings Internal Priority: Moderate Cost to Fix: Low If an attacker knows the SNMP community strings, he can gather extensive information about a particular device. If the Write community string is known, a user could even change the configuration of a device. This vulnerability can lead to compromised passwords, denial of service attacks, and reconfiguration of devices to send traffic to an attacker s computer. The SNMP community strings were default (public and private) or were gathered via MIBwalk. Recommendation Choose hard-to-guess community strings and, where possible, use access control lists to limit the hosts that can connect to the SNMP services. Current Versions, Patches, Hotfixes, or Service Packs Not Installed on Several Machines Internal Priority: Moderate Cost to Fix: Moderate Several platforms were running software that was not up-to-date. Servers with out-of-date applications and OS revisions are vulnerable to known exploits. Recommendation Update to the latest software revision, patch level or service pack. Also, apply any applicable hotfixes and security and stability fixes. An excellent resource is the vendor s website. For example, the Solaris patches and updates can be found at 10

11 Low Exposure Firewall Allows ICMP ECHO REQUEST/REPLY Internet Priority: Low Cost to Fix: Low By allowing the ICMP (ping) protocol to work through the firewall, the discovery of external resources is greatly increased in speed. Without ICMP echo request responses, external reconnaissance must spend extra time to locate open services and ports by needing to scan any nonresponding IP address. More rapid reconnaissance of network might find vulnerable systems quickly before being noticed. Recommendation Disable inbound ICMP echo request and reply. Default Service Banners Allow Easy Identification of OS, Service Type and Revision Level Internal Priority: Low Cost to Fix: Low When accessed from the network, most services respond with a Hello banner. The default banners very often include operating system and software versions and other configuration information. This information quickly allows a potential attacker to determine the best methods to employ when attacking a platform. The banners returned by the SMTP, HTTP, and FTP services on nearly all servers identify the current version of the software running. Recommendation Alter the default banners that services offer to obscure OS and software version information. Telnet Running on Servers Instead of SSH Internal Priority: Low Cost to Fix: Moderate The systems in the ABC environment use telnet exclusively and a telnet session is not encrypted. An attacker sitting on the same wire, or in the same collision domain, can eavesdrop on an active telnet session. The telnet service also has many well-known vulnerabilities that can lead to root-level compromises. SSH (Secure Shell) offers remote console sessions, just as telnet does, but it encrypts all traffic. Recommendation Replace the telnet service with SSH, where possible. OpenSSH (www. openssh.com) is one of the most popular SSH servers. 11

12 CDWG.com