White paper « ITrust »

ITrust experts found out that 10 security breaches represent 99% of the security breaches in companies.

Written by ITrust, November 2013, according to the audits conducted over the last 5 years by the ITrust penetration test team.
Introduction

That is not a surprise; many cybercrime facts were reported in the news last year. This crime has now become a major challenge for governments as they are potentially at risk. We remember how the Elysée hacking was highly publicized [1].

75% of companies were hacked within the last two years according to a Cenzic study [2]. That number rose to 90% in ITrust's statistics, based on what we observed during pentest missions at our customers.

Over the past five years, ITrust's penetration test consultants intervened about a hundred times to carry out penetration tests for our customers. These tests are realized both in internal and external environments (to test customers' DMZ services or even websites). Find below the distribution of the tests.

Kind of audits conducted (distribution):
- internal: 50 %
- external: 38 %
- web: 12 %

Audits distribution per year: total 104 audits (the year 2013 is only based on the first 4 months).
Top 10 of vulnerabilities by ITrust
We have generated statistics from the data sample we are dealing with, to provide an objective view about the relevance of these data.

Thus, we provide information concerning the business structure of our customers.

Distribution of our customers by number of employees:
- over 500: 38 %
- less than 500: 12 %
- less than 100: 15 %
- less than 20: 35 %

And the field of activity of our customers.

Distribution of our customers by field of activity:
- Health/agro: 25 %
- Service: 19 %
- Bank: 19 %
- Industry: 15 %
- Aerospace: 8 %
- Host: 6 %
- Public: 4 %
- Hotel: 4 %

This article gives an overview of the 10 most commonly encountered vulnerabilities during our audits, with case studies. It is therefore relatively accurate feedback from ITrust's technical teams over the last 5 years. We observed during our audits or incident interventions that 99% of information systems have been compromised by at least one of these 10 breaches. Correcting these 10 main vulnerabilities would heighten the security level of an organisation.
Feedback: Top 10 vulnerabilities encountered. Fixing these 10 vulnerabilities would raise the level of security of an organization.
10. Too verbose logging: « the network tea room »

This vulnerability is not a real one, but it is often the first step during penetration tests. Even though this flaw cannot directly compromise a system, it allows useful information to be collected – especially finding out relevant targets. In the talkative group, we find the 2 main servers:

Wordy domain controllers

Too wordy domains give attackers critical information to organise their attacks. Through LDAP or Samba connections, they often get relevant information such as the domain name, the operating system version (fingerprint) and, even more useful for them, the domain users list.

DNS servers

DNS is an essential service, which ensures the good working of application services such as browsing and messaging. Most of the time, doors are opened on the whole network. Then, hackers use the DNS zone transfer to list all the assets within the domain. Thus, they can quickly find out the interesting targets – by responsibility or department (R&D, Accounts). In the same way, it is possible to obtain, for each machine, the connected user.

Case study: enumerating user accounts on a domain.

Using the rpcclient command against a Windows domain controller:

    # > rpcclient 192.168.1.1 -p 139 -U% -c enumdomusers
    session request to 192.168.0.4 failed (Called name not present)
    user:[Admin] rid:[0x1f4]
    user:[Guest] rid:[0x1f5]
    user:[Accounting] rid:[0x476]
    user:[Commercial] rid:[0x4c3]

Using rpcclient to enumerate the domain administrators:

    # > rpcclient 192.168.0.4 -p 139 -U% -c 'querygroupmem 0x200'
    session request to 192.168.0.4 failed (Called name not present)
    rid:[0x1f4] attr:[0x7]
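The rpcclient output above is what an auditor re-running the check on their own domain controller gets back; the following script (an added example, not part of the ITrust paper) turns that output into report findings, using the fact that the built-in Administrator and Guest accounts keep their well-known RIDs (500, 501) even when renamed. The sample outputs are the ones quoted in the case study.

```python
import re

# Constructed sample: the two rpcclient outputs quoted in the case study above,
# as a defender would capture them when re-running the check on a domain controller.
SAMPLE_ENUMDOMUSERS = """\
session request to 192.168.0.4 failed (Called name not present)
user:[Admin] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[Accounting] rid:[0x476]
user:[Commercial] rid:[0x4c3]
"""
SAMPLE_QUERYGROUPMEM = """\
session request to 192.168.0.4 failed (Called name not present)
rid:[0x1f4] attr:[0x7]
"""

# Relative identifiers (RIDs) Windows reserves for built-in accounts: the
# account name can be changed, the RID cannot, so it identifies renamed accounts.
BUILTIN_ACCOUNT_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}
DOMAIN_ADMINS_RID = 512   # the 0x200 group queried above

USER_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
MEMBER_RE = re.compile(r"rid:\[(?P<rid>0x[0-9a-fA-F]+)\]\s+attr:\[")

def parse_enumdomusers(text):
    """{rid: account name} for every user line of 'enumdomusers' output."""
    return {int(m.group("rid"), 16): m.group("name") for m in USER_RE.finditer(text)}

def parse_group_members(text):
    """List of member RIDs from 'querygroupmem' output."""
    return [int(m.group("rid"), 16) for m in MEMBER_RE.finditer(text)]

def assess_null_session(users_out, group_out):
    """Findings for a report. Any user line returned to an anonymous (-U%)
    session means the DC discloses its account list without credentials."""
    users = parse_enumdomusers(users_out)
    findings = []
    if users:
        findings.append("anonymous user enumeration succeeded (%d accounts)" % len(users))
    for rid, name in sorted(users.items()):
        if rid in BUILTIN_ACCOUNT_RIDS:
            findings.append("%s exposed as '%s' (RID %d)" % (BUILTIN_ACCOUNT_RIDS[rid], name, rid))
    for rid in parse_group_members(group_out):
        findings.append("Domain Admins (RID %d) member: '%s' (RID %d)"
                        % (DOMAIN_ADMINS_RID, users.get(rid, "unknown account"), rid))
    return findings

if __name__ == "__main__":
    for finding in assess_null_session(SAMPLE_ENUMDOMUSERS, SAMPLE_QUERYGROUPMEM):
        print(finding)
```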
9. Trust-based relationship: the compromise spreads

Within a UNIX environment, remote login programs (rlogin and rsh) use a poor authentication system which also allows them to set up a trust-based relationship between machines (via the .rhosts or hosts.equiv file). In this way, if a machine is compromised, the hacker has easy access to the whole set of trusted machines.

In most cases, these applications are forbidden by the security policy requirements in favour of more secure tools such as SSH. But experience reveals that bounces are still possible because of the lack of private key protection: the related public key can often be used on a wide range of servers, which allows the attacker to connect to them.

Within a Windows environment, it is possible to define trust relationships between Active Directory domains. In that situation, the user directory is replicated between the trusted domains. If an attacker can obtain an account on a « weaker » domain, then he will have full access to all the domains in the trust relationship.

8. Access rights management: need to know

Need-to-know is one of the most important security concepts used to ensure the protection of confidential data. The management of access rights and permissions often has weaknesses: weak or non-existent access restrictions permit to obtain a lot of strategic and confidential information.

Case study: trusted insider test - trainee example.

In most Active Directory architectures, users are assigned to several groups and shared contents are opened to some groups. A trainee is added to the group of his supervisor(s). The test consists in finding which information can be obtained. At the end of the test, the experience highlights that the person has at least obtained confidential data. Moreover, in most cases, information about user accounts that can be used to become a server administrator is found.

Employees are the weakest link for IT security. They represent 50% of security risks. « Insiders are the biggest threat »
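The two UNIX bounce conditions described above (a wildcard trust in hosts.equiv or .rhosts, and one SSH private key whose public half is accepted on many servers) can be checked from an inventory of those files. The script below is an added example and not ITrust's tooling; the host names, file contents and key blobs are constructed, and a key is counted as "unrestricted" when its authorized_keys line carries neither a from= nor a command= option.

```python
import re
import hashlib
from collections import defaultdict

# Constructed sample input: what an inventory job would collect from each
# host, i.e. /etc/hosts.equiv and the authorized_keys of the root account.
HOSTS_EQUIV = {
    "srv-db01": "srv-app01\n+\n",            # a bare "+" trusts every host
    "srv-app01": "srv-db01\n",
    "srv-web01": "",
}
BLOB_OPS = "AAAAC3NzaC1lZDI1NTE5AAAAIOpsKeyUsedEverywhere0000000000000000000000"
BLOB_BKP = "AAAAC3NzaC1lZDI1NTE5AAAAIBackupKeyRestrictedToOneSource00000000000"
AUTHORIZED_KEYS = {
    "srv-db01": "ssh-ed25519 %s ops@bastion\n" % BLOB_OPS,
    "srv-app01": "ssh-ed25519 %s ops@bastion\n"
                 'from="10.0.0.5",command="/usr/bin/rsync --server" ssh-ed25519 %s backup\n'
                 % (BLOB_OPS, BLOB_BKP),
    "srv-web01": "ssh-ed25519 %s ops@bastion\n" % BLOB_OPS,
}

# authorized_keys line: [options] key-type base64-blob [comment]
KEY_LINE = re.compile(
    r"^(?:(?P<opts>\S.*?)\s+)?(?P<type>(?:ssh|ecdsa|sk)-[\w@.-]+)\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")

def fingerprint(blob):
    """Short stable identifier for a key blob (hash of its base64 text)."""
    return hashlib.sha256(blob.encode()).hexdigest()[:16]

def wildcard_trusts(hosts_equiv):
    """Hosts whose hosts.equiv (or .rhosts) contains a '+' wildcard entry."""
    bad = []
    for host, content in hosts_equiv.items():
        for line in content.splitlines():
            fields = line.split()
            if fields and fields[0] == "+":
                bad.append(host)
                break
    return sorted(bad)

def key_reach(authorized_keys):
    """fingerprint -> {'hosts': where the key logs in, 'unrestricted': without from=/command=}."""
    reach = defaultdict(lambda: {"hosts": set(), "unrestricted": set()})
    for host, content in authorized_keys.items():
        for line in content.splitlines():
            m = KEY_LINE.match(line.strip())
            if not m:
                continue
            fp = fingerprint(m.group("blob"))
            reach[fp]["hosts"].add(host)
            opts = m.group("opts") or ""
            if "from=" not in opts and "command=" not in opts:
                reach[fp]["unrestricted"].add(host)
    return reach

def bounce_findings(hosts_equiv, authorized_keys, max_hosts=1):
    """Wildcard r-command trust, plus any key that opens more than max_hosts servers."""
    findings = ["%s: hosts.equiv trusts any host ('+')" % h for h in wildcard_trusts(hosts_equiv)]
    for fp, r in sorted(key_reach(authorized_keys).items()):
        if len(r["unrestricted"]) > max_hosts:
            findings.append("key %s opens %d servers without from=/command= restriction: %s"
                            % (fp, len(r["unrestricted"]), ",".join(sorted(r["unrestricted"]))))
    return findings
```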
7. Administration protocols: the devil is in the details

Even in companies where security is considered on users' workstations and servers, some kinds of equipment are regularly forgotten. For active network elements such as switches, routers or printers, security is often overlooked. Thus, default administration passwords are rarely changed and, even if they are, the administration protocols enabled by default remain on that kind of device.

The presence of insecure protocols used to pass unencrypted passwords is a very important source of attacks. For instance: FTP, Telnet…

Case study: SNMP on a branch office router

This happened during one of our audits. A VPN router of one of the client's branch offices had an SNMP service activated and listening on the Internet. The default setup allowed us to read and write the MIB's information. The scenario consisted in redirecting DNS requests to one of our servers and reviewing their statistics. After this convincing first step, the relevant traffic is redirected to our server, as well as the access to the messaging account. Then, we can collect all the forwarded messages.

Although production equipment and printers represent only 1% of security threats, they are too often neglected.

Case study: Production stopped

SNMP is not the only open administration protocol. Let's take the example of an inverter on a client's production lines. This inverter was in a « factory » configuration. Thus, we just had to log on to the admin web server with the default accounts in order to turn off all the production services.

[Chart: distribution of security threats by type of equipment, from 0 % to 25 %; the axis labels are not recoverable from the extracted text.]

6. Database

Databases are chosen targets because of the important information they hold. When default passwords are changed, database administrators (who manage lots of servers) often use weak passwords derived from the name of the server. Beyond the confidential information they contain, these databases include user lists on which passwords can easily be cracked. Then, these accounts can be used to carry on the network attack.

Nowadays, database hacking is 14% of security threats. Gamigo's database was pirated in 2012 (http://buff.ly/11umuYS).

Case study: ERP: a perfect target

For this case, the company used to let salespersons have an ERP instance on their computer in order to use it when they are on-site with customers. As the database service was exposed on the network, it was easy to find out obvious passwords. Then, we could get the company's client list and its associated offers. That was a real treasure, and very profitable for attackers to resell.
5. File sharing

Many systems may have file shares. Shares may be managed via various communication protocols (FTP, NFS, SMB…). Generally, restrictions on these shares are weak or non-existent. Whether it is an anonymous FTP access being allowed or an access restriction limited to the company network for the network shares (SMB or NFS), an attacker has the possibility to obtain a lot of confidential information. When an attacker chooses to use the scorched earth tactic and to delete all the files (backups, financial data…), the damage that can be caused is extremely high.

Case study: management's printer

By default, the latest printers have some shares activated to receive scans or faxes. In our case, the printers were storing all the documents – so, it was possible to find all the management's photocopies, scans and faxes.

http://buff.ly/ZWQ2Mv
Some researchers from Columbia University claim that they discovered a new class of computing security flaw that could impact millions of companies, consumers and governmental organisations. Printers can be remotely controlled online by computer criminals.

4. Abandoned servers

We found during our audits that a hardware or software inventory is almost never done within information systems. During an audit, when we discover unmaintained and highly vulnerable test servers or abandoned servers, administrators are surprised as they were not even aware of these items on the network. These servers are easy to exploit and can still hold valid and usable information. Moreover, they are used as relays to attack more relevant targets.
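The "weak or non-existent restrictions" on SMB shares described under file sharing above are visible in the share definitions themselves. The script below (an added example, not from the paper) audits a Samba smb.conf for guest access, guest write access and shares with no user restriction, and rewrites a share in the restrictive form; the smb.conf text is constructed, and the group name passed to hardened() is an assumption of the caller.

```python
import configparser

# Constructed sample smb.conf for the example; the "finance" and "scans"
# shares carry the weak or absent restrictions the section describes.
SMB_CONF = """
[global]
   workgroup = CORP
   map to guest = Bad User

[finance]
   path = /srv/finance
   guest ok = yes
   writable = yes

[scans]
   path = /srv/scans
   public = yes
   read only = no

[hr]
   path = /srv/hr
   valid users = @hr
   read only = yes
"""

YES = {"yes", "true", "1"}

def load_shares(text):
    """Parse smb.conf (INI syntax) into {share: {option: value}}, without [global]."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {s: dict(cp[s]) for s in cp.sections() if s.lower() != "global"}

def is_yes(opts, key, default="no"):
    return opts.get(key, default).strip().lower() in YES

def share_findings(opts):
    """Weaknesses of one share. 'public' is a synonym of 'guest ok';
    'writable = yes' means the same as 'read only = no'."""
    guest = is_yes(opts, "guest ok") or is_yes(opts, "public")
    writable = is_yes(opts, "writable") or is_yes(opts, "write ok") or (
        "read only" in opts and not is_yes(opts, "read only", "yes"))
    findings = []
    if guest:
        findings.append("anonymous (guest) access allowed")
    if guest and writable:
        findings.append("anonymous users can modify or delete files")
    if not guest and "valid users" not in opts:
        findings.append("no 'valid users' restriction: any domain account can connect")
    return findings

def audit_shares(text):
    """Map each share name to its findings; an empty list means the share passed."""
    return {name: share_findings(opts) for name, opts in load_shares(text).items()}

def hardened(opts, group):
    """The same share rewritten restrictively: no guest access, read only,
    limited to one group (hypothetical group name supplied by the caller)."""
    fixed = {k: v for k, v in opts.items() if k not in ("public", "writable", "write ok")}
    fixed.update({"guest ok": "no", "read only": "yes", "valid users": "@" + group})
    return fixed
```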
3. Web vulnerabilities

This category could be a whole article as it is a very wide subject (this vulnerability category is worth a top 10 of its own). In our case and according to our sample, web vulnerabilities do not represent the majority of the vulnerabilities encountered. However, very often, especially during website audits, it is possible to observe some application vulnerabilities.

If we compare our field experience with the top 10 web vulnerabilities given by OWASP [3], this is what we can conclude: we can class the vulnerabilities we face in two categories.

Phase 1: Entry points

These vulnerabilities allow a first access to the system and give information. By order of frequency we find:
• Not updated systems
• SQL injections
• XSS attacks
• Sessions management

Phase 2: Operation

This category of vulnerabilities allows, in a second step, to exploit the information collected in phase 1. In this category we find:
• Sensitive data exposure
• Lack of secure configuration
• Lack of restricted privileges.

As soon as an exploitable vulnerability is identified on the website, if privileges are not properly managed it can be possible to access the server and obtain all rights. Depending on the hacker's nuisance potential, the operation can go from a website breakdown, to some data loss (potentially sensitive, like banking data), to the creation of a zombie and, in the worst case scenario, to data deletion.

Case study: Unprotected PHP functions

Websites offer the possibility to update some contents (like images for instance) and use PHP upload functionalities. If there are no strict controls on these functionalities, it is possible to upload a web shell and to obtain some information like password hashes. This allows access to the server in a back office mode.

Case study: working session hijacked / Video surveillance systems

A security company offers its clients a video surveillance system of their offices with an online access. Session cookies are not protected and allow replays. Thus, any user can guess the cookie format and access another company's video surveillance system. The issue could have been limited to a disclosure of the client list if passwords were not that weak. But then, the security system becomes, with few resources, an efficient tool to set up an office robbery.
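The video surveillance case above fails on two points: the cookie can be guessed (its customer part is predictable) and it can be replayed. The following session handling, an added example rather than code from the paper, shows the corrective form: an unguessable session id, an HMAC that detects any edit of the customer field, a server-side session table so that logout revokes the cookie, and a sliding expiry. The secret key is a constructed placeholder and customer identifiers are assumed not to contain a dot.

```python
import hmac
import hashlib
import secrets
import time

# Constructed server-side secret for the example; in production it comes from
# a secret store and is rotated, never hard-coded.
SERVER_KEY = b"example-key-rotate-me-not-for-production"
TOKEN_TTL = 15 * 60   # seconds of inactivity before a session dies

# Server-side session table: session id -> (customer, expiry). A cookie whose id
# is not in this table is worthless, which is what defeats replay after logout.
SESSIONS = {}

def _sign(session_id, customer):
    msg = ("%s|%s" % (session_id, customer)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_cookie(customer, now=None):
    """Create a session for `customer` and return the cookie value to set.
    Format: <random id>.<customer>.<hmac>; customer must not contain '.'."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)      # 256 random bits, not guessable
    SESSIONS[session_id] = (customer, now + TOKEN_TTL)
    return "%s.%s.%s" % (session_id, customer, _sign(session_id, customer))

def resolve_cookie(cookie, now=None):
    """Return the customer a cookie belongs to, or None if it must be rejected."""
    now = time.time() if now is None else now
    try:
        session_id, customer, sig = cookie.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(session_id, customer)):
        return None                 # forged or edited (e.g. customer field changed)
    entry = SESSIONS.get(session_id)
    if entry is None or entry[0] != customer:
        return None                 # unknown, logged out, or replayed after revocation
    if now > entry[1]:
        SESSIONS.pop(session_id, None)
        return None                 # idle too long
    SESSIONS[session_id] = (customer, now + TOKEN_TTL)   # sliding expiry
    return customer

def logout(cookie):
    """Revoke the session server-side so the same cookie cannot be replayed."""
    session_id = cookie.split(".")[0]
    SESSIONS.pop(session_id, None)
```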
2. Passwords

A default or common password giving access to confidential resources was observed in 96% of our customers' audits. A trainee would be able to reach it. That is an issue even for companies whose users' awareness is the highest – and it is still one of the most used attack vectors, and the easiest to carry out.

FEEDBACK: Top 3 of the weakest passwords encountered
- Account without password
- Same login and password
- Generic password for created accounts

And let us not forget the user's name as password, the name of his kids or a word from the dictionary…

Case study: BlackBerry server

To illustrate this issue, we return to the case of a Windows server with the administrator's password of the database left by default. With that access we can create a new user within the system, and we can see that the BlackBerry server does not delete temporary files. In this way, highly confidential information is obtained.

1. Common security risks

That should be the most occasional problem and is paradoxically the easiest and the most automated to exploit. Common security vulnerabilities are known and, once issued, the vendors provide patches. Systems to be protected against these risks just need to be updated. However, these vulnerabilities are the biggest attack vector for information systems. The latest news concerning business compromises involved systems not updated for many years.

We remember the hacking of Sony's PlayStation Network. This hacking was made possible through a known vulnerability with an available update.
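The three weaknesses of the feedback box above, and the server-name-derived passwords noted under Database, can be checked automatically on the account list recovered during an audit. The script below is an added example, not ITrust's code: the generic password list and the sample accounts are constructed, and "derived from" means the word itself, its reverse, or the word with a few extra characters, after undoing common letter/digit substitutions.

```python
import re
import unicodedata

# Constructed list of generic/default passwords for the example (not ITrust data).
GENERIC_PASSWORDS = ("password", "admin", "root", "changeme", "welcome", "public", "private", "123456")
# Undo common "leet" substitutions so that P@ssw0rd reads as password.
LEET = str.maketrans("0134578@$", "oieastbas")

def normalize(s):
    """Lowercase, strip accents, undo leet substitutions, keep letters only."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode().lower()
    return re.sub(r"[^a-z]", "", s.translate(LEET))

def derived_from(password, word):
    """True if the password is `word`, its reverse, or `word` padded with a few characters."""
    if password.lower() == word.lower():
        return True
    p, w = normalize(password), normalize(word)
    if len(w) < 3 or not p:
        return False
    return p in (w, w[::-1]) or (w in p and len(p) - len(w) <= 3)

def weak_password_findings(login, password, hostname):
    """Findings for one account: the three weaknesses of the feedback box plus
    the server-name-derived passwords seen on databases."""
    if not password:
        return ["account without password"]
    findings = []
    if password.lower() == login.lower():
        findings.append("same login and password")
    elif derived_from(password, login):
        findings.append("password derived from the login")
    if any(derived_from(password, g) for g in GENERIC_PASSWORDS):
        findings.append("generic or default password")
    if derived_from(password, hostname):
        findings.append("password derived from the server name '%s'" % hostname)
    return findings

def audit_accounts(accounts):
    """accounts: iterable of (login, password, hostname); returns {(host, login): findings}."""
    return {(h, l): weak_password_findings(l, p, h) for l, p, h in accounts}

# Constructed sample of accounts recovered during an audit of two servers.
SAMPLE_ACCOUNTS = [
    ("sa", "", "srv-db01"),
    ("backup", "backup", "srv-db01"),
    ("dbadmin", "Srv-DB01!", "srv-db01"),
    ("app", "P@ssw0rd", "srv-app01"),
    ("j.dupont", "Kx7#vQ2pLm9!", "srv-app01"),
]

if __name__ == "__main__":
    for (host, login), findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(host, login, findings or "ok")
```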
3 other vulnerabilities

In addition to the 10 vulnerabilities, 3 more can be added to the top 10, increasing the total to 13 vulnerabilities:
> Application flaws
> Human vulnerabilities. For instance: an employee gives his password to a fake system administrator via phone or mail.
> Unknown vulnerabilities

That top 13 shows, for us, all the exploited vulnerabilities of an information system.
Conclusion

During an audit, we penetrate an information system more than 9 times out of ten. We do so from a common security breach (coming from the top 10), through a simple internet connection. If we can make it, so can the hackers, malicious persons or malware.

Then, what do we do?

We often meet customers who pile on security tools while they could remove these 10 main breaches, which would increase the security level exponentially. That is the reason why it is necessary to set up permanent controls to check these points.

Even though all these problems could be avoided with very simple controls, each year more companies are suffering serious incidents related to cyber security. For example, do you know that 98% of the companies we checked use default passwords?

You are not facing security problems? Of course: 8 companies out of 10 are suffering attacks or intrusions and do not know it.

You have firewalls and protection systems but you are still suffering from malicious attacks. We have been told for years that we must protect ourselves, but the analysis remains terrible. Despite all the tools and significant security budgets, basic security principles are not respected. We remain as vulnerable as before, and it is even easier for an intern to get confidential information on the networks, or even for a Korean student to get your ERP rate base or to launch a significant DDoS attack on your infrastructure.

We are currently at a turning point in our activity. Attacking technologies prevail over defending ones. The gap between the hackers and the engineers is widening. The systems are extraordinarily vulnerable and the efficient technologies are rare.

Similarly to medicine, the current antibiotics are not that efficient. Then, while waiting to fill the gap between the sword and the shield (with a behavioural analysis technology for instance), we wanted to explain to our clients and to CISOs, through ITrust, that there is another, complementary way to the classical medicine: an alternative but complementary one based on better practices and good hygiene. A kind of "Chinese medicine" that prevents rather than cures.

This year, a Verizon report showed that 97% of the data breaches could have been avoided by easy controls [4].

I have been a security expert for 15 years.
I have been the BNP's trading room security director.
I am an ISS cloud expert at the National Assembly.
I am the CEO of ITrust, founded 7 years ago.

Our activity is complex. You can find a lot of standards and methods. You can find an incalculable number of tools, viruses, methods, schools which use their own processes or protocols. It is a young activity, practised for only 20 years.

With the new threats, especially APTs and the cloud, our clients remain expectant. Few of them understand why, still after 20 years, we shall keep improving the systems with new methods and new tools. They find with surprise and incredulity that firewalls and antivirus are no longer efficient enough to protect them. They realise that many of us lied to them, promising the end of their troubles with new tools.
To convince you:

Most security incidents could have been easily avoided. A story that deserves a conference: did you know that the largest cyber attack (Stuxnet) could have been avoided by changing the default password of Siemens devices?

Simple solutions and controlled procedures would mostly have avoided major disasters:
• BP oil rig: the valve safety system was disabled due to the generation of a large amount of false positives.
• Société Générale - Kerviel case: the trader was also the designer of the trading tool.
• Fukushima: engineers were convinced that the cooling pump was open.
• Stuxnet virus: use of the default password of Siemens devices.
• Heysel disaster: due to a lack of controls, too many spectators without tickets attended the match.

Respecting what is known as healthy security: simple and smart controls. Leading experts and studies confirm what we say.

Best Practices

« The anti-virus is no longer effective in responding to new threats. Maintaining a good security policy in real time by avoiding default passwords and overseeing the security flaws remains the current best practice for SMEs »
Hervé Schauer, security consultant expert

Security is something simple. To avoid being sick, you wash your hands, you have good hygiene and eat healthily... You are grateful not to be stuffed with drugs every morning. That is similar for information system security; but that speech is hard to accept, as for 20 years we kept on hearing that drugs were the only solution to solve our problems.
Over the last years, other experts have gone along with us: 10 security vulnerabilities are 99% of the vulnerabilities encountered in any kind of company.

Top 10 flaws in all enterprises:
- Too verbose systems
- Weak passwords
- Rights to know
- Trust between domains
- Database default password
- DNS servers too wordy for internal domains
- Bad shares
- Protocols in clear or misconfigured
- Development servers, abandoned servers
- Historical and common vulnerabilities

Let's fix these vulnerabilities first and the company's security level increases exponentially, better than with any expensive technology.

What does the police do?

Often, salvation comes from regulation. It is when these controls become mandatory that they will be systematically implemented.

So?

This is a strong trend: more and more recommendations or compliance standards take this step. These include:
• The Health safety guide from ANSSI (link...)
• New constraints related to health data, more and more recommendations
• The SANS top 20

ITrust has developed its solution, IKare, based on these ideas. IKare continuously checks the security vulnerabilities of the information system and suggests the appropriate corrections.
Exclusive property © ITrust
Bibliography

[1] http://lexpansion.lexpress.fr/high-tech/cyberguerre-comment-les-americains-ontpirate-l-elysee_361225.html
[2] http://www.cenzic.com/resources/reg-required/whitePapers/Ponemon2011/
[3] https://www.owasp.org/index.php/Top_10_2013-T10
[4] http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf
Writers

Julien Lavesque is ITrust's CTO. He is a security consultant, acting as an auditor, expert and trainer for sixty clients. Telecom and security engineer.

Jean-Nicolas Piotrowski, ITrust's CEO. Security expert for fifteen years, former CISO at the BNP Arbitrage trading room. He is general secretary and co-founder of the Digital Place cluster.

Based on a case study by Denis Ducamp, security consultant.

ITrust (www.itrust.fr) has been a security company since 2007, providing its expertise and product to more than 100 customers in Europe. It develops IKare, a vulnerability management solution. ITrust is a prizewinner of the Future Investment «SVC» project, and developed a breakthrough technology for behavioural analysis. ITrust was awarded in 2013 the international digital prize given by IEClub and Ubifrance.

55 avenue l'Occitane
BP 67303
31 670 Labège Cedex, France
Tél : +33 (0)567.346.781
Email : [email protected]
www.itrust.fr
www.ikare-monitoring.com