
No-Tech Hacking - Identifying Unprotected Assets

When you think of hacking, or start looking at ethical hacking and countermeasures, the focus is on the highly technical.  Encryption hacking.  Packet sniffing and session hijacking.  Web site hacking.  SQL injection and so on.  All require a fair bit of basic infrastructure, networking and coding experience.

Whilst there are many off-the-shelf tools, utilities and scripts that make the hacker's (and ethical hacker's) job easier, being non-technical is a huge hindrance.

However, as a security manager or engineer, protecting information and IT assets shouldn't just be about the cool tech.  It should also focus on the "no-tech".  By "no-tech", I'm simply referring to areas of information protection that require only basic process, training and awareness.

For example, servers should only run the services they are designed for, and each server should have a single, cohesive function associated with it.  This is pretty standard configuration management: it removes the complexity and support issues of having one device perform several functions.  If a server does one thing and one thing only, it is simple to remove, lock down or disable any ports, services or functions that are not needed.
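One way to turn that "one function per server" rule into a routine check is to compare what a host actually listens on against an allowlist for its role. The script below is an added example, not code from the original post: the role-to-port map is a hypothetical policy, and the `ss -tlnp` output it parses is a constructed sample rather than a capture from a real host.

```python
"""Flag listening TCP services that a single-purpose server should not expose.

Added example (not from the original post). It assumes a simple role -> allowed
ports policy and parses the output format of `ss -tlnp`; the sample output below
is constructed for this example.
"""
import re

# Hypothetical per-role allowlist: the listening TCP ports each server role
# legitimately needs. Anything else found on the host is a candidate for removal.
ROLE_ALLOWED_PORTS = {
    "web": {22, 80, 443},
    "db": {22, 5432},
}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=7))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1330,fd=4))
LISTEN  0       50      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1402,fd=20))
"""

# One LISTEN row: local address, port and the first process name in the Process column.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return (bind_address, port, process) tuples for every LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def unexpected_listeners(ss_output, role):
    """Listeners whose port is not in the role's allowlist.

    Loopback-only binds are reported as well: a service nobody needs is still
    code running with a patching and support burden, even if it is not reachable
    from the network.
    """
    allowed = ROLE_ALLOWED_PORTS[role]
    return [entry for entry in parse_listeners(ss_output) if entry[1] not in allowed]


if __name__ == "__main__":
    for addr, port, proc in unexpected_listeners(SAMPLE_SS_OUTPUT, "web"):
        print(f"{proc} listening on {addr}:{port} is not part of the web server role")
```

Run against the constructed sample with the "web" role, the report names the FTP daemon and the local MySQL instance as services to remove or disable; everything else matches the allowlist.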

An obvious one (and often ignored) is the basic requirement of PCI-DSS 2.1, which is to remove default passwords on any servers, services or devices that are installed.  For servers and services this can be quite well managed at times, but it also needs applying to every device on the network.  I'm thinking mainly of routers and switches, often the least well managed part of the networking infrastructure.  If accessed maliciously they can be a fountain of knowledge and a starting point for a basic DoS attack.  In addition, check, remove or change any default SNMP community strings used to manage servers or network devices (especially the read/write strings).
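The SNMP point is easy to check mechanically against exported device configurations. The script below is an added example, not from the original post: it scans Cisco-IOS-style `snmp-server community` lines, the sample configuration is constructed, and the list of default strings is a starting point to extend with whatever your own device vendors ship.

```python
"""Audit exported network device configuration for default SNMP community
strings and for read/write communities that need a second look.

Added example (not from the original post). It understands Cisco-IOS-style
"snmp-server community <string> [RO|RW]" lines; the sample configuration below
is constructed, and DEFAULT_COMMUNITIES is a starting list, not a complete one.
"""
import re

# Well-known factory-default community strings.
DEFAULT_COMMUNITIES = {"public", "private"}

# "snmp-server community <string> [RO|RW] ..."; the access mode is optional and
# defaults to read-only on IOS when omitted.
SNMP_RE = re.compile(r"^\s*snmp-server community (\S+)(?:\s+(RO|RW))?", re.IGNORECASE)

# Constructed sample configuration for an access switch (not from a real device).
SAMPLE_CONFIG = """\
hostname access-sw-01
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-ro RO
snmp-server community n3tm0n-rw RW
line vty 0 4
 transport input ssh
"""


def audit_snmp(config_text):
    """Return (line_number, community, mode, finding) for each community line that needs action."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = SNMP_RE.match(line)
        if not m:
            continue
        community = m.group(1)
        mode = (m.group(2) or "RO").upper()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, community, mode, "default community string: remove or change"))
        elif mode == "RW":
            # A non-default RW string still grants configuration write access over
            # SNMP, so it belongs on the review list even when it passes the default check.
            findings.append((lineno, community, mode, "read/write community: confirm it is required"))
    return findings


if __name__ == "__main__":
    for lineno, community, mode, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {community} ({mode}) - {finding}")
```

On the sample, both `public` and `private` are reported as defaults regardless of mode, and the non-default `n3tm0n-rw` string is reported only because it is read/write; the read-only `n3tm0n-ro` string produces no finding.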

Another area that is often overlooked is the management of service accounts.  Accounts used for things like printer management, backups, application installation and so on often have admin or near-admin capabilities.  As they're used by scripts, services and apps, the passwords are often simple (think the same as the account name) and not set to expire.  It's a lazy and often overlooked part of account management, as the accounts are being used by the sysadmins themselves.  A simple, well documented policy here would close a lot of back door access.
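A documented policy is only useful if someone checks against it, and the two conditions the paragraph names (privileged accounts, passwords that never expire or were never rotated) are straightforward to report on from a directory export. The script below is an added example, not from the original post: the account records are constructed, the field names are what a hypothetical export tool might emit, and the 90-day maximum age is an assumed policy value.

```python
"""Report service accounts that breach a password policy: non-expiring passwords,
stale passwords, and whether the account is privileged.

Added example (not from the original post). The records below are constructed,
the field names are assumptions about an export format, and the 90-day limit is
an assumed policy value.
"""
from datetime import date

# Constructed sample export; pwd_last_set is an ISO date string.
SAMPLE_ACCOUNTS = [
    {"name": "svc_backup", "admin": True,  "never_expires": True,  "pwd_last_set": "2010-03-01"},
    {"name": "svc_print",  "admin": False, "never_expires": True,  "pwd_last_set": "2012-06-15"},
    {"name": "svc_deploy", "admin": True,  "never_expires": False, "pwd_last_set": "2013-01-10"},
    {"name": "j.smith",    "admin": False, "never_expires": False, "pwd_last_set": "2013-02-01"},
]

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value


def password_age_days(account, today):
    """Days since the password was last set, as of `today`."""
    return (today - date.fromisoformat(account["pwd_last_set"])).days


def audit_accounts(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (name, severity, issues) for every account that breaches the policy.

    Severity is "high" when the breaching account is privileged, otherwise
    "medium"; compliant accounts are not reported at all.
    """
    report = []
    for account in accounts:
        issues = []
        if account["never_expires"]:
            issues.append("password set to never expire")
        age = password_age_days(account, today)
        if age > max_age_days:
            issues.append(f"password last set {age} days ago (limit {max_age_days})")
        if issues:
            severity = "high" if account["admin"] else "medium"
            report.append((account["name"], severity, issues))
    return report


if __name__ == "__main__":
    for name, severity, issues in audit_accounts(SAMPLE_ACCOUNTS, date(2013, 3, 1)):
        print(f"[{severity}] {name}: " + "; ".join(issues))
```

Run with 1 March 2013 as the reference date, the backup account comes out as high severity (admin rights, non-expiring password, not changed in three years), the print account as medium, and the two accounts with recently set, expiring passwords are not reported.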

Many organisations now have well developed policies for at least laptops, if maybe not quite for Bring Your Own Device / smartphone style devices.  Laptops often have group policies that prevent social networking or instant messenger products, or the installation of additional software in general.  Local account passwords are often linked to a directory where a complex password policy is in place.

All good stuff, but what happens if the physical device is lost or stolen?  It probably takes 5 minutes to unscrew the back panel of the laptop, take out the disk, put it into an external USB caddy and mount it as a new slave drive.  No Ctrl-Alt-Del password to bypass or network to attach to, just straight into the raw file system.  Unless of course it was encrypted!  Basic (and good) encryption software is readily available for at least partition encryption, and full disk encryption (including the MBR) is now becoming standard too with on-board crypto-processors.

Security in depth is key, and basic disk encryption easily addresses the portable storage problem.

Other basic "no-tech" protection areas should focus on social engineering.  ID badge checking by reception.  Zero tolerance of tailgating and doors left open.  Passwords never written down or shared.

If something or someone looks suspicious, ask, check and prevent the incident from occurring before it becomes damaging.  It may seem like extra effort in the short term, but it will beat any effort involved in a recovery exercise.

(Simon Moffatt)
