FEATURE: CYBERSECURITY
www.intelligentcio.com

Tim Bandos, Vice President of Cybersecurity at Digital Guardian

Exposed remote desktop services and default ports

Any externally facing device that's connected to the Internet should have layers upon layers of protection to combat attempts to gain access, like a brute force attack. Services like Remote Desktop Protocol, or RDP, a proprietary protocol developed by Microsoft, can provide administrators with an interface to control computers remotely. Increasingly, cybercriminals have taken to leveraging this exposed protocol when it's not configured properly.

Administrators should leverage a combination of strong or complex passwords, firewalls and access control lists in order to reduce the likelihood of a compromise.

A few months ago, researchers uncovered a Python-based web scanner, Xwo, that can easily scan the web for exposed web services and default passwords. After collecting default MySQL, MongoDB, PostgreSQL and Tomcat credentials, the scanner forwards the results back to a command and control server.

Leaving default credentials on any device is akin to leaving your keys in a locked door. Even a 12-year-old with some Internet access at home could majorly breach a corporation just by using one of these freely available tools on the Internet to check for default credentials.

Delayed software patching

This, like leaving default credentials on a server or system, may seem like another potential no-brainer. However, it's worth pointing out that keeping operating systems up to date and patched appropriately can prove significantly effective at preventing a breach. While there are numerous exploits and vulnerabilities found daily – and yes, it can be difficult to keep up – if administrators aren't properly maintaining their patch levels, then it's game over.

Ironically, of the breaches I've worked on where the attacker has gotten in via a vulnerability, a majority of them have involved a vulnerability that was ridiculously old. It shouldn't come as a surprise – attackers will continue exploiting old bugs as long as they're effective.

There's hype around detecting and preventing zero days, but the most commonly exploited vulnerabilities can be classified as fossils.

Password reuse

Having strong and complex passwords isn't the only action that needs to be taken when securing your environment. Often, I see environments that leverage the same user account and password across every device in a fleet of endpoints. Sure, to an IT administrator this may be convenient, but it's not necessary and can grant an attacker the ability to pivot across every machine, even if only one of those computers has been breached.

From there, attackers can leverage credential dumping programs to get their hands on the passwords or even the hashes themselves, and then it's open season. Avoid password reuse at all costs and disable any accounts that are not required.

Logging turned off

Disabled logging doesn't necessarily allow an attacker to get into a system, but it does allow them to act like a ghost while they're in there. Once in, hackers can move laterally through a network in search of data or assets to exfiltrate. Without logging, they can do all this while leaving zero tracks behind.

This creates a true 'needle in a haystack' scenario for incident responders and forensic analysts and makes their job that much harder when trying to reconstruct what may have happened during an incident or intrusion.

Enabling logging and having it sent to a centralised location, like a security information and event management (SIEM) platform, is highly recommended. That data will provide the breadcrumbs needed by forensic analysts during an incident response investigation to reconstruct the attack and scope the intrusion. Additionally, it can prove highly useful when responding to threats that have triggered an alert from an event in the collected logs.

Having appropriate security configurations requires your applications, servers and databases to be hardened in accordance with best practices. Leaving these devices or platforms in a default state only makes the job of an attacker that much easier. It may not happen right away, but they'll discover these misconfigurations at some point, gain unauthorised access – and depending on their intent – steal sensitive data or cause damage.

Avoid becoming an easy target and follow these precautionary steps to protect yourself and your data.
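Two of the article's points, brute force against exposed RDP and shipping logs to a central SIEM, meet in a simple detection. The code below is an added example, not from the article or Digital Guardian; it assumes failed Windows logons (Security Event ID 4625, LogonType 10 for RDP) exported as JSON lines with the event's own field names, and the sample records, hosts, users and addresses are constructed. It also flags a source trying many different usernames (password spraying), which goes slightly beyond the brute-force case the text describes.

```python
"""Flag RDP brute-force and password-spray patterns in centrally collected
Windows failed-logon events (Security Event ID 4625, LogonType 10 = RDP).
Constructed example: the records imitate 4625 entries exported as JSON lines."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

def failed_rdp_logon(ts, ip, user):
    """Build one constructed 4625 record using the real 4625 field names."""
    return json.dumps({"EventID": 4625, "TimeCreated": ts, "IpAddress": ip,
                       "TargetUserName": user, "LogonType": 10})

# Constructed sample: one external source trying six accounts in six seconds,
# one internal user who mistyped a password twice (hosts, users, IPs made up).
SAMPLE_LOG = "\n".join(
    [failed_rdp_logon(f"2019-06-01T02:00:{s:02d}", "203.0.113.7", u)
     for s, u in enumerate(["administrator", "admin", "backup",
                            "svc_sql", "jsmith", "guest"])]
    + [failed_rdp_logon("2019-06-01T02:00:10", "10.0.0.12", "jsmith"),
       failed_rdp_logon("2019-06-01T02:00:25", "10.0.0.12", "jsmith")])

def detect_rdp_bruteforce(log_lines, window=timedelta(minutes=5),
                          max_failures=5, max_accounts=3):
    """Return {source_ip: {"failures": n, "accounts": [...]}} for each source
    whose failed RDP logons inside one sliding window reach max_failures, or
    that tried max_accounts distinct usernames (password spraying)."""
    per_source = defaultdict(list)
    for line in filter(None, log_lines.splitlines()):
        ev = json.loads(line)
        if ev.get("EventID") != 4625 or ev.get("LogonType") != 10:
            continue                      # not a failed RemoteInteractive logon
        per_source[ev["IpAddress"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"]))
    alerts = {}
    for ip, attempts in per_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                # drop attempts older than the window
            in_window = attempts[start:end + 1]
            accounts = sorted({user for _, user in in_window})
            if len(in_window) >= max_failures or len(accounts) >= max_accounts:
                if len(in_window) >= alerts.get(ip, {}).get("failures", 0):
                    alerts[ip] = {"failures": len(in_window), "accounts": accounts}
    return alerts

if __name__ == "__main__":
    print(json.dumps(detect_rdp_bruteforce(SAMPLE_LOG), indent=2))
```

Only the external source is reported; the two genuine mistypes from 10.0.0.12 stay below both thresholds, and attempts spaced further apart than the window never accumulate.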
INTELLIGENTCIO 53