No matter how much you think you’ve done to protect your data and systems, common vulnerabilities continue to wreak havoc on enterprises. Cyberattacks are already increasing due to global events, meaning it’s more important than ever to identify and secure vulnerabilities.
The following are some vulnerability trends the TEAMARES team is seeing – and what you can do to protect your organization.
Problems with Patch manager and Secure Coding Practices
Externally facing assets, which should be considered one of the highest risk assets, tend to have a problem with Patch manager and secure coding. Custom applications are being developed without sanitization, which leads to some of the more severe vulnerabilities that allow us to access systems and your internal network. From an external perspective, Patch management following secure coding is important as most vulnerabilities stem from those.
Weak passwords
Weak passwords continue to be an issue. We often find that the fastest way to domain admin isn’t some novel zero-day exploit that leads to some very critical finding across the world. It’s literally guessing a password, logging as that domain admin, and then us gaining a foothold and control over the entire infrastructure. A few recent examples include our team finding passwords that were four characters long belonging to domain admins. We’ve also found eight-character passwords that are service accounts that haven’t been changed in over five years, which can lead to some severe consequences to a corporation.
The best way to tackle weak passwords is to rotate passwords, make them complex and leverage multifactor authentication. Make it difficult for the average script kiddy or novice hackers to gain access to your network or gain control of your network. You can easily accomplish this by ensuring password complexity. In addition, placing critical accounts such as domain admins in Active Directory groups that are protected could prevent those passwords from being stored in Windows memory, elevating the skills needed to capture those credentials.
Orphaned machines
Orphaned machines are causing organizations numerous headaches. These are machines that have fallen out of date and/or out of asset management systems, that are still on the network and may contain sensitive passwords or source code. We often find that these machines are still vulnerable to EternalBlue or even older vulnerabilities. TEAMARES has found that they can exploit these and gain domain admin since the password was left behind as an artifact on the machine, which poses a severe risk for an enterprise.
We strongly encourage companies to scan their networks, not just for the machines in your asset inventory, but also for machines that could potentially be within that subdomain or that netblock.
Lack of security monitoring or detection
We’re also finding a lack of security monitoring or detection as companies aren’t installing or utilizing their security tools appropriately, making them easy to bypass.
If you have defensive technologies in place, it’s imperative that your security team is trained to use those tools. Our team frequently finds tools in place but they’re not being monitored. The result is that alerts are going undetected. Employees need to be empowered to follow up on these alerts to stop attackers and dwell time.
When we conduct pen testing for clients, we want to highlight in our reports the positives, what we were being detected doing. However, we often find that we’re not detected doing some of the most common and basic exploits or techniques that are known to the field, like using Responder to poison requests or password spreading across whole subnets. Techniques like these should be caught quickly, alerted on and followed up on by your security defensive teams.
Given some of the low-hanging fruit or common issues, our goal is to educate the market about common issues. We can work together to patch, fix and close issues, making it more complex for attackers to hack your network, own your subdomain and impact your users and customers.
Check back each month for the latest vulnerabilities being seen by our team as a guide to help protect your systems.
by Quentin Rhoads-Herrera | Director of Professional Services, CyberOne
January 15, 2020