An industry mainly filled with good people but too many sharks
It’s becoming more and more common. I see content posted online, I hear people in meetings (hell, I’ve been invited into some ‘opportunities’) and the basic theme seems to be:
- Fill your profile with as many buzzwords as possible
- Try and make your organisation seem legit and have links to the police and security services
- Call out crazy stuff like the lack of HTTPS as “TOTALLY COMPROMISED”
- Ignore science
- Post sales adverts under Security Services and Police posts to leech ‘authority’
- Constantly use statistics to back up their position
- Use social swarming (multiple people from the same company will rally around to defend/attack someone who questions the narrative)
If you see things like this, tread very carefully. I personally consider all of these themes red flags. So this here is me saying: please take care out there, conduct a level of supplier due diligence, don’t just believe everything you see/read, and if it sounds too good to be true or is promising to solve all your cybers in a simple way… be very careful. Cyber security requires a blend of human and technical controls; it’s hard work, and most people get owned by missing something foundational.
Weak Ciphers, Protocols and SSL/TLS Vulnerabilities
Transport security is important, I’m not saying it isn’t. However, we need to understand the context and the potential risks and mitigations. Just screaming that you have a site without TLS or a non-A+ grade on the Qualys SSL Scanner doesn’t mean your security is totally compromised. To start with, let’s look at some of the worst transport layer security vulnerabilities (for those that don’t know, the number after CVE- is the year the identifier was assigned, so some of these are quite old).
- POODLE (CVE-2014-3566)
  - Affects SSLv3 and allows an attacker to eavesdrop; however, they need to be able to perform a successful man-in-the-middle attack. This isn’t so easy to do in practice, and even when we do these in simulated environments there are challenges. Modern web browsers have SSL disabled by default (they use TLS now), so to exploit this you need adjacent network access and a range of other weaknesses to exist.
  - Dan’s verdict: not very likely to be attempted or be successful from a general point of view
- HEARTBLEED (CVE-2014-0160)
  - Heartbleed is a weakness that means an unauthenticated remote criminal can leak data from the target server’s memory (such as passwords, session tokens, data). This vulnerability is likely the most exploited out of all of these. To fix this the server needs to be patched.
  - Dan’s view: patch this one. It requires a targeted attack to be meaningful and most components are no longer vulnerable; however, if this is found, patch it.
- BEAST (CVE-2011-3389)
  - BEAST requires an attacker to have client-side browser control (so they need an implant or browser hook) to exploit. So, if this is the case, you already have something bigger to worry about. The mitigation for this is to use TLS 1.1 or above (which you should be doing anyway).
  - Dan’s view: you should be using TLS 1.2+ anyway. I wouldn’t cry if I found this on a site, but I would remove this vuln.
- BREACH (CVE-2013-3587)
  - BREACH is probably the most complex scenario to exploit; it requires a range of variables to be in place.
- CRIME (CVE-2012-492)
  - This is an exploit that requires information disclosure to occur via a client-side attack. Modern browsers aren’t vulnerable to this.
  - Dan’s view:
The other areas you will generally see are:
- Lack of Strict Transport Security (HSTS)
- Lack of Certificate Pinning (HPKP)
- Weak Ciphers
We need to consider the following:
- The complexity of the attack
- The existing conditions required
- The likelihood of the vector being exploited
- The sensitivity of what we are protecting
I’m not saying you should run sites with weaknesses, but I’m also not going to start shouting TOTALLY COMPROMISED if I find weaknesses on a site. Someone may argue that it shows you have a weak security posture if you can’t harden your transport security config, and in some cases I’ve found correlation with this, but to be honest there’s a ton of other things I would focus on before crying about using SHA1 on a protocol.
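The mitigations above (a TLS 1.2+ floor, no weak ciphers, HSTS set properly) can be checked without a scanner. The following is an added example, not code from the post, that audits a TLS configuration offline with Python’s standard `ssl` module and parses a Strict-Transport-Security header into the findings a scanner would report. The list of weak-suite markers and the one-year HSTS threshold (the value the browser preload list asks for) are this example’s assumptions, as is the hardened cipher string.

```python
"""Offline audit of a TLS configuration and an HSTS header with the standard library.
Added example for this post (not the author's code). The weak-suite markers, the
hardened cipher string and the one-year HSTS threshold are assumptions of this example."""
import ssl

# Substrings of an OpenSSL suite name that mark a suite as weak or obsolete:
# RC4 and (3)DES ciphers, NULL encryption, EXPORT grades, MD5 MACs and
# anonymous (unauthenticated) key exchange. Assumed list for this example.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")

# One year, which is what the HSTS preload list requires; used here as the threshold.
HSTS_MIN_AGE = 31536000


def weak_cipher_names(names):
    """Return the suite names from `names` that carry a weak marker."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def hardened_context():
    """A server-side context with the post's mitigations applied: TLS 1.2 as the
    floor (so the SSLv3/TLS 1.0 issues like POODLE and BEAST do not apply) and
    only AEAD suites with ephemeral key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx):
    """Report the weak suites a context would offer and its protocol floor."""
    suites = ctx.get_ciphers()  # list of dicts, one per enabled suite
    return {
        "weak_suites": weak_cipher_names(s["name"] for s in suites),
        "minimum_version": ctx.minimum_version.name,
    }


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives.
    Returns None when the header is absent or max-age is missing or malformed,
    which is what a browser treats as 'no policy'."""
    if header is None:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # directive values may be quoted
        if name == "max-age":
            if not value.isdigit():
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def hsts_findings(header):
    """Turn an HSTS header (or its absence) into scanner-style findings."""
    parsed = parse_hsts(header)
    if parsed is None:
        return ["HSTS header missing or malformed"]
    findings = []
    if parsed["max_age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif parsed["max_age"] < HSTS_MIN_AGE:
        findings.append(f"max-age {parsed['max_age']} is below one year")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings


if __name__ == "__main__":
    # Constructed scanner-style input: a mixed cipher list and a short HSTS policy.
    print(weak_cipher_names(["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"]))
    print(audit_context(hardened_context()))
    print(hsts_findings("max-age=300"))
```

Each finding maps back to the post’s questions: a weak suite or a low protocol floor only matters if the preconditions (a man-in-the-middle position, a browser hook) are plausible for the asset in question, so the output is input to a risk decision, not a verdict of "compromised".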
Practical Attack Vectors and Realistic Threats
Who here knows how a lot of major breaches occur? I’m talking ransomware here (if you look at the medical sector there’s a lot of sensitive information breaches from human error like sending results to the wrong people, so as always it depends what you are protecting).
Most major incidents I see come down to:
- Exposing high privileged assets to the internet (e.g. via RDP, VNC etc.)
- Not patching Internet facing systems (look at all the security appliance RCE vulns!)
- Not having foundational controls such as account lockouts, password audits, monitoring
- Leaving backups on domain joined networks
- Having weak credentials
- Giving out high privileges all over the place
- Weak services accounts
- Poor endpoint detection and response
- A lack of incident response planning
- A lack of MFA
- Wireless pwnage using bettercap and aircrack-ng because you use WPA2 with a weak AF passphrase rather than WPA2-Enterprise
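Several of the causes in that list (exposed RDP, no account lockout, weak credentials, no monitoring) show up in the same place: the authentication log of the internet-facing host. The following is an added example, not code from the post, showing the detection logic a monitoring control would run over those logs. The log format, the sample lines and the thresholds (five failures or three distinct accounts from one source inside five minutes) are constructed for this example.

```python
"""Detect the brute-force and password-spray patterns that account lockout and
monitoring are meant to catch, run over constructed authentication log lines.
Added example for this post; the log format, sample data and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not from a real system): one line per logon attempt
# against an internet-exposed RDP gateway. Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z rdp-gw logon src=203.0.113.5 user=administrator result=FAIL
2024-03-01T09:00:03Z rdp-gw logon src=203.0.113.5 user=administrator result=FAIL
2024-03-01T09:00:04Z rdp-gw logon src=203.0.113.5 user=administrator result=FAIL
2024-03-01T09:00:06Z rdp-gw logon src=203.0.113.5 user=administrator result=FAIL
2024-03-01T09:00:08Z rdp-gw logon src=203.0.113.5 user=administrator result=FAIL
2024-03-01T09:00:09Z rdp-gw logon src=203.0.113.5 user=administrator result=SUCCESS
2024-03-01T09:01:00Z rdp-gw logon src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:01:02Z rdp-gw logon src=198.51.100.7 user=bob result=FAIL
2024-03-01T09:01:05Z rdp-gw logon src=198.51.100.7 user=carol result=FAIL
2024-03-01T09:01:07Z rdp-gw logon src=198.51.100.7 user=dave result=FAIL
2024-03-01T09:05:00Z rdp-gw logon src=192.0.2.9 user=erin result=FAIL
2024-03-01T09:20:00Z rdp-gw logon src=192.0.2.9 user=erin result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ logon src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

FAIL_THRESHOLD = 5    # failures from one source in the window (a typical lockout threshold)
SPRAY_THRESHOLD = 3   # distinct accounts tried from one source in the window
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text):
    """Return alerts, one per (source, pattern), in the order they would fire."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fired = set()
        recent_fail = []  # failures from this source inside WINDOW of the current event

        def fire(kind, e):
            if kind not in fired:
                fired.add(kind)
                alerts.append({"kind": kind, "src": src, "user": e["user"], "ts": e["ts"]})

        for e in evs:
            recent_fail = [f for f in recent_fail if e["ts"] - f["ts"] < WINDOW]
            if e["result"] == "FAIL":
                recent_fail.append(e)
                if len(recent_fail) >= FAIL_THRESHOLD:
                    fire("brute_force", e)
                if len({f["user"] for f in recent_fail}) >= SPRAY_THRESHOLD:
                    fire("password_spray", e)
            elif e["result"] == "SUCCESS":
                # A success right after a burst of failures on the same account is the
                # outcome a lockout policy exists to prevent; treat it as a possible compromise.
                prior = [f for f in recent_fail if f["user"] == e["user"]]
                if len(prior) >= FAIL_THRESHOLD:
                    fire("success_after_failures", e)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["kind"], a["src"], a["user"])
```

In the constructed data the first source reaches the lockout threshold and then logs in, which is exactly the sequence a lockout policy would have stopped at attempt five and a monitored log would have raised; the second source never trips the per-account threshold but is spraying four accounts, which is why the distinct-account check is there; the third source is ordinary user error and stays quiet.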
What I don’t see at all or often:
- Pineapples being used to successfully conduct cyber attacks (There have been a few cases, but this is at time of writing an edge case)
- TLS vulnerabilities being exploited to a point that a foothold is established on a target network
- Total compromise of companies because they had a marketing site (hosted in AWS) pwn3d (it happens, but shells on websites are mainly dreams when we test them)
I’m not saying you shouldn’t have great transport security, but I’m also not going to tell you that just because you haven’t got grade A+ from a Qualys SSL scan you are totally pwn3d or likely to be. It would be far better for me to talk to you about major ransomware incidents and the Tools, Techniques and Practices used by cybercrime gangs to wreak havoc on organisations, so you can protect against the areas that will really cause your day/week/month to be bad! Remember, Cyber Security can’t be solved with a flashy box or a tool-generated scan, but if we understand our systems, the business and our risk profile we can move to a more secure, brighter future where even if you do have an incident, your team is trained and ready to respond!