A Basic Security Question.

[thatch]

Supposing I know a someone who has the following setup, what would the threats to his network be?

A W2K3 network, with WinXP and W2K clients (using IE6). The software update service has been disabled because the manager believes the patches are to difficult to manage, but all servers and clients have the latest service packs and up to date AV software with regular signatures installed. The PC’s are semi tied down by group policies but there is no policy regarding USB mass storage devices. External email is filtered through an external company for spam and viruses, and all web traffic is directed through a proxy server and then a firewall. Internally there are IIS servers, SQL Servers, Exchange Servers

All switches, routers and firewalls have no additional patches and there is a secure gateway serving applications via citrix secure gateway.

As I’ve said, I would appreciate it if anyone could post any suggestions of the threats to this network both internally and externally, I have a few idea’s but I know the guys that use this site will know a whole lot more.

Many Thanks

T.

[ChronoSec]

The most insecure part of any network tends to be the users. It's hard to say what vulnerabilities are there without a more specific listing of policies used. Depending on the need of flexibility on the user's machines, you may want to disable their ability to load any kind of executable.

Are you saying the manager does not want patches applied? That will be an issue as future vulnerabilities are revealed both for software and hardware.

The IIS and SQL servers need to be evaluated very carefully to avoid potential "common" holes. I assume there is a web app running on this server? If there is, the application is a potential security risk through SQL injection and the like. You may also want to consider isolating them from the rest of the network by placing them in a DMZ. If there is no web app, I'd suggest shutting the services down. No sense in opening any doors that aren't being used.

It looks like you want to strongly consider an anti-virus that runs on all client machines. Viruses don't always come from emails so there needs to be a more comprehensive anti-virus solution installed.

These are just basic ideas. Hard to get more specific without more specific on actual installed hardware and software. Hope this helps!

[576869746568617]

Well, just off the top of my head, the most glaring security flaw I can see is the admin's decision to allow users to attach USB mass storage devices. One could easily use a USB pen drive to steal sensitive information, or to install an exploit or trojan. There is at least one instance where a security auditor used these devices to sucessfully compromise an otherwise well protected network.

The other one that really stands out to me is that the admin has chosen to disable SUS. If the admin has opted to allow each client to access updates from the vendor directly and autonomously, then it may not be that big of a concern. But if they are patching manually, then this could leave the network especially vulnerable to zero day exploits, and newly released ones that they haven't patched yet. Depending on how vigilant the admins are, this could be an issue worth noting.

It was unclear to me about what you were saying about the firewalls and routers. Do you mean that they have only the firmware/OS that came installed from the factory with no patches or updates? If so, there is another potential vulnerability/avenue of entry for a malicious user to exploit.

Cheers

[brokencrow]

...there is no policy regarding USB mass storage devices.

Anything can walk out of that office via USB. If it can be copied, it's gone.

As for software updates, there is none of the morass you had five or six years ago from MS. I still see some problems on proprietary software updates, but they're usually dealt with rather quickly. Your manager's livin' in the past, he's not saving a dime by foregoing updates.

[thatch]

Thanks for the replies guys. to clarify the issue somewhat:

security has never been a big issue and i want that to change. all PC'S and Servers get a SP and thats it. no patches for anything. Hardware (Routers Switches Firewalls etc...) get the IOS and thats it - no patches.

Now, the manager is living in a world where all employees are good and only the bad people are on the outside so he's got himself a firewall, and a few generic group policies. however, he gives away admin rights like they are going out of fasion because it makes his life easy. nothings monitored, no ones given any responsibilties to make sucurity an issue and theres no funding. i want this to change, i have a real interest in security, i am hoping to get funding for training, and i would like to build an awareness policy and set some policies. i'm funding my own CEH course later this year and if i can make them see sense before then i may get some assistance with that funding.

i have suggested using VMWare to replicate a few key Server builds and and PC builds and applying patches there before the live environment but he said that as long as we keep upto date on SP's then thats enough, however, anyone using this site is well aware that its not.

i appreciate all comments and suggestions.

[tiolpxe]

First of all with regards to updates. SUS (software update services) is becoming obselete and has been replaced with WSUS (Windows Server Update Services) you can create various groups e.g. Clients, Servers, Laptops, Test. Then you can approve updates automatically to deploy to machines in the test group. After x ammount of time providing all goes well you can say okay them updates are fine so i no longer want them installed on just the test group instead put them on everyones machine. This aids in illiminating the problem of updates screwing systems up. This capability was not present in SUS.

I wouldn't recommend testing updates etc via vmware as this is a simulated environment and not a real life test. For example if you have 50client machines that are identical in terms of software etc but 3 of them in a test group and try the updates for a couple of days see if any problems are reported etc.

Also There are tons of tools you can get for free that are great for monitoring servers such as tcpview, processexplorer from sysinternals and many many more. So money isn't always an excuse for a businesses.

You can get a vulnerability scanner called nessus which is great. The free version is limited to not being able to download the latest scans until they have been released for five days, however its better than nothing.

A typical problem with SQL is administrator keep the "sa" login password to the default. Make sure this is changed if this is the case.

The main part of securing a network is defining the line between making it avialable and useable than having something that makes necessary day to day functions a nightmare. Ensure you have strict password policies containing at least a length of seven containing letters, numbers, capitals and punctuation.

If you have remote users e.g. laptop users most companies will have have remote access e.g. vnc. Make sure either this is restricted via the firewall to specific ip addresses. Or consider setting up a vpn again this can be done cheaply by using tools such as OpenVPN. Just to clarify
incase you are unsure what a vpn is, it creates an encrypted tunnel between two destinations typically via the ethernet. As apposed to sending passwords and information across the internet in plaintext which anyone could sniff along the way.

Also ensure all confidential data is encrypted. Windows offers encryption or there are open source tools such as truecrypt which is great. Also you can configure auditing to see who is viewing what etc. Set security permissions on folders to ensure no users can access files that they need not have access too. Do not give users local administration on a particular machine, even tho most users may not do anything in most organisations there is normally a couple who are computer savvy. They will try to snoop about, install tools, portscanners and not to mention filesharing apps.

I would also reocmmend not expecting to learn too much from your I.T manager as he seems to be living in the stone ages and has a very lazy approach to administration. Most I.T employees only truly earn there money when the crap hits the fan. And not implemening good security you are inviting that crap to go flying sooner than he thinks.

Depending on your companies finances i strongly recommend learning the skills or paying someone to perform a thorough penetration test as you will be suprised as to some of the techniques to gain access to a system. ESPECIALLY social engineering. Most employees can be fooled into giving out information. Remember to log onto a system there is generally three pieces of information you require.

A) Username
B) Password
C) Domain

A & C can be guessed easily and without good passwords so can B)

There are so many things you can implement its getting the right balance. If you think of security as a house. You can close windows, lock doors, enable alarms, add lasers, cameras. It's getting the balance that suits your type of organisation.

Remember if a user has local administration all they need to do is install a keylogger, log a support call, get you to logon as a network administrator to try and fix a pretend problem and bingo they have your password.

Anyways thats enough waffling from me. If you have anymore specific questions i'll be glad to help.

[brokencrow]

...I worked a few Dell rollouts last year, one of which was for a major financial house. We'd typically go into their offices and reimage 80-100 computers in a night (sometimes less in the smaller offices). Techs were expressly forbidden to bring USB devices (thumbdrives, ipods, etc.) onsite, and would be terminated on the spot for doing so.

[ChronoSec]

It's a bit of an extreme measure, but you may want to "crack" into the network, get some sensitive data and report it back to the IT manager's boss. It seems the IT manager is being irresponsible which can cost the company. The boss's boss might be more interested in funding and applying security if he understood the risk.

[576869746568617]

Only problem that I see with that is it has 3 possible outcomes:

1.) Manager is appauled at lack of security and starts implementing safeguards with thatch's help.

2.) Thatch gets fired

3.) Thatch gets fired and arrested (hacking without permission is not penetration testing...it's a crime.)

As thatch is currently persuing CEH certification, doing this would be against the code of ethics that he's agreeing to abide by.

I would say that this is a bad idea, but if you can persuade some senior management to let you perform an audit, then that would be sweet.

Cheers

[ric-o]

Originally posted here by thatch
[B]security has never been a big issue and i want that to change.

Tie the security issues to the business in some way or speak to regulations that your company may be required to adhere to. These two ways are usually the most effective at getting the business' attention which translates into $$ for your security projects. And dont speak techie to the business folks - talk business.

Now, the manager is living in a world where all employees are good and only the bad people are on the outside so he's got himself a firewall, and a few generic group policies. however, he gives away admin rights like they are going out of fasion because it makes his life easy. nothings monitored, no ones given any responsibilties to make sucurity an issue and theres no funding.

Speak about accountability to management. Also what about availability and confidentiality? If someone with admin rights who really doesnt need them screws up an important server and it is unavailable...wont he care? Think up scenarios and brief him on these.

Use analogies such as they wouldnt talk about sales prospects to the company secretary would they? than why would she need access to certain data on the network.

i have suggested using VMWare to replicate a few key Server builds and and PC builds and applying patches there before the live environment but he said that as long as we keep upto date on SP's then thats enough, however, anyone using this site is well aware that its not.

Get approval to show that manager how vulnerable your company and download Metasploit Project software and aim it at a server. Show him what insiders AND outsiders can do. Show him stats about insider threats and such. Do tons of research and then brief him on it.

It sounds like he'll be a tough sell so try to figure out what his 'hot buttons' are and try to tie those to security risks. Know what he might see as a problem and speak to that.

You may have already done some of what I suggest but if not try it out. Hope this helps ya.