[BreachExchange] Top 5 Configuration Mistakes That Create Field Days for Hackers

Destry Winant destry at riskbasedsecurity.com
Wed May 15 10:05:56 EDT 2019


https://threatpost.com/top-5-configuration-mistakes-hackers/144457/

Having appropriate security configurations requires your applications,
servers and databases to be hardened in accordance with best
practices.

Sometimes it’s the little things that lead to big consequences. When
it comes to cybersecurity, hacks more often than not stem from minor
missteps – or even completely preventable, obvious mistakes.

Common security mistakes and overlooked misconfigurations can open the
door for attackers to drop malware or exfiltrate data – or even
sabotage operations. Avoid the following top five configuration gaffes
to reduce the threat exposure to your organization.

Default Credentials

It almost seems too obvious to include here, but leaving default
usernames and passwords unchanged on databases, software installations
and devices is, by far, one of the most common and easiest mistakes to
make. It’s also easy for a hacker to exploit: leaving default
credentials on network devices such as firewalls and routers, or even on
operating systems, lets adversaries use freely available
credential-checking scanners to walk right into the network.

More capable attackers script the process: brute-force tools cycle
through username and password combinations until one works, and they
usually start with vendor default accounts and trivial passwords such
as “qwerty” or “12345.” Account lockout and rate limiting slow this
down, but the real fix is to change or disable every default account
before a system goes live.

Attackers are getting savvier too. Early last month (April 2019),
researchers uncovered a Python-based scanner, Xwo, that sweeps the
internet for exposed services and default credentials. After collecting
default MySQL, MongoDB, PostgreSQL and Tomcat credentials, the scanner
forwards the results to a command-and-control server.

Bottom line: Even a 12-year-old with some internet access at home
could carry out a major breach, just by using one of these freely
available tools on the internet to check for default credentials.
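As an added example, not code from the Threatpost article, here is a small Python audit of a Tomcat tomcat-users.xml that flags default, empty and weak passwords and lists accounts holding Manager/Host Manager roles first. Both XML samples and the list of default username/password pairs are constructed for illustration; extend the list from your own inventory of vendor defaults.

```python
import xml.etree.ElementTree as ET

# Illustrative username/password pairs seen in Tomcat sample configs and
# tutorials (assumption: replace with your own inventory of vendor defaults).
DEFAULT_PAIRS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", "tomcat"), ("role1", "tomcat"), ("both", "tomcat"),
    ("manager", "manager"),
}
COMMON_WEAK = {"password", "qwerty", "12345", "123456", "admin", "changeme"}
# Roles that grant deploy/administer rights on the Manager and Host Manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed sample of an unhardened tomcat-users.xml (not a real deployment).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="admin" password="" roles="manager-script"/>
  <user username="deploy" password="Lq7!x9#Pz2vB" roles="manager-script"/>
</tomcat-users>
"""

# Constructed hardened counterpart: one purpose-built account, one role, a long
# random password (in production, configure the Realm to store digested passwords).
HARDENED_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="ci-deploy" password="v8Qm!2zT#rL9pW4xH1nK" roles="manager-script"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace from a tag: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return findings for users with default, empty or weak passwords.

    Each finding: {"username", "issue", "privileged", "roles"}; privileged
    accounts are listed first so the most dangerous findings lead the report.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        user = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        issue = None
        if (user, pw) in DEFAULT_PAIRS:
            issue = "default credential"
        elif pw == "":
            issue = "empty password"
        elif pw.lower() in COMMON_WEAK or len(pw) < 12:
            issue = "weak password"
        if issue:
            findings.append({"username": user, "issue": issue,
                             "privileged": bool(roles & PRIVILEGED_ROLES),
                             "roles": sorted(roles)})
    findings.sort(key=lambda f: (not f["privileged"], f["username"]))
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        flag = "PRIVILEGED " if f["privileged"] else ""
        print(f"{flag}{f['username']}: {f['issue']} (roles: {', '.join(f['roles'])})")
    print("hardened file findings:", audit_tomcat_users(HARDENED_TOMCAT_USERS))
```

Run it against the unhardened sample and it reports the admin account with an empty password and the tomcat/tomcat default, both holding Manager roles; the hardened file produces no findings. The same pattern (parse the credential store, compare against a defaults list, rank by privilege) carries over to any product whose accounts live in a config file.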

Password Reuse

Having strong and complex passwords isn’t the only action that needs
to be taken when securing your environment. Oftentimes, I see
environments that leverage the same user account and password across
every device in a fleet of endpoints. Sure, to an IT administrator
this may be convenient, but it’s not necessary, and can grant an
attacker the ability to pivot across every machine from just a single
compromise of one of those computers.

From there, attackers use credential-dumping tools to recover the
passwords, or the hashes themselves, which are enough for
pass-the-hash, and then it’s open season. Give every host its own local
administrator password (Microsoft’s LAPS automates this for Windows
fleets), avoid password reuse at all costs and disable any accounts that
are not required.

Exposed Remote Desktop Services and Default Ports

Any internet-facing device should have layers of protection against
simple methods of gaining access, such as a brute-force attack. Remote
Desktop Protocol (RDP), a proprietary protocol developed by Microsoft,
gives administrators an interface to control computers remotely. It
listens on TCP port 3389 by default, and a host exposing that port to
the internet is trivial to find with a port scan. Increasingly,
cybercriminals target RDP wherever it is exposed and not configured
properly.

While this attack vector has been popular for years, the FBI and the
Department of Homeland Security issued a public-service announcement
last fall encouraging businesses and private citizens to review and
understand what type of access their networks allow, in order to
minimize the chance of a compromise. In particular, the FBI warned that
ransomware families such as CrySiS and SamSam were increasingly
targeting U.S. businesses through open RDP ports, using both
brute-force and dictionary attacks. A dictionary attack defeats an
authentication mechanism by trying a list of likely passwords, from
every word in a dictionary to leaked real-world passwords, which can
run to millions of candidates.

Administrators should combine strong, complex passwords with firewalls
and access control lists to reduce the likelihood of a compromise. In
practice that means not exposing port 3389 to the internet at all:
reach RDP through a VPN or a gateway, restrict the source addresses
allowed to connect, require Network Level Authentication and
multi-factor authentication, and set an account lockout policy so that
a dictionary run stalls after a handful of guesses.

Delayed Software Patching

This, like leaving default credentials on a server or system, may seem
like another no-brainer: keeping operating systems and applications up
to date and patched can be highly effective at preventing a breach.

There are numerous exploits and vulnerabilities found daily, and while
it can be difficult to keep up, it can be game over if administrators
aren’t properly maintaining their patch levels.

Ironically, in the breaches I’ve worked on where the attacker’s gotten
in via a vulnerability, a majority of them have been bugs that are
ridiculously old. There’s hype around detecting and preventing zero
days, but the most common vulnerabilities that are exploited can be
classified as digital fossils. It shouldn’t come as a surprise:
attackers will continue exploiting old bugs as long as they’re
effective.

Logging Turned Off

Disabled logging doesn’t necessarily allow an attacker to get into a
system, but it does allow them to act like a ghost while they’re in
there. Once in, hackers can move laterally through a network in search
of data or assets to exfiltrate. Without logging, they can do all this
while leaving zero tracks behind.

This creates a true needle-in-a-haystack scenario for incident
responders and forensic analysts, and makes their job that much harder
when trying to reconstruct what may have happened during an incident
or intrusion.

Enable logging and send it to a centralized location, such as a
security information and event management (SIEM) platform. Forwarding
logs off the host matters in its own right: an attacker with
administrative access can clear local event logs, but cannot take back
what has already been shipped. That data provides the breadcrumbs
forensic analysts need during an incident response investigation to
reconstruct the attack and scope the intrusion, and it is the raw
material for detection: an alert can only fire on an event that was
logged and collected.
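An added example that ties the RDP section and the logging section together (not code from the article): a detector over constructed Windows Security events (4625 failed logon, 4624 successful logon, LogonType 10 for RDP) that raises an alert when one source address exceeds a failure threshold inside a time window, reporting the usernames tried, and a second, higher-priority alert when a success follows such a burst. The event records, addresses and the low threshold are constructed for the demo; none of it can fire unless logon auditing is enabled and the events reach the system running the detection.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(time, event_id, logon_type, user, src_ip):
    """Build one simplified Security event record (constructed, not a real log)."""
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}


# Constructed sample: a dictionary run from 203.0.113.45 that finally lands on
# "backup", one honest typo from 198.51.100.7, and normal logons from 10.0.0.0/8.
# LogonType 10 = RemoteInteractive (RDP). With Network Level Authentication on,
# failed RDP logons are commonly recorded as LogonType 3, so both are examined.
SAMPLE_EVENTS = [
    ev("2019-05-14T02:10:05", 4625, 10, "administrator", "203.0.113.45"),
    ev("2019-05-14T02:10:21", 4625, 10, "admin", "203.0.113.45"),
    ev("2019-05-14T02:10:30", 4625, 10, "jsmith", "198.51.100.7"),
    ev("2019-05-14T02:10:38", 4625, 10, "administrator", "203.0.113.45"),
    ev("2019-05-14T02:10:52", 4625, 10, "root", "203.0.113.45"),
    ev("2019-05-14T02:10:55", 4624, 10, "jsmith", "198.51.100.7"),
    ev("2019-05-14T02:11:00", 4624, 10, "alice", "10.0.0.5"),
    ev("2019-05-14T02:11:10", 4625, 10, "admin", "203.0.113.45"),
    ev("2019-05-14T02:11:15", 4624, 3, "SRV01$", "10.0.0.9"),
    ev("2019-05-14T02:11:27", 4625, 10, "backup", "203.0.113.45"),
    ev("2019-05-14T02:11:44", 4625, 10, "test", "203.0.113.45"),
    ev("2019-05-14T02:12:01", 4625, 10, "backup", "203.0.113.45"),
    ev("2019-05-14T02:12:30", 4624, 10, "backup", "203.0.113.45"),
]


def detect_rdp_attacks(events, threshold=5, window=timedelta(minutes=10),
                       logon_types=(10, 3)):
    """Return alerts in time order.

    brute_force: a source IP reached `threshold` failed logons inside `window`
    (raised once per IP). success_after_failures: a 4624 from a source whose
    recent failures are still at or above the threshold, i.e. the guess worked.
    """
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, username) failures
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] not in logon_types:
            continue
        ts = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        q = recent[ip]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if e["event_id"] == 4625:
            q.append((ts, e["user"].lower()))
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "brute_force", "src_ip": ip, "at": e["time"],
                               "failures": len(q),
                               "users": sorted({u for _, u in q})})
        elif e["event_id"] == 4624 and len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "src_ip": ip,
                           "at": e["time"], "user": e["user"], "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_attacks(SAMPLE_EVENTS):
        print(a)
```

The threshold of five is for the demo; in production it is tuned per environment, and the success-after-failures alert is the one to page on, since it means the guessing worked. The detector is only as good as its inputs: if logon auditing is off, or the attacker clears the local log before it is forwarded, the deque stays empty and nothing fires.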

Having appropriate security configurations requires your applications,
servers and databases to be hardened in accordance with best
practices. Leaving these devices or platforms in a default or
vulnerable state only makes the job of an attacker that much easier.

Hackers look for low-hanging fruit. It may not happen right away, but
they’ll discover these misconfigurations at some point, gain
unauthorized access – and depending on their intent – steal sensitive
data or cause damage. Avoid becoming an easy target and follow these
precautionary steps to protect yourself and your data.

