Make sure you secure your whole infrastructure
May 17th, 2008 by Micheal
I was recently hired to do a penetration test on a company’s website. While I can’t really give specifics on the penetration test or the company for obvious reasons, there is something I’ve noticed time and time again.
Any good auditor knows that it is human nature to think that if it isn’t important to you, it isn’t important to an attacker. Dead wrong.
One man’s trash is another man’s treasure.
While in this particular case it wasn’t the company’s fault, but rather the fault of a company they outsourced to, the fact remains that neglecting components of your network that you may think are less important makes it more likely that your enemy will find them. The bad guys go for the low-hanging fruit, the easiest targets. A misconfiguration or lack of updates on a “non-critical” component of your network is all it will take for a pen tester such as myself to get into that device and from there to the rest of your network. You hope that I find them before the bad guys do. And just because something is seemingly insignificant doesn’t mean an attacker won’t use it to attack you. Your own network attacking itself. Has a nice ring to it, doesn’t it? Let’s hope for your sake it doesn’t.
Another problem is that unfortunately many people are under the false assumption that an attacker won’t want to compromise their servers and their networks. “There’s nothing here for them” is something I hear time and time again. Just because you don’t think you have any critical information doesn’t mean you don’t, nor does it mean that an attacker won’t want to compromise your network. People need to get out of the mindset of thinking that there’s nothing there for an attacker. There is always something there for an attacker. Whether it is recording VoIP phone calls or using your network to leapfrog to another network and make you look like the attacker, there is always a reason for an attacker to want to compromise your network.
I mentioned misconfigurations above. Something we all see is “patch patch patch”, which is exactly what you need to be doing. Software will always have bugs. Software will always have security holes. But one thing I do not see as often is making sure you have configured things correctly. You can have the best software in the world, but if you don’t configure it correctly, it will be just as bad as, if not worse than, poorly written software.
Moral of the story? Double-check all pieces of your network, not just the most important parts, because when you least expect it, the wrong person will find that low-hanging fruit.