Joshua Platz is a senior consultant in Optiv’s advisory services practice on the attack and penetration team. Joshua’s role is to provide internal and external network penetration testing to determine vulnerabilities and weaknesses in client networks and environments. He specializes in PCI DSS, wireless, social engineering, password cracking, as well as post-exploitation of customer networks.
Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 2
In this blog series I am covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read the previous post covering CSC 1.
CSC 2: Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
This is another control to prevent a scenario that may not be malicious in nature. While it is true that identifying potentially unwanted malicious software can be detected through implementation of this control, those types of programs are often covered through a good endpoint protection solution. I want to focus on employee installed software that IT may not be aware of and therefore is not readily patching.
For this control, I decided to demo a common attack vector that I have seen in organizations. Often, a company will support a specific browser because it may work better with a specific organizational tool or site in use. However, with humans being creatures of habit, some users prefer to use alternative browsers. When these browsers are not supported by IT, they may not be getting the appropriate updates required to keep the user’s system secure.
Below I have demonstrated how a would-be attacker can use open-source software to setup a drive-by attack targeting users of unpatched software.
Using Metasploit to create a malicious website
Once an attacker has the malicious web site running, all they have to do is encourage people to visit the site. This could be accomplished by hosting something people want to view, such as online movies, or by using other tactics such as cross-site scripting to redirect users to the malicious site. Once a user has landed on the site, a popup will ask them to install an add-on. These add-ons are typically named something like “Video Codec” or “Flash Update” in an attempt to influence users into clicking allow.
Popup requesting to install a browser add-on
Once a user has allowed the add-on, another popup will warn them to only install it from trusted authors. People have become jaded to these popups since they are common place and normally don’t mean something bad is happening.
An additional security popup warns users to not install untrusted software
If the user grants the permission and the version of software is vulnerable to the attack selected, it is possible to execute code and establish a remote presence on the targeted system. The attacker now has all the same permissions as the user who visited the site. This issue is compounded if the user is a local administrator or has access to potentially sensitive information. Additionally, this gives the attacker a route to attack other internal network resources.
Command shell access obtained
First, the organization needs to make policy-based decisions on what software will and won’t be allowed on endpoints. Many different strategies come up on this subject. Some organizations may be more lenient and allow software like iTunes, Spotify, or chat programs. Other organizations that have a strict policy on acceptable use will have an easier time implementing this control because they will be able to define that acceptable software and enforce a set application schema. Once the organization has determined its acceptable software, it needs to find a way to enforce it.
Application whitelisting is one of those things that is very hard to implement. However, if implemented correctly, it can greatly increase the security of a system and, by proxy, the network. Application whitelisting can be configured to only allow specific applications to run on company-based hardware, ensuring that even if a user is able to download and install unapproved software, they will not be able to execute it.
Once the organization has implemented the acceptable applications policy and has configured application whitelists to enforce it, they must perform a cleanup of all outdated software and monitor for new software that may have been installed. There are several tools which can perform software inventory that can be built into endpoint security applications or even queried from vulnerability scanning tools. An organization may decide to refresh all of the systems in lieu of hunting down each unauthorized application.