Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 4

In this blog series I am covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:

• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

CSC 4: Continuous Vulnerability Assessment and Remediation

The Control

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

The Attack

It is not uncommon to go into an organization and have complete access to all systems with a small set of commands within the first 30 minutes. Having been performing this testing for many years, it quickly becomes apparent that several organizations have what we call “low hanging fruit.” Low hanging fruit are common attack vectors that usually provide access to systems with significant privileges with very little effort. 

In my next attack, I will show how a critically vulnerability could have been easily detected if the organization had been performing regular vulnerability scanning. Then leveraging the information provided in the vulnerability scan, I will demonstrate how simple it is to gain access to the target system.

In the screenshot below, we see that a vulnerability scanner was used to identify default credentials in use the Apache Tomcat Manager. Apache Tomcat Manager is a web console which allows for the deployment of web applications on the web server. This is an extremely common finding, because some applications will deploy Tomcat using the default credentials. Vulnerability scanners often tell if the actual vulnerability contains any public exploits or if it is an abuse of normal operations of the application. Organizations should focus on high-risk vulnerabilities with public exploitation details in order to improve network security.

Vulnerability Scanner identified default credentials

An attacker can use the Tomcat Manager Console in order to upload a malicious web application archive (WAR) file or simply use an open-source tool like Metasploit to automate the process. Using this method, it only takes eight commands for an attacker to leverage the credentials into an administrative command shell. This simplicity in identifying and exploiting the vulnerability is why we call this low hanging fruit.

Exploiting the default username and password in Tomcat

The Solution

Vulnerability management is a time intensive process. Organizations will hire people just to perform this process. It goes far beyond simply scheduling a vulnerability scanner to run each week or month, but includes entire processes around remediation and risk ranking to be performed.

It’s important to first make sure that your organization is scanning often and using the data when it is as fresh as possible. Running scans daily or weekly is not unheard of. When running vulnerability scans, it is important to ensure that the systems being scanned are authenticated to by the vulnerability scanner. Without authentication, you are only seeing a fraction of the attack surface of the machine. Authentication will allow the vulnerability scanner to log into the machine and determine much more detailed information such as patch levels, malicious software, or audit configurations.

It is important that organizations are performing risk ranking on the vulnerabilities that are identified to ensure that the most important vulnerabilities are being remediated first. This process is time sensitive and takes knowledge of both the vulnerabilities as well as the system infrastructure. Some of the things that should be included in the risk ranking are: 

• What is the Common Vulnerability Scoring System (CVSS)?
• Is there public exploitation details?
• Is this an externally accessible system?
• Does this system hold sensitive data?
• Is this system part of the critical infrastructure?
• What is the impact of the vulnerability?

Once you have scans running on a regular basis with authentication and have developed a risk ranking process, it is important to develop a method that incorporates all parts of IT responsible for the security of systems within the organization. In most organizations, the vulnerability assessor will not be the person in charge of making the change to secure the system, but will be coordinating with IT in order to remediate. Without first making IT part of this process, they might get the wrong idea that the vulnerability assessor is trying to tell them that they are doing something wrong, instead of striving for security together through the process.

The next post will cover CSC 5: Controlled Use of Administrative Privileges.