Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 4
In this blog series I am covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:
CSC 4: Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
It is not uncommon to go into an organization and have complete access to all systems with a small set of commands within the first 30 minutes. After performing this testing for many years, it has become apparent to me that several organizations have what we call “low hanging fruit.” Low hanging fruit are common attack vectors that usually provide access to systems with significant privileges with very little effort.
In my next attack, I will show how a critical vulnerability could have been easily detected if the organization had been performing regular vulnerability scanning. Then, leveraging the information provided in the vulnerability scan, I will demonstrate how simple it is to gain access to the target system.
In the screenshot below, we see that a vulnerability scanner was used to identify default credentials in use on the Apache Tomcat Manager. Apache Tomcat Manager is a web console that allows web applications to be deployed on the web server. This is an extremely common finding, because some applications deploy Tomcat using the default credentials. Vulnerability scanners often indicate whether a vulnerability has any public exploits or whether it is an abuse of the normal operation of the application. Organizations should focus on high-risk vulnerabilities with public exploitation details in order to improve network security.
Vulnerability Scanner identified default credentials
An attacker can use the Tomcat Manager Console in order to upload a malicious web application archive (WAR) file or simply use an open-source tool like Metasploit to automate the process. Using this method, it only takes eight commands for an attacker to leverage the credentials into an administrative command shell. This simplicity in identifying and exploiting the vulnerability is why we call this low hanging fruit.
Exploiting the default username and password in Tomcat
Vulnerability management is a time-intensive process, and organizations will hire people just to perform it. It goes far beyond scheduling a vulnerability scanner to run each week or month; it includes entire processes around remediation and risk ranking.
It’s important to first make sure that your organization is scanning often and using the data while it is as fresh as possible. Running scans daily or weekly is not unheard of. When running vulnerability scans, it is important to ensure that the vulnerability scanner authenticates to the systems being scanned. Without authentication, you are only seeing a fraction of the attack surface of the machine. Authentication allows the vulnerability scanner to log into the machine and determine much more detailed information, such as patch levels, malicious software, or audit configurations.
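The Tomcat Manager finding described earlier is the kind of issue an authenticated check can confirm directly from the server's own configuration. The following Python script is an added example, not code from the original post or from any scanner: it audits a `tomcat-users.xml` for manager-capable accounts with default or guessable passwords. The weak-password list and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to Tomcat's Manager / Host Manager applications
# (current role names plus the older single "manager" and "admin" roles).
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin", "admin-gui", "admin-script"}
# Assumption: a short illustrative list; replace with your own policy list.
WEAK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "s3cret"}


def local(tag):
    """Drop the XML namespace prefix that newer tomcat-users.xml files declare."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per manager-capable account with a weak password."""
    findings = []
    # Commented-out <user> entries (as in the shipped file) are ignored by the parser.
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        user = el.get("username") or el.get("name") or ""  # older files use name=
        password = el.get("password") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & MANAGER_ROLES)
        if not privileged:
            continue  # account cannot reach the Manager console
        if password.lower() in WEAK_PASSWORDS or password.lower() == user.lower():
            findings.append({"user": user, "roles": privileged,
                             "reason": "default or guessable password"})
    return findings


# Constructed sample configuration (not taken from a real system).
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- <user username="both" password="tomcat" roles="tomcat,role1"/> -->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Deploy" roles="manager-script"/>
  <user username="viewer" password="tomcat" roles="role1"/>
  <user username="ops" password="c0nstructed-Long-Passphrase-41" roles="admin-gui"/>
</tomcat-users>"""

if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE):
        print(f"{f['user']}: {f['reason']} (roles: {', '.join(f['roles'])})")
```

If the server stores digested passwords, the `password` attribute holds a hash and this plaintext comparison will not match, so such accounts need to be checked another way.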
It is important that organizations perform risk ranking on the vulnerabilities that are identified, to ensure that the most important vulnerabilities are remediated first. This process is time-sensitive and takes knowledge of both the vulnerabilities and the system infrastructure. Some of the things that should be included in the risk ranking are:
Once you have scans running on a regular basis with authentication and have developed a risk ranking process, it is important to develop a method that incorporates all parts of IT responsible for the security of systems within the organization. In most organizations, the vulnerability assessor will not be the person in charge of making the change to secure the system, but will be coordinating with IT in order to remediate. Without first making IT part of this process, they might get the wrong idea that the vulnerability assessor is trying to tell them that they are doing something wrong, instead of striving for security together through the process.
The next post will cover CSC 5: Controlled Use of Administrative Privileges.