If you want to make a hacker happy, go ahead and take those shortcuts. Paula Januszkiewicz, CEO of IT infrastructure security service provider CQURE, held a talk at RSA earlier this week where she outlined the best ways to excite hackers. Along the way, she gave examples of what not to do, along with how to fix the problems. Januszkiewicz summed up her presentation with some simple advice: focus on configuration review, internal testing, and continuous monitoring, and don’t forget the human element.
According to Januszkiewicz, here are the top ten ways to excite a hacker, along with the fixes to put a damper on their fun:
Hacker Excitement Method #1: Disable Your Firewall or Misconfigure Network Access
While firewalls are great segmentation tools, Windows firewalls are often misconfigured. And when you lack any type of exploitation prevention solution, hackers can take advantage of vulnerabilities. This is a shortcut not worth taking. Even if your firewalls aren’t disabled, their rules can be out of sync with what the network actually needs, she said. “The question is, are we allowing different types of custom processes to be going out of the network? If the answer is yes, maybe you should think twice, because it’s pretty much the modern way to download different types of malicious files,” she added.
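The outbound question above is answerable from the host itself. The following PowerShell is an added example, not code from the talk or from CQURE: it lists the firewall state per profile, enumerates every enabled outbound allow rule together with the program it applies to (a rule whose program is "Any" lets every process leave the network on that port), and then shows the tightening step of a default outbound block with an explicit per-program exception. The Outlook path is illustrative; the NetSecurity cmdlets are the ones shipped with Windows 8/Server 2012 and later.

```powershell
# Added example (not from the talk): audit Windows Firewall outbound rules on the
# local machine. Requires the NetSecurity module (Windows 8 / Server 2012 and later).

# 1. Is the firewall on for every profile, and what happens to traffic no rule matches?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Every enabled outbound Allow rule, with the program and port filter it carries.
#    "Any" in the Program column means any process may use that rule.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Profile    = $_.Profile
            Program    = $app.Program
            Protocol   = $port.Protocol
            RemotePort = $port.RemotePort
        }
    } |
    Sort-Object Program |
    Format-Table -AutoSize

# 3. Tighten on the Domain profile: block outbound by default, then allow only the
#    processes you expect to talk out. The Outlook path is illustrative (assumption);
#    add one rule per process you actually need, and roll this out in a test OU first.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'Allow Outlook outbound' -Direction Outbound -Action Allow `
    -Program 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE' -Profile Domain
```

Step 3 is deliberately last: switch the default to Block only after the step 2 listing has been reviewed, because anything not covered by an explicit rule (update agents, EDR, proxies) stops working at that moment.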
Hacker Excitement Method #2: Use Overly Simple Passwords and Security Questions
It’s more common than you might think to reuse passwords, Januszkiewicz said. Check where passwords can be recovered in readable form, especially in these locations: the NTDS.dit and SAM databases, configuration files, the registry, memory dumps, and hiberfil.sys. “There are more than 20 places in Windows where you can extract the password to the readable form, and we’re not talking about the hash,” she said. “The question is, do we know about all of those places?” It’s also important to continuously maintain security awareness campaigns, she said.
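Two of the locations named above, memory dumps and hiberfil.sys, only hold clear-text credentials if the machine is configured to produce them. The following PowerShell is an added example, not from the talk, that reads the registry values controlling those artifacts on the local host and reports which ones are in the weak state. The registry paths and value names are the standard Windows ones; the pass/fail thresholds are the author's own and are marked in the code.

```powershell
# Added example (not from the talk): report host settings that leave clear-text
# credentials recoverable from memory, crash dumps or the hibernation file.
function Get-CredentialExposureFindings {
    # Each entry: registry path, value name, the value considered safe, and why.
    # The "Safe" values are this example's assumption about a hardened baseline.
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
           Name = 'UseLogonCredential'; Safe = 0
           Why  = 'WDigest keeps the clear-text password in LSASS memory when set to 1' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name = 'RunAsPPL'; Safe = 1
           Why  = 'LSA protection stops non-protected processes from reading LSASS' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
           Name = 'HibernateEnabled'; Safe = 0
           Why  = 'hiberfil.sys is a full copy of RAM, LSASS secrets included' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
           Name = 'CrashDumpEnabled'; Safe = 0
           Why  = 'complete/kernel dumps land on disk where a local admin can read them' }
    )

    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { $null } else { $item.($c.Name) }
        # A missing WDigest value means the OS default applies: 0 on Windows 8.1/2012 R2
        # and later (KB2871997 behaviour), so treat "absent" as safe only for that key.
        $effective = if ($null -eq $value -and $c.Name -eq 'UseLogonCredential') { 0 } else { $value }
        [pscustomobject]@{
            Setting = "$($c.Path)\$($c.Name)"
            Value   = if ($null -eq $value) { '(not set)' } else { $value }
            Status  = if ($effective -eq $c.Safe) { 'OK' } else { 'WEAK' }
            Reason  = $c.Why
        }
    }

    # The hibernation file itself, if present, is the artifact an attacker would take.
    $hib = Join-Path $env:SystemDrive 'hiberfil.sys'
    if (Test-Path $hib) {
        [pscustomobject]@{ Setting = $hib; Value = 'present'; Status = 'WEAK'
                           Reason  = 'hibernation file exists on disk; run "powercfg /h off"' }
    }
}

Get-CredentialExposureFindings | Format-Table Status, Setting, Value, Reason -AutoSize
```

Treat the WEAK rows as a starting point rather than a verdict: a laptop fleet may need hibernation, and a complete crash dump is sometimes required for a support case. The point of the talk is to know which of those places exist on your machines, and this listing is how you find out.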
Hacker Excitement Method #3: Don’t Segment Your Network
Network segmentation can be a blessing or a curse, she said, but in general, it provides greater control over who has access to which assets, allows you to set rules to limit traffic between each distinct subnet, enables you to reduce exposure to security incidents, and reduces broadcast domains so broadcasts don’t spread to the entire network. Januszkiewicz illustrated the danger of a flat network with the example of ARP spoofing, which only works against hosts in the same broadcast domain.
Hacker Excitement Method #4: Don’t Use SMB Signing or an Alternative
Januszkiewicz showed the problems that could occur if SMB (server message block) signing is turned off. She called it “the easiest attack ever”, but explained that it’s also easy to avoid, by, among other things, turning on SMB signing, setting SPNs for services so that clients authenticate with Kerberos instead of NTLM, reconsidering port filtering and code execution prevention, and requiring SPN target name validation (the “Microsoft network server: Server SPN target name validation level” policy).
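The fixes listed above map onto a handful of settings. The following PowerShell is an added example, not from the talk: it reads the current SMB signing state on both the server and client side, requires signing in both directions, raises the SPN target name validation level through its registry value, and registers an SPN for a service account so that clients can obtain a Kerberos ticket for it. The service name, host and account in the `setspn` line are illustrative.

```powershell
# Added example (not from the talk): check and enforce SMB signing, SPN target name
# validation, and SPN registration on a Windows host. Run elevated.

# 1. Current state. EnableSecuritySignature only *offers* signing; a session with a
#    client that does not ask for it stays unsigned. RequireSecuritySignature is the
#    value that actually refuses unsigned sessions, and therefore relayed ones.
Get-SmbServerConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature

# 2. Require signing in both directions. Expect a CPU cost on file servers and test
#    against any devices that cannot sign (old printers, NAS boxes) before rollout.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 3. "Microsoft network server: Server SPN target name validation level"
#    0 = Off (default), 1 = Accept if provided by client, 2 = Required from client.
#    Level 1 is a safe first step; level 2 breaks clients that never send the SPN.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name SmbServerNameHardeningLevel -Value 1 -Type DWord

# 4. Give the service an SPN so clients request a Kerberos ticket instead of falling
#    back to NTLM. -S refuses to create a duplicate SPN. Names are assumptions.
setspn.exe -S HTTP/intranet.corp.example CORP\svc_intranet

# 5. The registry change applies after the server service restarts. This drops open
#    SMB sessions, so schedule it; then re-read everything to confirm.
Restart-Service -Name LanmanServer -Force
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
Get-ItemProperty -Path $lanman -Name SmbServerNameHardeningLevel
```

Whether the Kerberos part worked is visible afterwards in the security log: 4768/4769 events for the service account mean tickets are being issued, while continued 4624 logons with NTLM as the authentication package show which clients still need an SPN-aware connection string or a DNS name that matches the registered SPN.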
Hacker Excitement Method #5: Allow Unusual Code Execution
According to Januszkiewicz, common file formats containing malware are:
- .exe (executables: GUI and console, plus variants such as SCR, CPL, etc.)
- .dll (dynamic link libraries)
- .vbs and other script files (JS, JSE, VBE, PS1, PS2, CHM, BAT, COM, CMD, etc.)
- .docm, .xlsm, etc. (Office macro files)
- Others, including LNK, PDF and PIF
Hacker Excitement Method #6: No Whitelisting on Board
It’s simply a fact that users share things. They can create shares, and when that happens, the risk of infection increases. Januszkiewicz gave an example that uses a tool called the network infector, which identifies any network shares on the network that can be infected. The tool creates a local copy of each share, infects it, and then uploads the changed copy. To prevent something like this from happening, she said that code execution prevention is a must. PowerShell is the ultimate hacking tool, she said, and the best way to prevent hackers from using it is to block it for users. In addition, she said that while AppLocker is great, it’s not a good idea to use it in the default configuration.
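Method #5 lists the formats that carry malware and Method #6 says that AppLocker should not be left in its default configuration and that PowerShell should be blocked for users; one policy build covers both. The following PowerShell is an added example, not from the talk or from CQURE. It generates publisher and hash rules for the executables, DLLs, scripts and installers that are actually installed (rather than the default path rules, which allow everything under C:\Windows and C:\Program Files even though a few subfolders of C:\Windows are writable by standard users), adds publisher-based deny rules for the PowerShell hosts for members of BUILTIN\Users, tests the decisions, and applies the policy in audit mode. The output path and the Internet Explorer test path are assumptions; the cmdlets are the AppLocker module's own.

```powershell
# Added example (not from the talk): an AppLocker policy that goes beyond the default
# rules. Assumes a Windows edition with AppLocker, an elevated session, and that you
# start in AuditOnly mode. File paths are illustrative.

# AppLocker enforces nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 1. Allow rules generated from what is installed today: publisher rules for signed
#    files, hash rules for unsigned ones. The extension filter matches the formats
#    from Method #5 that AppLocker can control (EXE, DLL, scripts, MSI).
$roots  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$policy = Get-ChildItem -Path $roots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(exe|dll|ps1|vbs|js|bat|cmd|msi)$' } |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$xml = [xml]$policy
# New-AppLockerPolicy leaves every collection "NotConfigured"; audit before enforcing.
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }

# 2. Deny the PowerShell hosts to BUILTIN\Users (S-1-5-32-545). Administrators are not
#    in that group, so they keep PowerShell. Deny rules win over allow rules, and a
#    publisher condition (not a path) means copying powershell.exe elsewhere does not
#    escape the rule. With script rules enforced, PowerShell 5 also drops any script
#    not allowed by policy into Constrained Language mode.
$hosts = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
         "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
$exeCollection = $xml.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
foreach ($h in $hosts) {
    $p = (Get-AppLockerFileInformation -Path $h).Publisher
    $rule = [xml]@"
<FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $($p.BinaryName) for standard users"
    Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
  <Conditions>
    <FilePublisherCondition PublisherName="$($p.PublisherName)" ProductName="$($p.ProductName)"
        BinaryName="$($p.BinaryName)">
      <BinaryVersionRange LowSection="*" HighSection="*" />
    </FilePublisherCondition>
  </Conditions>
</FilePublisherRule>
"@
    $exeCollection.AppendChild($xml.ImportNode($rule.DocumentElement, $true)) | Out-Null
}

$policyPath = 'C:\Temp\applocker-baseline.xml'   # assumption: output location
$xml.Save($policyPath)

# 3. Check decisions before applying: a standard user must get "Denied" for
#    powershell.exe and "Allowed" for a signed application under Program Files.
$probe = @($hosts[0], 'C:\Program Files\Internet Explorer\iexplore.exe')
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'S-1-5-32-545' -Path $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply locally (use a GPO for the domain). Flip AuditOnly to Enabled only after
#    reviewing the "AppLocker/EXE and DLL" log for 8003 (would-have-blocked) events.
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Generating rules over all of C:\Windows takes minutes and produces a large policy; `-Optimize` collapses files from the same publisher into one rule, which keeps it manageable. Blocking the two hosts does not block every way to reach the PowerShell engine, so the DLL and script collections generated in step 1 matter as much as the deny rules.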
Hacker Excitement Method #7: Continue to Use Old Protocols or Their Default Settings
Just don’t do it, she said. She used Tabular Data Stream (TDS), the protocol used between applications and SQL Server, as an example. “That traffic could be encrypted, but if you have implemented SQL server out of the box and you didn’t explicitly create encryption settings, your whole traffic for the SQL server is actually running in the clear text. That’s a big problem.” She went on to explain how that leaves the door open to inject into the TDS traffic and eventually affect the database content.
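The out-of-the-box state described above can be checked from both ends of the connection. The following PowerShell is an added example, not from the talk: it reads and sets the instance's Force Encryption value, then opens a client connection that demands encryption and a trusted certificate and asks SQL Server itself, via `sys.dm_exec_connections`, whether the session is encrypted and which authentication scheme it used. The registry key assumes a default instance of SQL Server 2019 (`MSSQL15.MSSQLSERVER`); the server name is an assumption.

```powershell
# Added example (not from the talk): verify and enforce TDS encryption for a SQL Server
# instance. Assumes a default instance of SQL Server 2019 (key MSSQL15.MSSQLSERVER);
# adjust the version and instance name for other installs. Server name is illustrative.

# 1. Server side. ForceEncryption = 0 (the installer default) means a client that does
#    not ask for encryption talks clear-text TDS: logins, queries and result sets.
$netlib = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQLServer\SuperSocketNetLib'
Get-ItemProperty -Path $netlib -Name ForceEncryption, Certificate -ErrorAction SilentlyContinue
Set-ItemProperty -Path $netlib -Name ForceEncryption -Value 1 -Type DWord
# "Certificate" must hold the thumbprint (lowercase, no spaces) of a certificate the
# clients trust; otherwise SQL Server uses a self-signed one and clients are forced
# into TrustServerCertificate=True, which defeats the point. Then:
#   Restart-Service -Name MSSQLSERVER -Force

# 2. Client side. Ask for encryption AND refuse an unverified certificate, then let the
#    server say what the session looks like from its end. encrypt_option is the answer
#    that counts; auth_scheme ties back to Method #4 (KERBEROS vs NTLM).
function Get-SqlSessionSecurity {
    param([string]$Server = 'sql01.corp.example')   # assumption: illustrative host
    $cs = "Server=$Server;Database=master;Integrated Security=SSPI;" +
          "Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT net_transport, encrypt_option, auth_scheme ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $r = $cmd.ExecuteReader()
        while ($r.Read()) {
            [pscustomobject]@{
                Server    = $Server
                Transport = $r['net_transport']
                Encrypted = $r['encrypt_option']   # 'TRUE' once ForceEncryption or Encrypt=True applies
                Auth      = $r['auth_scheme']      # 'KERBEROS' is what an SPN buys you
            }
        }
        $r.Close()
    } finally {
        $conn.Close()
    }
}

Get-SqlSessionSecurity
```

If the `Open()` call fails with a certificate chain error, that is the check working: the server is presenting a certificate the client does not trust, and the fix is to install a trusted one rather than to set `TrustServerCertificate=True`. Run the function from the application servers, not just the DBA workstation, because the connection strings that matter are the ones the applications use.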
Hacker Excitement Method #8: Trust Solutions Without Knowing How to Break Them
Almost every solution has some “backdoor” weakness, Januszkiewicz said. “The question is, do we know how our security solutions work?” she asked. One good solution, she said, is to prevent or manage privileged access.
Hacker Excitement Method #9: Misuse Service Accounts and Privileged Accounts
Privileged users sometimes have more access than you think, Januszkiewicz said, and that can cause problems. For example, they can read the SYSTEM and SECURITY hives from the registry; the SECURITY hive holds the LSA secrets, which include the passwords of services running under domain accounts. When that happens, privileged users can access passwords they shouldn’t be able to access.
Hacker Excitement Method #10: Fall for Hipster Tools
“Sometimes we've got different types of tools we're supposed to trust, but most end up getting hacked," she said. "You need to follow the news about security. We spend so much on different tools that might not be the greatest."
Januszkiewicz summarized her approach this way: In the short term, isolate infrastructure components so that in case of attack, they won’t spread. In the medium term, put on the hacker’s shoes and do your external, internal and web penetration testing. And in the long term, focus on prevention and vulnerability management.