Wednesday, July 13, 2011

Back to Basics

I tend to lurk on a bunch of email-based discussion groups where I watch threads that talk about "what should we use instead of the broken MD5 hash" or "what are the alternatives to broken SSL". I see lots of focus on the new 0-day exploit and techniques involving intercepting communications, cracking something or other, then using that to compromise something else. There is no question that when it comes to "cyber security", it is an extremely dangerous world and getting more so. Unfortunately, I think the industry of computer security has lost its way.

In an article about the recent Booz Allen Hamilton compromise, Anonymous was quoted as saying "We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!). We also added the complete sqldump, compressed 50MB, for a good measure." Yesterday, a colleague of mine stated that he found a basic SQL injection authentication bypass vulnerability in a client's payroll server and found that the username/password combination of GUEST/GUEST worked on that same client's VPN. From what I saw or could infer from news about many of the LulzSec compromises, they seemed to be using SQL injection or similar attacks.

I know 0-day compromises are possible and a threat. I know there are ways to break different types of encryption. I also know that people, generally, can tend to be a little lazy. I don't mean lazy in a bad way, but if given the choice between cracking passwords and typing ' or 1=1 into a password field, which would you do? Would you rather research and use a new 0-day exploit or leverage the fact that the target hasn't patched Adobe Reader in 3 years?
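To make the two "basics" above concrete (the ' or 1=1 login bypass, and the unsalted MD5 hashes from the quoted breach), here is an added example that is not part of the original post. It builds a constructed SQLite user table in memory and shows the same login check written three ways: with the password spliced into the SQL string, with a parameterized query, and with a parameterized query plus a salted, iterated hash (PBKDF2 here; the scheme and the user "alice" are my own choices for illustration).

```python
import hashlib
import hmac
import os
import sqlite3

# ---- Constructed sample data (not from the original post) -------------------

def make_plaintext_db():
    """Users table as a careless app might keep it: plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def hash_password(password, salt):
    """Salted, iterated hash; the salt makes precomputed MD5 tables useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_hardened_db():
    """Users table storing a per-user random salt and a PBKDF2 hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, hash_password("correct horse", salt)))
    return conn


# ---- Three versions of the same login check ---------------------------------

def login_vulnerable(conn, username, password):
    """Attacker-supplied text becomes part of the SQL statement."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    # With password = "' OR '1'='1" the WHERE clause becomes
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is true for every row, so any user is "authenticated".
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same plaintext table, but the driver binds the values as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row is not None


def login_hardened(conn, username, password):
    """Parameterized lookup plus salted hash verified in constant time."""
    row = conn.execute(
        "SELECT salt, pwhash FROM users WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def run_demo():
    """Returns which logins succeed for the real password and for the bypass."""
    bypass = "' OR '1'='1"
    plain = make_plaintext_db()
    hard = make_hardened_db()
    return {
        "vulnerable_real": login_vulnerable(plain, "alice", "correct horse"),
        "vulnerable_bypass": login_vulnerable(plain, "alice", bypass),
        "vulnerable_bypass_unknown_user": login_vulnerable(plain, "nobody", bypass),
        "vulnerable_comment_in_username": login_vulnerable(plain, "alice'--", "x"),
        "parameterized_real": login_parameterized(plain, "alice", "correct horse"),
        "parameterized_bypass": login_parameterized(plain, "alice", bypass),
        "hardened_real": login_hardened(hard, "alice", "correct horse"),
        "hardened_bypass": login_hardened(hard, "alice", bypass),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print("%-32s %s" % (name, "LOGGED IN" if ok else "rejected"))
```

Note that the parameterized version alone stops the injection but still leaves plaintext passwords in the table, which is exactly what made the dumped hashes in the quoted breach so cheap to use; the hardened version fixes both problems, and checks for a missing user without leaking anything through the comparison.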

As a penetration tester, there are some basic techniques that make my life a lot harder:

• Good patching practice, not only for Microsoft products but for all technologies
• Basic hardening, particularly something as simple as changing default passwords
• Security-focused web and email filtering
• Strong firewall rules for both ingress and egress
• Network segmentation and access controls between segments
• A decent web application firewall
• Updated endpoint protection

How many recent (publicized or otherwise) attacks could have been prevented by these fairly basic measures? Am I saying that this is all that is necessary for security? Absolutely not, but I do think that as security professionals, we tend to miss the obvious and focus on the complicated, leaving the bad guys with big holes to walk right through. Perhaps we should spend a little time getting back to basics and make sure that the foundation of our security program, the policies and the security infrastructure, is in place, because all too often when doing risk assessments for my customers, I find that this is not even close to being the case.