For some time now I [and most Security Professionals] have been very much aware that the State of Cyber Security is parked in a very dangerous lay-by, with far too regular reports hitting the press of data breaches and successful hacks against both the private and public sectors. These range across a set of targets from Financial Services to Oil and Gas, Industrials, and Government assets alike – and this is on a global scale, generating trillions in illicit revenue and increasing year-on-year!
In November 2016 I was very much encouraged to see a refreshing Cyber Security event being hosted by a company based in the East Midlands, to spread the word of the real Cyber Threat to business and to educate the great unwashed. This I felt at the time to be significant progress, reaching out to the untrounced masses outside the London catchment. The event enjoyed support from a well-known anti-virus provider and a couple of other niche security providers residing within the cyber-space. The other encouraging indication was that the event was well attended, and so I was hopeful we were seeing the green shoots of a regional push in my local community to recognise, and to work towards mitigating, the cyber-threat at the SME level – however, disappointment was not far away.
The company hosting the event are a respected local brand, so the expectations of accuracy and of their own security profile were naturally extant. However, my expectations were soon to be dashed by the discovery of several low-hanging security and cyber exposures – linked to a lack of governance and compliance, and an absence of what would be an expected level of good-practice security applied to protect their own assets – observations which were arrived at as an onlooker, with no need to hack anything whatsoever. The following shortfalls were discovered from a simple connection to their guest access point, and a little investigation on the Internet utilising OSINT:
- Access to the company Guest WiFi AP was made available, with no need to agree to an AUP [Acceptable Use Policy]
- 250 Guest WiFi connections were in place at a company with a SME profile of operations
- The WiFi footprint went well beyond the company accommodation and was visible from an extended distance
- It appeared that some critical servers were also associated cross guest-to-operational network – some of which included communications and security systems
- Servers were named as-was, so for an attacker to identify, say, the Skype service was easy
- Some O/S were identifiable – [E.g. Apple]
- Servers supporting Anti-Ransomware services were identifiable on the Guest Network
- IP information and other such useful snippets were published and available to all guests
- Open Ports were interesting – some of which can support a malicious connection to the end-point device, with others implying supporting security services. For example:
  - 80/http: World Wide Web HTTP
  - 135/msrpc: Microsoft RPC services
  - 139/netbios-ssn: NETBIOS Session Service
  - 445/microsoft-ds: SMB directly over IP
  - 3389/ms-term-serv: Microsoft Remote Display Protocol
  - 8080/http-proxy: Common HTTP proxy/second web server port
  - 8081/blackice-icecap: ICECap user console
- Domain Management was poor, with critical assets not owned – e.g. .eu [this was a company with interests in that trading zone]
- Over 100 email addresses exposed to Pharming – supporting the potential for Phishing Campaigns, or easy communications with the end users
- External Out-of-Office communications were excessive in content, and again extended the potential for external attacker abuse – for example, giving up the mobile telephone number
- Based on the verbose information provided, OSINT Methodologies were easy to employ to associate and gather more target intelligence, supporting identification of real-people end user profiles
- The company domain is associated with over 30 threat actors, and malicious entities including malware
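As an added example that is not part of the original post, the following Python takes nmap grepable (-oG) output captured from a guest SSID (the sample below is constructed) and flags the isolation failures described in the list above: internal RPC/SMB/RDP services reachable from guests, web/management ports worth a review, and host names that advertise their role. The port sets and role keywords are assumptions drawn from the findings, not a published policy.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host port service severity reason")

# Ports from the post's list that should never be reachable from a guest SSID (assumed policy).
HIGH_RISK_PORTS = {135, 139, 445, 3389}
# Web / management ports: review rather than alarm.
REVIEW_PORTS = {80, 8080, 8081}
# Role-revealing words in host names (servers "named as-was"); keyword list is an assumption.
ROLE_WORDS = re.compile(r"skype|ransom|backup|cctv|dc\d", re.I)
# nmap -oG "Ports:" line: Host: <ip> (<name>)<tab>Ports: <entries><tab>Ignored State: ...
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)\s*(?:Ignored State.*)?$")

def parse_grepable(text):
    """Yield (ip, hostname, [(port, state, proto, service), ...]) for each Ports: line."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports_field = m.groups()
        entries = []
        for entry in ports_field.split(", "):
            f = entry.split("/")  # port/state/proto/owner/service/rpcinfo/version/
            if len(f) >= 5 and f[0].isdigit():
                entries.append((int(f[0]), f[1], f[2], f[4]))
        yield ip, name, entries

def audit(text):
    """Return policy findings for a scan taken from the guest network."""
    findings = []
    for ip, name, ports in parse_grepable(text):
        if ROLE_WORDS.search(name):
            findings.append(Finding(ip, None, None, "medium", f"host name reveals role: {name}"))
        for port, state, proto, service in ports:
            if state != "open" or proto != "tcp":
                continue  # closed/filtered ports and UDP are out of scope here
            if port in HIGH_RISK_PORTS:
                findings.append(Finding(ip, port, service, "high", "internal service reachable from guest VLAN"))
            elif port in REVIEW_PORTS:
                findings.append(Finding(ip, port, service, "review", "web/management interface visible to guests"))
    return findings

# Constructed sample scan output (not a real network, not from the original post).
SAMPLE = """\
Host: 10.20.0.10 (skype-srv.corp.example)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.20.0.25 (antiransom01.corp.example)\tPorts: 80/open/tcp//http///, 8081/open/tcp//blackice-icecap///\tIgnored State: closed (998)
Host: 10.20.0.99 (printer)\tPorts: 9100/open/tcp//jetdirect///, 445/closed/tcp//microsoft-ds///\tIgnored State: closed (998)
"""
```

Run `audit(SAMPLE)` against a scan taken from your own guest SSID to get a list of findings; an empty list means the guest segment exposes none of the services the policy names.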
The disappointment for me here was that the day very much focused on the threat from Phishing, Social Engineering, and the misuse of information of the very type I had discovered. Even more disappointing, and to some extent frustrating, was that I dropped a friendly email to the organisation outlining several areas which should be considered from the cyber-perspective – which received zero response.
My concerns here are twofold:
- That there would seem to be a disconnect on the topic of cyber for those who look to understand the exposures and vulnerabilities it can bring to the table
- That the Cyber-Threat may be utilised by some organisations as a marketing ploy to extend their own IT support services
At the end of the day, it is not the case that the company in question's IT assets were not being well supported and maintained. In fact, far from it: my expectation, aligned to their profile, would suggest they run very robust operations. It is where we get into the world of understanding the wider implications of Cyber-Security and the associated risks that this company fall short: not appreciating their own organisational digital footprint, and the implication of the extended opportunities of compromise it may bring to the table of the Boardroom.