No-Tech Hacking - Identifying Unprotected Assets

When you think of hacking, or start looking at ethical hacking and countermeasures, the focus is on the highly technical: encryption cracking, packet sniffing and session hijacking, website hacking, SQL injection and so on. All of these require a fair bit of basic infrastructure, networking and coding experience.

Whilst there are many off-the-shelf tools, utilities and scripts that make the hacker's (and ethical hacker's) job easier, being non-technical is still a huge hindrance.

However, as a security manager or engineer, protecting information and IT assets shouldn't just be about the cool tech. It should also focus on the "no-tech" side. By "no-tech", I'm simply referring to areas of information protection that require basic process, training and awareness.

For example, servers should only run the services they are designed for, and each server should have a single, cohesive function associated with it. This is pretty standard configuration management: it removes the complexity and support issues of having one device perform several functions. If a server does one thing and one thing only, it is simple to remove, lock down or disable any ports, services or functions that are not needed.

An obvious one (and often ignored) is the basic requirement of PCI-DSS 2.1, which is to remove default passwords on any servers, services or devices that are installed. For servers and services this can be quite well managed at times, but it also needs applying to every device on the network. I'm thinking mainly of routers and switches, often the least well managed part of the networking infrastructure. If accessed maliciously, they can be a fountain of knowledge and a foothold for a basic DoS attack. In addition, check, remove and edit any default SNMP community strings used to manage servers or network devices (especially the read/write strings).
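As an added example (not part of the original post), here is a small defensive audit that walks through device configuration exports and flags the SNMP community strings the paragraph above is concerned with. It assumes Cisco-style `snmp-server community <string> [RO|RW] [acl]` syntax and uses two constructed sample configs; the default-string list is an assumption you would extend with your vendors' documented defaults.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample configs (hypothetical devices, not real ones).
SAMPLE_CONFIGS: Dict[str, str] = {
    "core-sw1": (
        "hostname core-sw1\n"
        "snmp-server community public RO\n"
        "snmp-server community private RW\n"
        "snmp-server community Mgmt-7xQ2 RW 10\n"
    ),
    "edge-rtr1": (
        "hostname edge-rtr1\n"
        "snmp-server community Zq9-readonly RO 20\n"
        "snmp-server community Kp3-write RW\n"
    ),
}

# Well-known defaults that should never survive deployment (assumed list; extend per vendor).
DEFAULT_COMMUNITIES = {"public", "private", "admin", "cisco", "manager", "write", "monitor"}

# community string, optional view, optional RO/RW, optional access-list number/name
SNMP_COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(\S+)(?:\s+view\s+\S+)?\s*(RO|RW)?(?:\s+(\S+))?",
    re.IGNORECASE,
)

@dataclass
class Finding:
    device: str
    community: str
    access: str
    severity: str
    reason: str

def audit_snmp_config(device: str, config: str) -> List[Finding]:
    """Return one Finding per risky snmp-server community line in a device config."""
    findings: List[Finding] = []
    for line in config.splitlines():
        m = SNMP_COMMUNITY_RE.match(line)
        if not m:
            continue
        community, access, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            # A default read/write string hands over device control; read-only leaks topology.
            severity = "critical" if access == "RW" else "high"
            findings.append(Finding(device, community, access, severity, "default community string"))
        elif access == "RW" and acl is None:
            findings.append(Finding(device, community, access, "medium", "RW community not restricted by an ACL"))
    return findings

def audit_all(configs: Dict[str, str]) -> List[Finding]:
    return [f for dev, cfg in configs.items() for f in audit_snmp_config(dev, cfg)]
```

Feed it the output of your configuration backups (RANCID, Oxidized or a plain TFTP dump) rather than the embedded samples, and treat every "critical" line as a change ticket rather than a report entry.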

Another area that is often overlooked is the management of service accounts. Accounts used for things like printer management, backups, application installation and so on often have admin or near-admin capabilities. Because they're used by scripts, services and apps, the passwords are often simple (the same as the account name, say) and not set to expire. It's a lazy and often overlooked part of account management, as the accounts are being used by the sysadmins themselves. A simple, well-documented policy here would close a lot of back-door access.

Many organisations now have well-developed policies for at least laptops, if not yet for Bring Your Own Device / smartphone-style devices. Laptops often have group policies that prevent social networking or instant messenger products, or the installation of additional software in general. Local account passwords are often linked to a directory where a complex password policy is in place.

All good stuff, but what happens if the physical device is lost or stolen? It takes perhaps 5 minutes to unscrew the back panel of the laptop, take out the disk, put it in an external USB caddy and mount it as a secondary drive. No CTRL-ALT-DEL password to bypass or network to attach to, just straight into the raw file system. Unless of course it was encrypted! Basic (and good) encryption software is readily available for at least partition-level encryption, and full disk encryption (including the MBR) is now becoming standard too with on-board crypto-processors.

Security in depth is key, and basic disk encryption neatly addresses the portable-storage problem.

Other basic "no-tech" protection areas should focus on social engineering: ID badge checking by reception, zero tolerance of tailgating and doors left open, passwords never written down or shared.

If something or someone looks suspicious ask, check and prevent the incident from occurring before it becomes damaging.  It may seem like extra effort in the short term, but it will beat any effort involved in a recovery exercise.

(Simon Moffatt)