
No-Tech Hacking - Identifying Unprotected Assets

When you think of hacking, or start looking at ethical hacking and countermeasures, the focus is on the highly technical.  Encryption hacking.  Packet sniffing and session hijacking.  Website hacking.  SQL injection and so on.  All require a fair bit of basic infrastructure, networking and coding experience.

Whilst there are many off-the-shelf tools, utilities and scripts that make the hacker's (and ethical hacker's) job easier, being non-technical is a huge hindrance.

However, as a security manager or engineer, protecting information and IT assets shouldn't just be about the cool tech.  It should also cover the "no-tech" side as well.  By "no-tech", I'm simply referring to areas of information protection that require basic process, training and awareness.

For example, servers should only run the services they are designed for, and each server should have a single, cohesive function associated with it.  This is pretty standard configuration management: it removes the complexity and support issues of having one device perform several functions.  If a server does one thing and one thing only, it is simple to remove, lock down or disable any ports, services or functions that are not needed.
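One way to turn the "one server, one function" rule into a repeatable check is to compare what a host is actually listening on against the ports its role is allowed to expose.  The script below is an added example, not code from the original post: the `ss -ltnH` output is a constructed sample, and the role allow-list is a hypothetical policy table that a team would replace with its own.

```python
"""Compare a host's listening TCP sockets against the allow-list for its role.

Added example, not from the original post.  The `ss -ltnH` output below is a
constructed sample; ROLE_ALLOWLIST is a hypothetical policy table.
"""
import re

# Hypothetical policy: one role per server, and the ports that role legitimately needs.
ROLE_ALLOWLIST = {
    "web": {22, 80, 443},
    "db": {22, 5432},
}

# Constructed sample of `ss -ltnH` (listening, TCP, numeric, no header line).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128          0.0.0.0:3306      0.0.0.0:*
LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
"""

# Local address column looks like 0.0.0.0:22 or [::]:22; split on the last colon.
_LOCAL_ADDR = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Return a set of (local_address, port) tuples from `ss -ltn` output."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = _LOCAL_ADDR.match(fields[3])
        if m:
            listeners.add((m.group("addr"), int(m.group("port"))))
    return listeners


def unexpected_listeners(ss_output, role):
    """Listening sockets whose port is not in the allow-list for `role`, sorted by port."""
    allowed = ROLE_ALLOWLIST[role]
    return sorted(
        ((addr, port) for addr, port in parse_listeners(ss_output) if port not in allowed),
        key=lambda entry: entry[1],
    )


if __name__ == "__main__":
    # On a real host: ss -ltnH | python3 this_script.py  (reading stdin instead of the sample)
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT, "web"):
        print(f"unexpected listener on a web server: {addr}:{port}")
```

Run against the sample, the "web" role flags the MySQL listener on 3306 and the local SMTP listener on 25; the same output checked as a "db" role would flag 80 and 443 instead.  The value of the check is that the allow-list is written once per role, so any service that creeps onto a box is visible on the next run rather than the next incident.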

An obvious one (and often ignored) is the basic requirement of PCI-DSS 2.1, which is to remove default passwords on any servers, services or devices that are installed.  For servers and services this can be quite well managed at times, but it also needs applying to every device on the network.  I'm thinking mainly of routers and switches, often the least well managed part of the networking infrastructure.  If accessed maliciously, they can be a fountain of knowledge and a starting point for a basic DoS attack.  In addition, check, remove and edit any default SNMP community strings used to manage servers or network devices (especially the read/write strings).
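The SNMP point is easy to audit offline from exported configurations.  Below is an added example, not the post's own code: it scans a constructed Cisco IOS-style running-config excerpt for `snmp-server community` lines, flags any that still use a well-known default string, and separately flags read/write strings that have no access list attached.  The list of default strings is a hypothetical starting point; the assumption that an omitted mode means read-only follows IOS behaviour.

```python
"""Flag default or unrestricted SNMP community strings in exported device configs.

Added example, not from the original post.  SAMPLE_CONFIG is a constructed
Cisco IOS-style excerpt; DEFAULT_COMMUNITIES is a hypothetical starting list.
"""
import re

# Community strings commonly shipped as vendor defaults; any match is a finding.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}

# Constructed sample of a running-config excerpt from a core switch.
SAMPLE_CONFIG = """\
hostname core-sw-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9v-monitor RO 10
snmp-server community private RW 20
!
line vty 0 4
 login
"""

# snmp-server community <string> [RO|RW] [access-list]
_SNMP_LINE = re.compile(
    r"^\s*snmp-server community (?P<community>\S+)"
    r"(?:\s+(?P<mode>RO|RW))?(?:\s+(?P<acl>\S+))?",
    re.IGNORECASE,
)


def find_snmp_findings(config_text):
    """Return (line_no, community, mode, reason) for each risky community line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = _SNMP_LINE.match(line)
        if not m:
            continue
        community = m.group("community")
        mode = (m.group("mode") or "RO").upper()   # IOS treats a missing mode as RO
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, community, mode, "default community string"))
        elif mode == "RW" and m.group("acl") is None:
            findings.append((line_no, community, mode, "read/write without ACL"))
    return findings


def rw_default_count(config_text):
    """Number of read/write communities still using a vendor default: the urgent ones."""
    return sum(
        1 for _, _, mode, reason in find_snmp_findings(config_text)
        if mode == "RW" and reason.startswith("default")
    )


if __name__ == "__main__":
    for line_no, community, mode, reason in find_snmp_findings(SAMPLE_CONFIG):
        print(f"line {line_no}: {community!r} ({mode}) - {reason}")
```

On the sample this reports three lines: the read-only `public` string and both `private` read/write strings, the second of which is still a finding even though an access list (`20`) restricts where it can be used.  Ranking read/write defaults first matters because a write community lets a caller change device configuration, not just read it.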

Another area that is often overlooked is the management of service accounts.  Accounts used for things like printer management, backups, application installation and so on often have admin or near-admin capabilities.  Because they're used by scripts, services and apps, the passwords are often simple (frequently the same as the account name) and not set to expire.  It's a lazy and often overlooked part of account management, as the accounts are being used by the sysadmins themselves.  A simple, well-documented policy here would close a lot of back-door access.
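A policy only closes the back door if someone checks it.  The following is an added example, not code from the original post: it audits a constructed directory export (in the shape of Active Directory user records) for service accounts whose password never expires, whose password is older than a policy maximum, or which combine either of those with privileged group membership.  The `svc-` naming convention, the 365-day threshold, and the privileged-group list are hypothetical policy choices; the `userAccountControl` bit value for "password never expires" is the real AD flag.

```python
"""Audit a directory export for service accounts that breach password policy.

Added example, not from the original post.  SAMPLE_ACCOUNTS is a constructed
sample shaped like an Active Directory export; the naming convention,
thresholds and group list are hypothetical policy choices.
"""
from datetime import datetime, timedelta, timezone

# Real AD userAccountControl bits (NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD).
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000

MAX_PASSWORD_AGE = timedelta(days=365)        # hypothetical policy threshold
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Backup Operators"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the example is deterministic

# Constructed sample records: sAMAccountName, userAccountControl, pwdLastSet, group membership.
SAMPLE_ACCOUNTS = [
    {"sam": "svc-backup", "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwd_last_set": datetime(2019, 3, 2, tzinfo=timezone.utc), "groups": ["Backup Operators"]},
    {"sam": "svc-print", "uac": NORMAL_ACCOUNT,
     "pwd_last_set": datetime(2024, 4, 20, tzinfo=timezone.utc), "groups": ["Print Operators"]},
    {"sam": "svc-deploy", "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwd_last_set": datetime(2024, 5, 1, tzinfo=timezone.utc), "groups": ["Domain Admins"]},
    {"sam": "jsmith", "uac": NORMAL_ACCOUNT,
     "pwd_last_set": datetime(2024, 5, 15, tzinfo=timezone.utc), "groups": ["Domain Users"]},
]


def is_service_account(record):
    """Hypothetical convention: service accounts are named svc-<purpose>."""
    return record["sam"].lower().startswith("svc-")


def account_findings(record, now=NOW):
    """Reasons this account breaches the service-account policy (empty if compliant)."""
    reasons = []
    if record["uac"] & DONT_EXPIRE_PASSWORD:
        reasons.append("password never expires")
    if now - record["pwd_last_set"] > MAX_PASSWORD_AGE:
        reasons.append("password older than policy maximum")
    # Privilege on its own is not a finding; privilege plus a weak credential lifecycle is.
    if reasons and PRIVILEGED_GROUPS & set(record["groups"]):
        reasons.append("holds privileged group membership")
    return reasons


def audit(records, now=NOW):
    """Map of service-account name -> findings, for accounts with at least one."""
    report = {}
    for rec in records:
        if not is_service_account(rec):
            continue
        reasons = account_findings(rec, now)
        if reasons:
            report[rec["sam"]] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample, `svc-backup` is the worst case (non-expiring, five-year-old password, Backup Operators member) and `svc-deploy` is flagged for a non-expiring password on a Domain Admins account, while `svc-print` passes.  The report is the artefact to hand back to the team that owns each account, with a deadline to rotate or re-scope it.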

Many organisations now have well-developed policies for at least laptops, if not yet for Bring Your Own Device / smartphone-style devices.  Laptops often have group policies that prevent social networking or instant messenger products, or the installation of additional software in general.  Local account passwords are often linked to a directory where a complex password policy is in place.

All good stuff, but what happens if the physical device is lost or stolen?  It takes probably 5 minutes to unscrew the back panel of the laptop, take out the disk, put it into an external USB caddy and mount it as a new slave drive.  No CTRL-ALT-DEL password to bypass or network to attach to, just straight into the raw file system.  Unless, of course, it was encrypted!  Basic (and good) encryption software is readily available for at least partition encryption, and full disk encryption (including the MBR) is now becoming standard too with on-board crypto-processors.

Security in depth is key, and basic disk encryption easily closes off the portable storage problem.
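"Is the data actually encrypted?" is a question worth answering per mounted filesystem rather than per policy document.  The script below is an added example, not part of the original post: it walks a constructed sample in the shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output and reports every mounted filesystem that has no dm-crypt (`crypt`) layer anywhere above it in the device tree.  The ignore list for boot partitions is a hypothetical choice, since those are normally unencrypted by design.

```python
"""Report mounted filesystems that do not sit on an encrypted block device.

Added example, not from the original post.  SAMPLE_LSBLK_JSON is a constructed
sample shaped like `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output.
"""
import json

# Constructed sample: LUKS root, plain /data partition, and a plain USB disk.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
    ]},
    {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/data"}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/mnt/usb"}
  ]}
]}
"""


def _walk(node, under_crypt, out):
    """Depth-first walk collecting (mountpoint, encrypted) for every mounted node."""
    # A node is protected if it is a dm-crypt mapping or descends from one.
    encrypted = under_crypt or node.get("type") == "crypt"
    if node.get("mountpoint"):
        out.append((node["mountpoint"], encrypted))
    for child in node.get("children", []):
        _walk(child, encrypted, out)


def mounted_filesystems(lsblk_json):
    """List of (mountpoint, encrypted) pairs parsed from lsblk JSON output."""
    tree = json.loads(lsblk_json)
    out = []
    for device in tree["blockdevices"]:
        _walk(device, False, out)
    return out


def unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Mountpoints whose data would be readable if the disk were pulled and mounted elsewhere."""
    return sorted(
        mountpoint for mountpoint, encrypted in mounted_filesystems(lsblk_json)
        if not encrypted and mountpoint not in ignore
    )


if __name__ == "__main__":
    # On a real host: lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT | python3 this_script.py
    for mountpoint in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"unencrypted filesystem mounted at {mountpoint}")
```

On the sample, `/` is fine because it sits inside the `cryptroot` mapping, but `/data` on a plain partition and the USB disk at `/mnt/usb` are both reported.  That second case is the one the post's scenario is about: a partially encrypted laptop still leaks whatever lives on the plain volume.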

Other basic "no-tech" protection areas should be focused on social engineering.  ID badge checking by reception.  Zero tolerance of tailgating and doors left open.  Passwords never written down or shared.

If something or someone looks suspicious, ask, check and prevent the incident from occurring before it becomes damaging.  It may seem like extra effort in the short term, but it will beat any effort involved in a recovery exercise.

(Simon Moffatt)
