
IDENTIFICATION OF INFORMATION SYSTEMS VULNERABILITIES

Sergei Konovalenko

postgraduate student, Krasnodar Higher Military School,

Russia, Krasnodar

Igor Korolev

Doctor of Engineering, Professor, Professor of the Department of Protected Information Technologies, Krasnodar Higher Military School,

Russia, Krasnodar


ABSTRACT

An assessment of existing tools for analyzing information systems security was performed. On the basis of the achieved results the models of detection, identification and evaluation of information systems vulnerabilities images were built. The main characteristics (elements) inherent to the images of the existing information systems vulnerabilities were defined.


Keywords: detection; information system; identification; evaluation; description of the image; vulnerability.

Any information system (hereinafter referred to as IS) has certain vulnerabilities, the list of which is quite extensive and is constantly being updated (expanded). IS vulnerabilities are caused by shortcomings (errors) that arise during the "life cycle" of the system. In this light, the feasibility of implementing threats to the security of an IS depends directly on the attacker's ability to detect and exploit its inherent vulnerabilities. On the other hand, the process of identifying IS vulnerabilities carried out by a specialist is fundamental to countering an attacker at the early stages of an attack.

The purpose of this article is to build generalized models for detecting, identifying and assessing the images of IS vulnerabilities, and to determine the characteristics (elements) inherent in the images of existing vulnerabilities, which will allow a specialist to better systematize his work in ensuring the security of the IS under his control.

According to GOST R 56545-2015, a "vulnerability" is a deficiency (weakness) of a software (software and hardware) component or of the IS as a whole that can be used to implement threats to information security. An "information system" is the set of information contained in databases (hereinafter referred to as DB) together with the information technologies and technical means that ensure its processing.

Any IS vulnerability can be represented as an image that includes a set of certain characteristics (elements describing a given vulnerability), formed according to certain rules.

The description of an IS vulnerability is information about the identified (discovered) vulnerability. The rules for describing IS vulnerabilities are a set of provisions governing the structure and content of the vulnerability description.

By their images, vulnerabilities are divided into images of known vulnerabilities, images of zero-day vulnerabilities and images of newly discovered vulnerabilities. A known vulnerability is a publicly disclosed vulnerability for which appropriate information security measures, flaw fixes and related updates have been described. A zero-day vulnerability is a vulnerability that becomes known before the developer of the IS component releases appropriate information security measures, flaw fixes or updates. A newly identified vulnerability is a vulnerability that has not been published in the public domain.

Each type of IS vulnerability image has both general and specific characteristics (elements), which can be summarized in a table. An example of such a table is shown below.

Table 1. Elements of different types of IS vulnerability images

Columns: characteristic of the vulnerability image; element inherent in the image of a known vulnerability; element inherent in the image of a zero-day vulnerability; element inherent in the image of a newly identified vulnerability.

Rows (characteristics): place of detection (identification) of the vulnerability in the IS; method of detecting (revealing) the vulnerability; name of the vulnerability.

Before moving on to the models for detecting, identifying and assessing the images of vulnerabilities, it should be clarified that an IS consists of the following levels:

  • the application software level (hereinafter referred to as software), which is responsible for interaction with the user;
  • the database management system level (hereinafter referred to as the DBMS), which is responsible for storing and processing IS data;
  • the operating system level (hereinafter referred to as the OS), which is responsible for supporting the DBMS and the application software;
  • the network level, which is responsible for the interaction of IS nodes.

Different types (classes) of vulnerabilities are associated with each IS level. To identify vulnerabilities, models for detecting, identifying and assessing them need to be developed.

The main sources of IS vulnerabilities are:

  • errors in the development (design) of the IS (for example, errors in software);
  • errors in the implementation of the IS (IS administrator errors) (for example, incorrect installation or configuration of software, an ineffective security policy concept, etc.);
  • errors in the use of the IS (user errors) (for example, weak passwords, violations of the security policy, etc.).

To detect, identify and assess IS vulnerabilities, as well as to generate reports and eliminate (neutralize) vulnerabilities, network security analysis tools (hereinafter referred to as SAS), also called security scanners (hereinafter referred to as SS), are used. They can be divided into two types:

  • network-level SAS (SS), which perform remote analysis of the state of monitored hosts at the network level;
  • OS-level SAS (SS), which perform local analysis of the state of monitored hosts; sometimes this requires installing a special agent on the monitored hosts.

The relevance of using SAS (SS) is that they allow a specialist to determine in advance a sufficiently large list of the types (classes) of vulnerabilities inherent in the controlled IS and to take the necessary measures (in some cases, to attempt to take them) to eliminate those vulnerabilities or to eliminate (minimize) the possibility of an attacker exploiting them.

To systematize the work of a specialist in securing the controlled IS, and on the basis of the above analysis, a generalized model for detecting images of IS vulnerabilities is built (Figure 1).

Figure 1. Generalized model for detecting images of IS vulnerabilities

The process of detecting IS vulnerabilities consists of passive checks (scanning) and active checks (probing) for the presence of vulnerabilities in the controlled IS.

During scanning, the SAS sends appropriate requests to the controlled IS (to the ports of the controlled host), analyzes the returned banners (headers of data packets) and draws conclusions about the type of IS and the presence of potential (possible) vulnerabilities in it. The scan result does not always indicate the presence of possible (typical) IS vulnerabilities, since the text of the banner may have been deliberately modified, or the known vulnerabilities inherent in this IS may have been eliminated by a specialist during its implementation (use). Another way of performing scanning is by active probing checks, which make it possible to analyze the returned digital impression (fingerprint) of a software fragment of the controlled IS (i.e. to compare the obtained result with the digital impression of a known vulnerability of this type of IS). This method provides a more reliable and accurate procedure for identifying possible (typical) vulnerabilities of the controlled IS.

During probing, the SAS simulates the execution of an attack on the controlled IS using the image of a possible (typical) vulnerability obtained during scanning. The result of probing is the most accurate and reliable information on the presence of vulnerabilities in the controlled IS. This method is not always used, since there is a risk of disrupting (disabling) the controlled IS. The decision to apply it is taken by the network administrator when scanning and active probing checks have been ineffective, or when their results need to be confirmed.

The results of scanning and probing are sent to the vulnerability database, which stores the images of the vulnerabilities of the controlled IS. By comparing the image of the detected vulnerability with the images of the vulnerabilities of the controlled IS, the SAS generates a report on the absence or presence of matches between vulnerability images (detection of vulnerabilities), which is stored in the vulnerability database.

The generalized model for detecting images of vulnerabilities is detailed by the generalized model for identifying and assessing images of IS vulnerabilities (Figure 2).

Figure 2. Generalized model for identifying and assessing images of IS vulnerabilities

The image of a detected IS vulnerability, which has specific characteristics (elements), is identified by comparing it with the images of known vulnerabilities and zero-day vulnerabilities stored in the vulnerability database. A formalized description of known and zero-day vulnerabilities is drawn up in the form of passports, which contain information about the specific characteristics (elements) of a particular vulnerability. To accurately identify the image of a detected vulnerability, it must contain the name and version of the IS software in which the vulnerability was found, and the identifier, name and class of the detected vulnerability. Based on this information, the SAS assigns the image of the detected vulnerability to one of the types of vulnerability images. For a high-quality assessment, the identified vulnerability image must in turn contain the identifier and type of the IS flaw in which the vulnerability was detected, the place in the IS where the vulnerability was discovered, and the method by which it was detected. The assessment of the vulnerability image ends with the development of recommendations for eliminating the vulnerability or excluding the possibility of its exploitation. When the image of a newly identified vulnerability is detected, the SAS places information about it in the vulnerability database and forms a new zero-day vulnerability passport. When the IS developer issues information protection measures and the necessary updates, and the flaws are fixed, the zero-day vulnerability becomes a known vulnerability.
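The scan, identify and probe pipeline described in the detection model above, together with the passport comparison of the identification model, as an added example written for this page (it is not the authors' code). The banner lines, passports, placeholder vulnerability identifiers and probe responses are all constructed, and the banner format and the fingerprint scheme (a SHA-256 of a response fragment) are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass, replace

def fp(text):
    """Digital impression (fingerprint) of a response fragment, assumed to be SHA-256."""
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed passports of vulnerability images (the paper's "vulnerability database").
# Identifiers are placeholders, not real vulnerability ids.
@dataclass(frozen=True)
class Passport:
    software: str
    versions: tuple        # affected versions, exact version strings
    identifier: str
    name: str
    vuln_class: str
    image_type: str        # "known" or "zero-day"
    fingerprint: str       # impression a probe response must match to confirm

PASSPORTS = (
    Passport("ExampleHTTPd", ("2.4.1", "2.4.2"), "VULN-PLACEHOLDER-001",
             "Path traversal in static file handler", "web application", "known",
             fp("HTTP/1.1 200 OK\r\nX-Debug: traversal-ok")),
    Passport("ExampleSSH", ("7.1",), "VULN-PLACEHOLDER-002",
             "Debug mode reachable without authentication", "OS level", "zero-day",
             fp("SSH-2.0-ExampleSSH_7.1 debug")),
)

# Banner line format assumed for this example: "<port>/tcp <software>/<version>"
BANNER_RE = re.compile(r"^(?P<port>\d+)/tcp\s+(?P<software>[A-Za-z]+)/(?P<version>[\d.]+)\s*$")

@dataclass(frozen=True)
class Image:
    """A vulnerability image: the elements the paper lists, plus how it was obtained."""
    host: str
    port: int
    software: str
    version: str
    identifier: str = "n/a"
    name: str = "n/a"
    vuln_class: str = "n/a"
    image_type: str = "newly identified"
    method: str = "scan"   # "scan" (passive banner check) or "probe" (active check)
    confirmed: bool = False

def scan(host, banner_lines):
    """Passive check: parse banners into candidate vulnerability images."""
    images = []
    for line in banner_lines:
        m = BANNER_RE.match(line)
        if m:   # unparseable banners (e.g. deliberately altered ones) yield no image
            images.append(Image(host, int(m["port"]), m["software"], m["version"]))
    return images

def identify(image, passports=PASSPORTS):
    """Compare the image with stored passports; fill in identifier, name, class and type."""
    for p in passports:
        if p.software == image.software and image.version in p.versions:
            return replace(image, identifier=p.identifier, name=p.name,
                           vuln_class=p.vuln_class, image_type=p.image_type)
    return image   # no passport matched: treat as a newly identified image

def probe(image, response, passports=PASSPORTS):
    """Active check: compare the fingerprint of a probe response with the passport's."""
    for p in passports:
        if p.identifier == image.identifier:
            return replace(image, method="probe", confirmed=(fp(response) == p.fingerprint))
    return image

def detect(host, banner_lines, responses):
    """Full pipeline: scan -> identify -> probe where a probe response was captured."""
    results = []
    for img in scan(host, banner_lines):
        img = identify(img)
        if img.identifier in responses:
            img = probe(img, responses[img.identifier])
        results.append(img)
    return results

# Constructed sample input: banners from one host and one captured probe response
SAMPLE_BANNERS = [
    "80/tcp ExampleHTTPd/2.4.1",
    "22/tcp ExampleSSH/7.1",
    "443/tcp ExampleHTTPd/2.5.0",          # version not covered by any passport
    "8080/tcp banner intentionally altered",
]
SAMPLE_RESPONSES = {"VULN-PLACEHOLDER-001": "HTTP/1.1 200 OK\r\nX-Debug: traversal-ok"}

if __name__ == "__main__":
    for r in detect("host-a", SAMPLE_BANNERS, SAMPLE_RESPONSES):
        print(r)
```

The altered banner produces no image at all, which is the false-negative case the text warns about for passive scanning; the 2.5.0 banner shows how an unmatched image stays "newly identified" until a passport for it exists.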

Summarizing the results of this article, we note that an IS security specialist must constantly work to identify vulnerabilities in the system, clearly understand the processes taking place in the SAS, monitor updates (expansion) of the vulnerability database, eliminate flaws in the system in a timely manner, and install the appropriate protection measures and updates for the controlled IS.

Bibliography:

  1. Astakhov A.S. Security analysis of corporate automated networks // Jet Info Bulletin. 2002. No. 7 (110). [Electronic resource]. URL: http://www.jetinfo.ru
  2. Gorbatov V.S., Meshcheryakov A.A. Comparative analysis of computer network security controls // Security of Information Technologies. 2013. No. 1. [Electronic resource]. URL: http://www.bit.mephi.ru
  3. GOST R 56545-2015 "Information security. Information systems vulnerabilities. Vulnerability description rules". Moscow: Standartinform, 2015.
  4. GOST R 56546-2015 "Information security. Information systems vulnerabilities. Classification of information systems vulnerabilities". Moscow: Standartinform, 2015.
  5. Lukatskiy A.V. How does a security scanner work? [Electronic resource]. URL: http://www.citforum.ru/security/internet/scaner.shtml (accessed 14.09.2016).
  6. Lukatskiy A.V. Detection of attacks. St. Petersburg: "BVH" publishing house, 2001. 624 p.
  7. User guide for the software package "Scanner-VS security analysis tool". NPESH.00606-01. CJSC NPO Echelon, 2011.
  8. XSpider security scanner. Administrator's guide [Electronic resource]. URL: http://www.ptsecurity.ru (accessed 15.09.2016).
  9. MaxPatrol security scanner. Security control system [Electronic resource]. URL: http://www.ptsecurity.ru (accessed 16.09.2016).
  10. Northcutt S., Novak J. Detection of security breaches in networks. 3rd ed., translated from English. Moscow: "Williams" publishing house, 2003. pp. 265–280.

We continue our review of the recent changes to FSTEC of Russia Order No. 17. This time: analysis of GIS vulnerabilities.

Analysis of GIS vulnerabilities is now required at 3 of the 6 stages of the life cycle of a GIS information security system: formation of requirements, implementation and certification.

1. At the stage of analyzing threats to the security of GIS information, an analysis of possible IS vulnerabilities must be carried out, using the FSTEC of Russia information security threat databank (hereinafter BDU) and other vulnerability data sources as input. The threat model must include a description of possible IS vulnerabilities.

The main difference from the other stages lies in the word "possible". Not actual, but possible. And with a good imagination, everything becomes possible. As far as I understand, there needs to be some kind of classification of all possible vulnerabilities, with unsuitable types excluded for specific reasons (absence of an object of influence, certain structural characteristics, unused IT).

The problem is that there is no such classification of vulnerabilities in the Vulnerabilities section of the FSTEC BDU. In addition, the Vulnerabilities section lists only actual software vulnerabilities. But what about GIS vulnerabilities in general? Shortcomings of organizational measures?

In fact, the list of such possible vulnerabilities is hidden, in unstructured form, in the text of the threats in the FSTEC BDU: "This threat is due to vulnerabilities of some system (mother)boards: the presence of mechanisms for hard-resetting passwords set in the BIOS/UEFI" or "This threat is caused by weaknesses in network traffic filtering and anti-virus control at the organization level."

2. At the stage of implementation of the information security system, an analysis of actual vulnerabilities is required.

"When analyzing the vulnerabilities of the information system, the following are checked: the absence of known vulnerabilities in information protection means, hardware and software, including taking into account information available to developers and obtained from other publicly available sources; the correctness of installation and configuration of information protection means, hardware and software; and the correctness of operation of information protection means when interacting with hardware and software.

Based on the results of the vulnerability analysis, it must be confirmed that the information system contains no vulnerabilities listed in the FSTEC of Russia information security threat databank or in other sources, or that their use (exploitation) by the violator is impossible."


It is good, though, that vulnerabilities in the BDU have such fields as Manufacturer, Software name and Software version. Having compiled a complete list of your software in advance, you can select the relevant vulnerabilities. But what about the results? For example, for Windows 8.1 there are 247 vulnerabilities in the BDU. Next, for each of them you need to follow the links to external sources, check what was proposed there to eliminate the vulnerability, and check whether the corresponding updates are installed.
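Added example (not from the post, and not code from any of the scanners named in it): cross-referencing a software inventory with BDU-style records by manufacturer, software name and version, then checking installed updates and documented mitigations to produce the per-host confirmation that the implementation stage requires ("no vulnerabilities, or their exploitation is impossible"). All identifiers, versions, update names and hosts are constructed placeholders, and the record layout is an assumption reduced to the fields the post mentions plus a fixing update.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(v):
    """'6.3.9600' -> (6, 3, 9600) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

@dataclass(frozen=True)
class VulnRecord:
    """One BDU-style record reduced to the fields the post mentions (plus a fix)."""
    vuln_id: str                # placeholder identifier, not a real BDU entry
    vendor: str                 # "Manufacturer" field
    software: str               # "Software name" field
    version_min: str            # "Software version": inclusive lower bound
    version_max: str            # inclusive upper bound
    fix_update: Optional[str]   # placeholder id of the update that closes it, or None

@dataclass(frozen=True)
class Asset:
    """One inventory line, plus what is installed and what is documented as mitigated."""
    host: str
    vendor: str
    software: str
    version: str
    installed_updates: frozenset
    mitigations: dict           # vuln_id -> reason why exploitation is impossible

def applies(rec, asset):
    """Select a record by manufacturer, software name and version range."""
    if (rec.vendor, rec.software) != (asset.vendor, asset.software):
        return False
    v = parse_version(asset.version)
    return parse_version(rec.version_min) <= v <= parse_version(rec.version_max)

def assess(asset, records):
    """Status of every applicable record on one asset."""
    statuses = {}
    for rec in records:
        if not applies(rec, asset):
            continue
        if rec.fix_update and rec.fix_update in asset.installed_updates:
            statuses[rec.vuln_id] = "closed: " + rec.fix_update + " installed"
        elif rec.vuln_id in asset.mitigations:
            statuses[rec.vuln_id] = "exploitation impossible: " + asset.mitigations[rec.vuln_id]
        elif rec.fix_update:
            statuses[rec.vuln_id] = "open: " + rec.fix_update + " missing"
        else:
            statuses[rec.vuln_id] = "open: no fix published"
    return statuses

def confirmation_report(assets, records):
    """Per host: (confirmed, statuses). confirmed is True only when nothing is open."""
    report = {}
    for asset in assets:
        statuses = assess(asset, records)
        confirmed = not any(s.startswith("open") for s in statuses.values())
        report[asset.host] = (confirmed, statuses)
    return report

# Constructed sample data
RECORDS = (
    VulnRecord("BDU-PLACEHOLDER-001", "ExampleVendor", "ExampleOS", "6.1", "6.3", "UPD-PLACEHOLDER-001"),
    VulnRecord("BDU-PLACEHOLDER-002", "ExampleVendor", "ExampleOS", "6.3", "6.3", "UPD-PLACEHOLDER-002"),
    VulnRecord("BDU-PLACEHOLDER-003", "OtherVendor", "ExampleBrowser", "50.0", "58.9", None),
    VulnRecord("BDU-PLACEHOLDER-004", "ExampleVendor", "ExampleOS", "7.0", "7.0", "UPD-PLACEHOLDER-003"),
)
ASSETS = (
    Asset("host-a", "ExampleVendor", "ExampleOS", "6.3", frozenset({"UPD-PLACEHOLDER-001"}), {}),
    Asset("host-b", "ExampleVendor", "ExampleOS", "6.3",
          frozenset({"UPD-PLACEHOLDER-001", "UPD-PLACEHOLDER-002"}), {}),
    Asset("host-c", "OtherVendor", "ExampleBrowser", "57.2", frozenset(),
          {"BDU-PLACEHOLDER-003": "host has no network route to untrusted content"}),
)

if __name__ == "__main__":
    for host, (ok, statuses) in confirmation_report(ASSETS, RECORDS).items():
        print(host, "confirmed" if ok else "NOT confirmed", statuses)
```

The mitigation branch is what turns "there is a vulnerability" into the order's alternative wording, so each reason should be something an assessor can verify later; the report deliberately treats a record with no published fix and no mitigation as open rather than silently dropping it.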

Manually, this is difficult. I would like the vulnerability scanners to be able to work with the BDU and do everything for us. Let's see...

RedCheck from Altex-Soft: "RedCheck searches for vulnerabilities in our ovaldb database, which is synchronized with the FSTEC of Russia information security threat database! The list of vulnerabilities can be found on the database site https://ovaldb.altx-soft.ru/Definitions.aspx?Refsource=FSTEC."

Seems OK. It's just a pity that the latest vulnerability at that link is from 2016, while the BDU already has plenty from 2017.

Network Auditor 3.0 from CBI: "Network Auditor initially searches for vulnerabilities included in the FSTEC of Russia vulnerability database (http://bdu.fstec.ru) in Windows operating systems and in the applications and information security tools running on them, including Russian-made ones. In addition to searching for vulnerabilities from the FSTEC of Russia vulnerability database, Network Auditor network scanner version 3.0 searches for vulnerabilities contained in such sources as cve.mitre.org, ovaldb.altx-soft.ru, microsoft.com and others."

XSpider from Positive Technologies: "There will definitely be such a capability. In June, as part of the XSpider recertification, a build with this functionality will be submitted to the FSTEC testing laboratory."

Scanner-VS from Echelon: "Scanner-VS supports searching for vulnerabilities from the FSTEC of Russia BDU." In practice, though, the current certified version does not support it.

In total, it is possible that in the future scanners will do everything for us, but at the moment I did not find a ready-made report confirming the absence of vulnerabilities from the FSTEC BDU. And there are questions about how current the databases are: the results will have to be checked carefully, and the latest vulnerabilities possibly reviewed manually.

In addition, do not forget that the analysis of vulnerabilities also includes an analysis of the settings of the information security system, software and hardware and the analysis of the correctness of the functioning of the information security system.

3. At the certification stage, the following test is required: "Analysis of information system vulnerabilities, including those caused by incorrect setting (configuration) of software and information security tools", with the "results of the analysis of information system vulnerabilities" used as initial data. How does that work at all?

Are we just repeating what we did at the implementation stage? Taking into account the latest requirements for the separation of assessors and implementers, apparently the reliance is on selective independent duplicate analysis.

INTRODUCTION

Corporate IT infrastructure is a complex multicomponent mechanism designed to automate a company's business processes. Domain infrastructure, mail services, web applications, business systems: all of this forms the basis of any corporate information system. Depending on the size of the company and the number of its employees, the size of the IT infrastructure also differs. Nevertheless, most companies share common problems in ensuring the information security of their information systems. For example, during the spread of the WannaCry ransomware, more than 500 thousand computers were affected, belonging to government agencies, large companies and small commercial organizations alike. This incident confirms that absolutely any organization can suffer from malicious attacks.

This study identifies the main trends in the analysis of the security of corporate information systems and allows you to determine:

  • what are the most likely attack vectors that an intruder can use to gain access to corporate network resources;
  • what vulnerabilities are most common on the network perimeter;
  • how dangerous are the actions of an intruder who has access to LAN resources;
  • what security flaws allow an attacker to gain maximum privileges in the corporate infrastructure;
  • whether social engineering attacks are still relevant;
  • how access to internal network resources can be gained using attacks on wireless networks.

This study is based on statistical data for 2017 obtained from the security analyses of corporate information systems carried out by Positive Technologies specialists. The conclusions drawn may not reflect the current state of security of information systems in other companies. The purpose of the study is to draw the attention of information security specialists to the most pressing problems and help them identify and eliminate vulnerabilities in a timely manner.

1. SUMMARY

Security analysis of the network perimeter:

  • it was possible to successfully overcome the network perimeter and gain access to LAN resources in 68% of projects to analyze the security of corporate information systems;
  • guessing of dictionary credentials for resources on the network perimeter and exploitation of vulnerabilities in web applications are the main attack vectors for penetrating the internal network;
  • Based on the results of instrumental scanning of network perimeter resources, it was found that 31% of companies were at risk of infection with the WannaCry ransomware virus.

Analysis of the security of internal resources:

  • in penetration testing on behalf of an internal attacker, full control over the entire infrastructure was obtained in all systems;
  • vulnerability MS17-010 was found in 60% of corporate systems tested between April 14 and December 31, 2017, which indicates untimely installation of critical OS security updates;
  • insufficient protection against recovery of credentials from OS memory is the main vulnerability that allows an attacker to gain full control over the corporate information system.

Employee Awareness Assessment:

  • 26% of employees follow a link to a phishing web resource, and almost half of them enter their credentials in a fake authentication form;
  • every sixth employee exposes corporate infrastructure to the risk of virus infection.

Analysis of the security of wireless networks:

  • In 75% of cases, an attacker can gain access to internal network resources through attacks on wireless networks, as well as obtain sensitive information (for example, domain user accounts).

2. INITIAL DATA

The statistics for 2017 are based on the results of security analyses of 22 corporate systems belonging to both Russian and foreign companies from various sectors of the economy. When selecting projects for the study, the informativeness of the results obtained was taken into account. Projects that, at the customer's request, were carried out on a limited number of nodes were not included, since they do not reflect the real state of security of the corporate information system as a whole. As in 2016, the bulk of penetration tests were done for financial institutions and industrial companies. Successful attacks on corporate systems in the financial and industrial sectors tend to bring cybercriminals the greatest benefit. A successful attack on a bank's infrastructure often leads directly to theft of money. An intruder's penetration into the internal network of an industrial company can lead not only to leakage of sensitive information, which can later be sold to competitors, but also to disruption of the technological process.

Security analysis of corporate networks was carried out by means of external, internal and comprehensive penetration testing (the latter includes both external and internal). Penetration testing is an effective method of security analysis that allows you to identify vulnerabilities in the corporate infrastructure and obtain an objective, independent assessment of its level of security. During testing, the actions of a potential intruder are simulated, with attacks carried out both from the Internet and from segments of the company's internal network. This approach makes it possible to recreate the conditions in which violators usually operate and to quickly eliminate security flaws.

For the second year in a row, we have seen interest in comprehensive services. Our customers strive not only to protect their network perimeter from an external attacker, but also to reduce the risks associated with compromise of the LAN by an internal attacker.


In addition to penetration testing, for many customers, work was also carried out to analyze the security of wireless networks and assess the awareness of employees in information security issues.


This year, the results of the network perimeter security analysis obtained during external penetration testing are compared not only with the results of last year's study, but also with the statistics obtained during the instrumental research carried out during the period of active spread of the WannaCry ransomware. In Q2 2017, Positive Technologies offered free external perimeter scanning to identify vulnerable services. Applications were submitted by 26 companies from different sectors of the economy. Statistics on external penetration testing compared with the results of the instrumental research are discussed in detail in the corresponding section below.

3. STATISTICS FOR 2017

3.1. General results of security analysis

As a rule, when analyzing the security of each system, our specialists discover vulnerabilities and shortcomings of protection mechanisms which, among other things, allow an attack vector to be developed up to complete compromise of the company's infrastructure, access to sensitive information, denial-of-service attacks, etc. We divide all vulnerabilities into three categories: those related to configuration flaws; those related to missing security updates; and those related to errors in the code of web applications. For each identified vulnerability, the severity level is determined according to the CVSS version 3.0 classification system.


18 years: age of the oldest vulnerability (CVE-1999-0532) discovered during instrumental analysis of network perimeter resources




Compared to last year, the share of corporate systems in which critical-severity vulnerabilities (CVSS ≥ 9.0) were discovered has almost doubled. This is mainly due to the publication of information about the critical vulnerability MS17-010 in the SMB service of nodes running Windows. After public exploits appeared, in many internal penetration testing projects our specialists used this vulnerability to gain full control over LAN nodes and escalate the attack up to obtaining maximum privileges in the domain.

For systems in which no errors in web application code and no shortcomings related to missing security updates were identified, it should be borne in mind that penetration testing is carried out by the black-box method, and not all existing vulnerabilities can be identified within the scope of the work. The main goal of penetration testing is to obtain an objective assessment of the security of a corporate system against attacks by intruders.

3.2. Results of the analysis of the security of the network perimeter

External Penetration Test Results

At the end of 2017, the security of the network perimeter of corporate information systems remained at the 2016 level. At the same time, however, there is a tendency toward lower complexity of overcoming the network perimeter. If in 2016 the difficulty of gaining access to LAN resources was assessed as trivial in only 27% of projects, then by the end of 2017 this figure had doubled, to 56%.


10: maximum number of vectors of penetration into the internal network identified during testing of one corporate information system in 2017

This distribution is explained by the fact that an attacker needs, on average, to complete two steps to gain access to LAN resources: for example, find dictionary credentials for authorization in a web application and use its vulnerabilities to be able to execute OS commands on the attacked host.

Based on the results of the security analysis of corporate information systems, on average two vectors of penetration into the internal network are identified per company; the maximum number of vectors detected for one company is 10.

You can divide all successful vectors of penetration into the internal network into categories:

  • 44% of successful attack vectors are based on guessing dictionary credentials for accessing web applications, DBMS and other services available for connection on the network perimeter; the attacker can then obtain the ability to execute OS commands on the attacked node;
  • 28% of attack vectors are based on exploiting web application vulnerabilities. In several external tests at once, vulnerabilities were identified that allow OS commands to be executed remotely, in one step and without authorization, with the privileges of the web application;
  • in 16% of cases, an attacker can gain access to internal network resources by exploiting vulnerabilities in outdated software versions (for example, in CMS platforms);
  • in other cases, an attacker can exploit configuration flaws in which credentials for accessing systems on the network perimeter are publicly available, for example, on the pages of a web application. In addition, cases were identified where our specialists found a previously uploaded web shell (a web-based command-line interpreter) on the web resource of the company under test, which indicates successful attacks already carried out by external attackers.

The top five most common vulnerabilities on the network perimeter include the same vulnerabilities as in 2016, but their percentage has changed. We can note a general downward trend in the average number of vulnerabilities detected during external penetration testing. For example, in 2016, vulnerabilities related to the use of dictionary credentials were identified in all tested systems; in 2017, this indicator halved. These results are due to the fact that many companies have previously carried out work on the analysis of the security of their corporate systems. As a result of such work, customers have successfully corrected most of the identified vulnerabilities and configuration flaws and began to more strictly monitor compliance with internal password policies. Accordingly, when external penetration testing was repeated after a year and a half, fewer vulnerabilities were discovered, which ultimately had a positive effect on overall results in 2017.


As in 2016, most often vulnerabilities on the network perimeter are detected in the applied software and in web servers.



Results of instrumental analysis of perimeter security

As mentioned earlier, in the second quarter of 2017 Positive Technologies ran a campaign of free external perimeter scanning for a number of companies in order to identify vulnerable services. The main goal was to counter the spread of the WannaCry ransomware. Applications for instrumental scanning of network perimeter resources were submitted by 26 companies from various sectors of the economy: IT and telecom companies, large retailers, companies from the financial sector and the oil and gas industry.

All companies first had to define the boundaries of their corporate systems. Already at this stage, some of the participants had difficulties: 23% were unable to determine the boundaries of their network perimeter or determined them incorrectly. The inability to determine the boundaries of the network perimeter is already evidence of the low security of the corporate information system from attacks from an external intruder - even before the results of a manual or instrumental analysis of the corporate system are obtained.

Network perimeters were scanned using MaxPatrol, an automated security analysis and compliance control system, together with additional software. The scan revealed many vulnerabilities: 15% of them are rated high risk on the CVSS version 2.0 scale, and publicly available exploits exist for some of them.


Statistics on the most popular vulnerabilities identified during instrumental scanning of the network perimeter can be considered separately. The most dangerous of these is CVE-2016-6515 in the OpenSSH service: when a password is entered for authentication, the application does not limit the number of characters accepted. This flaw allows a remote attacker to conduct denial-of-service attacks, and a publicly available exploit for it exists. In addition, if an attacker manages to guess credentials for an SSH connection and obtain user privileges on a UNIX system, the presence of CVE-2016-10010 in OpenSSH will allow him to escalate his privileges to the maximum on the compromised host using another exploit, and then develop the attack against LAN resources.


When analyzing the services available on the perimeter, the largest number of vulnerabilities were identified in web applications and remote access services (SSH). These results of instrumental analysis coincide with the statistics obtained during external penetration testing, where vulnerabilities and configuration flaws in web applications were in most cases the starting point for gaining access to LAN resources.


During the instrumental analysis of available web applications, statistics on the state of SSL certificates were collected separately. More than a quarter of the certificates had expired at the time of scanning, 15% used weak cryptographic algorithms (for example, SHA-1), and every sixth certificate had been issued for a period of more than 5 years.




The use of expired SSL certificates carries reputational risks for a company: after seeing a browser warning that the application uses an invalid certificate, the user may refuse to visit the web resource.

Using weak cryptographic algorithms nullifies the whole point of using SSL certificates, since an attacker can intercept network traffic and then successfully decrypt the received data. In addition, an attacker can forge the SSL certificate and set up his own phishing site, with which he can infect users with malware and steal their credentials. At the same time, users may think that their computers were infected after visiting the legitimate company website.

If an SSL certificate is issued for a period of more than 5 years, there is a risk that its key can be recovered (brute-forced) during that time.

Let us return to the main goal of the instrumental scanning of network perimeter resources. In 8 companies out of 26, external hosts with TCP port 445 open and the SMB service running were found. Thus, the infrastructure of almost every third company was at risk of infection with the WannaCry ransomware.

31% of companies were at risk of being infected by the WannaCry ransomware

3.3. Internal resources analysis results

In the event of a successful attack on the resources of the network perimeter, an external attacker can gain access to the internal network and further develop the attack up to full control over the entire IT infrastructure of the company.

As in 2016, during penetration testing on behalf of an internal attacker (for example, an ordinary company employee with access to the user segment of the network), full control over the entire infrastructure was obtained in all tested systems. Only in 7% of projects was the difficulty of gaining access to critical resources by an internal attacker rated as "Medium". In all other cases a low-skilled intruder could compromise the entire corporate system.

A typical attack vector on an internal network was based on obtaining maximum privileges on one of the LAN hosts and then launching specialized software to extract the credentials of other users who had previously connected to that host. By repeating these steps on different hosts, an attacker could ultimately find the host that stores the domain administrator account and retrieve its password in clear text.

In 60% of corporate systems tested between April 14 and December 31, 2017, the MS17-010 vulnerability was discovered

In 2017, obtaining maximum privileges on a host in the internal network became much simpler for an attacker after information on the MS17-010 vulnerability was published. On March 14, 2017, Microsoft released an update that fixes this vulnerability, and exactly one month later, on April 14, the Shadow Brokers hacker group published the EternalBlue exploit for it. From mid-April to the end of the year, our specialists successfully used this exploit in 60% of internal penetration tests, which indicates that critical OS security updates are installed late in most corporate systems.

Towards the end of 2017, corporate systems that had installed the updates fixing the critical vulnerability MS17-010 were encountered more often. However, in several projects another critical vulnerability, described in MS17-018, was successfully exploited on Windows hosts for local privilege escalation. An exploit for this vulnerability also exists, but it is not publicly available.

The statistics on the most common vulnerabilities in the internal network have remained practically unchanged compared to 2016. The exception is the new category "Insufficient protection against the recovery of accounts from OS memory". On LAN hosts running Windows, passwords in clear text (or their hashes) can be obtained from system memory using special software if the intruder has local administrator privileges. Previously, we attributed this vulnerability to the flaws of antivirus software, which should block the launch of any malicious utilities that extract credentials. However, modifications of such utilities written in PowerShell have recently appeared, designed specifically to bypass launch blocking by any antivirus software. Now, to protect against the extraction of credentials from OS memory, a comprehensive approach is needed, including disabling the saving of cached credentials, speeding up the clearing of logged-out user accounts from the memory of the lsass.exe process, and disabling the wdigest mechanism. Alternatively, modern versions of Windows 10 can be used, which implement the Remote Credential Guard system that isolates and protects the lsass.exe system process from unauthorized access. Thus, in 2017, in order to objectively assess the state of the corporate network's protection mechanisms, we introduced a separate metric for collecting statistics on the launch of utilities designed to extract credentials.

In the 14% of corporate systems where the vulnerability "Insufficient protection against the recovery of accounts from OS memory" was not found, other attack vectors were used to gain full control over the corporate infrastructure.


Statistics on flaws in the protection of service protocols were compiled from the projects in which LAN traffic analysis was performed (71% of companies). In some projects, customers objected to such checks, since they could disrupt the continuous operation of the network.



Based on the results of internal testing, it was established that the main problems of corporate information systems are the late installation of critical security updates and insufficient protection against the recovery of accounts from OS memory using specialized utilities.

4. RESULTS OF THE ASSESSMENT OF EMPLOYEE AWARENESS OF INFORMATION SECURITY ISSUES

In addition to penetration testing of corporate information systems, an assessment of employees' information security awareness was carried out for a number of companies. Such work is carried out according to scenarios agreed in advance with the customer, in which real attacks by cybercriminals using social engineering methods are simulated and the reactions of employees to these attacks are monitored.

Employees were tested in two ways: by email and by telephone. To obtain an objective assessment of the employees' level of awareness, the following controlled events were analyzed:

  • following a link to an attacker's web resource;
  • entering credentials into a deliberately fake authentication form;
  • launching the file attached to the letter;
  • the fact of interaction with the attacker by phone or email.

It was found that 26% of employees click on a link to a phishing web resource, and almost half of them subsequently enter their credentials in a fake authentication form. Every sixth employee exposes the corporate infrastructure to the risk of malware infection by launching a file attached to the letter. In addition, 12% of employees are ready to enter into a dialogue with an intruder and disclose information that can later be used in attacks on the corporate information system.


In total, during the employee awareness assessments in 2017, more than 1,300 emails were sent, half of which contained a link to a phishing resource and the other half a file with a special script that sent our specialists the time the file was opened and the employee's email address. A real attacker could add a set of exploits for various vulnerabilities to the file, including CVE-2013-3906, CVE-2014-1761, and CVE-2017-0199. Such an attack can lead to the attacker gaining control over the workstation of the corresponding user, spreading malicious code, denial of service, and other negative consequences.

Typical example of a social engineering attack:

  1. an attacker places a set of exploits for various software versions on a controlled resource;
  2. a link to this resource is sent in bulk in phishing emails;
  3. an employee of the organization follows the link from the letter, and after opening the page in the browser, vulnerabilities are exploited.

Such an attack can lead to the user's workstation being infected with malware. If an outdated browser version is used, remote code execution is also possible (for example, CVE-2016-0189). Thus, an attacker can gain access to a host on the internal network and escalate the attack to maximum privileges in the corporate infrastructure. For more information on attack scenarios using social engineering methods, see our study "How social engineering opens the door for a hacker to enter your organization".

5. RESULTS OF THE SECURITY ASSESSMENT OF CORPORATE WIRELESS NETWORKS

40% of companies use a dictionary key for their wireless network

Attacks on wireless networks are an alternative way for an outside intruder to gain access to resources on the internal network. If an attempt to overcome the network perimeter, for example through attacks on web applications, fails, an attacker can take advantage of vulnerabilities in the company's wireless networks. For a successful attack, he needs to purchase inexpensive equipment in advance and get into the coverage area of the wireless network. Moreover, an attacker does not have to enter the company's controlled area in order to carry out attacks: our work has established that 75% of wireless networks are available outside it. That is, attacks on wireless networks can be carried out discreetly from a nearby area, for example, from the parking lot next to an office building.

In 2017, virtually all tested wireless networks used WPA2 with various authentication methods, the most common of which was PSK (pre-shared key).


Different scenarios can be used to attack wireless networks, depending on the authentication method in use. In 2017, the following two scenarios were most commonly used to gain access to internal network resources:

  • interception of handshake between the access point and the legitimate client (only suitable for the PSK method);
  • attacks on wireless clients using a fake access point (suitable for all authentication methods).

In the first scenario, the password is brute-forced from the intercepted handshake. Success depends on the complexity of the password used. It is important to keep in mind that an attacker can do this outside the range of the access point under investigation. Even if, within the time limits of a project, our specialists do not always manage to recover the password from the handshake, an attacker has more time, which significantly increases his chances.

After the password was recovered and a connection to the access point established, it was found that 75% of wireless networks have no isolation between users. Thus, an attacker can attack users' devices, for example by exploiting the MS17-010 vulnerability on their personal and corporate laptops.


If the access point password could not be recovered, the second scenario, setting up a fake access point, can be used.

First, an attacker can combine a fake access point with a phishing authentication page in order to obtain credentials and intercept sensitive information transmitted over open data transfer protocols (for example, HTTP, FTP).

In 2017, as part of a project to analyze the security of a wireless network in Moscow, Positive Technologies specialists used a fake access point with the ESSID (Extended Service Set Identification) MT_FREE, which is popular among city residents because it is used to access the Wi-Fi network deployed on public transport. Next, a fake authentication form was prepared using the logo and corporate identity of the company under test. After connecting to the fake access point, all users were redirected, when trying to open any website, to a page with a fake corporate network authentication form. As a result of this attack, it was possible to obtain the domain credentials of the company's employees and use them to develop the attack further.


Only in 1 of the 8 tested companies did employees not enter their credentials in the fake authentication form

Second, an attacker can use a fake access point to intercept user credentials stored on the device. To do this, an access point with the same ESSID and the same parameters as the legitimate one is created. If the user's device is configured to connect automatically to the saved wireless network, it will try to connect to the fake access point automatically if its signal is stronger at the device's location. As a result of such attacks, an attacker can obtain the password hashes of company employees and use them to develop the attack on the corporate infrastructure further.

It has been found that in 75% of cases an attacker can, through attacks on wireless networks, gain access to internal network resources as well as sensitive information (for example, domain user accounts). This method of penetrating the internal network is an effective alternative to classic attacks on network perimeter hosts.

Every year, based on the results of penetration tests, we determine the services for which dictionary passwords were most often used. These statistics are primarily intended for system administrators, to remind them to use strong passwords and to replace default accounts promptly after installing and launching a new service.



At the end of 2017, it was found that ordinary users and administrators often use sequences of adjacent keys on the keyboard (keyboard walks) as passwords, believing that a long password with no meaning (such as zaq12wsxcde3 or poiuytrewq) will protect them from unauthorized access. This is a mistake: despite the apparent complexity of such passwords, all such keyboard sequences have long been included in special dictionaries, and a brute-force attack takes the attacker a few minutes.

Qwerty, Zaq1xsw2 and other sequences of adjacent keys on the keyboard are the most popular passwords, including among privileged users
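A password-policy check that rejects such keyboard walks before they reach a dictionary, as an added Go example that is not the report's own code. The US QWERTY layout table, the adjacency rule (neighbouring keys in the same row or in adjacent rows, compared case-insensitively) and the rejection thresholds are this example's assumptions; the sample passwords are the ones named above plus a constructed non-walk control.

```go
package main

import (
	"fmt"
	"unicode"
)

// keyRows is a US QWERTY layout (assumption). A key's column is its index in
// its row, so same-column keys in neighbouring rows (1-q-a-z) count as adjacent.
var keyRows = []string{"1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"}

// shiftedRow0 maps the shifted digit row back to its base keys ("!QAZ" is "1qaz").
const shiftedRow0 = "!@#$%^&*()_+"

type pos struct{ row, col int }

var keyPos = buildKeyPos()

func buildKeyPos() map[rune]pos {
	m := make(map[rune]pos)
	for r, row := range keyRows {
		for c, ch := range row {
			m[ch] = pos{r, c}
		}
	}
	for c, ch := range shiftedRow0 {
		m[ch] = pos{0, c}
	}
	return m
}

// adjacent reports whether a and b are different keys at most one row and one
// column apart on the layout; characters not on it (spaces, accents) never join a run.
func adjacent(a, b rune) bool {
	pa, okA := keyPos[unicode.ToLower(a)]
	pb, okB := keyPos[unicode.ToLower(b)]
	if !okA || !okB || pa == pb {
		return false
	}
	dr, dc := pa.row-pb.row, pa.col-pb.col
	return dr*dr <= 1 && dc*dc <= 1 // squares <= 1 means |difference| <= 1
}

// WalkRuns returns the lengths of the maximal runs of adjacent keys in the
// password, in order; a lone key is a run of length 1.
func WalkRuns(password string) []int {
	runes := []rune(password)
	if len(runes) == 0 {
		return nil
	}
	var runs []int
	cur := 1
	for i := 1; i < len(runes); i++ {
		if adjacent(runes[i-1], runes[i]) {
			cur++
		} else {
			runs = append(runs, cur)
			cur = 1
		}
	}
	return append(runs, cur)
}

// Result summarises how much of a password consists of keyboard walks.
type Result struct {
	LongestRun int
	Coverage   float64 // share of characters inside runs of three or more keys
	Walk       bool    // true when the password should be rejected
}

// Analyze flags a password as a keyboard walk when its longest run has five or
// more keys, or when runs of three or more keys cover at least three quarters
// of it; both thresholds are this example's assumptions.
func Analyze(password string) Result {
	var res Result
	n := len([]rune(password))
	if n == 0 {
		return res
	}
	covered := 0
	for _, r := range WalkRuns(password) {
		if r > res.LongestRun {
			res.LongestRun = r
		}
		if r >= 3 {
			covered += r
		}
	}
	res.Coverage = float64(covered) / float64(n)
	res.Walk = res.LongestRun >= 5 || res.Coverage >= 0.75
	return res
}

func main() {
	// The passwords named in the report plus a constructed non-walk control.
	for _, pw := range []string{"zaq12wsxcde3", "poiuytrewq", "Zaq1xsw2", "Tr0ub4dor&3"} {
		r := Analyze(pw)
		fmt.Printf("%-14s longest=%2d coverage=%.2f walk=%v\n", pw, r.LongestRun, r.Coverage, r.Walk)
	}
}
```

Zaq1xsw2 is caught by the coverage rule rather than the run-length rule: it is two column walks of four keys each, which together make up the whole password.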

CONCLUSION

Corporate information systems are still vulnerable to attacks by external and internal intruders. While during external penetration testing we increasingly encounter companies that are concerned about the security of their network perimeter, the situation is much worse when the security of a corporate system is tested on behalf of an internal attacker. In 2017, on behalf of an external attacker, using among other things social engineering methods and attacks on wireless networks, it was possible to overcome the network perimeter in 68% of projects. At the same time, on behalf of an insider, complete control over LAN resources was obtained in all projects without exception, despite the technical means and organizational measures used in the companies to protect information.

  • Refuse to use simple and dictionary passwords; develop strict rules for the corporate password policy and monitor their implementation.
  • Provide additional protection for privileged accounts (for example, domain administrators). It is good practice to use two-factor authentication.
  • Protect the infrastructure from attacks aimed at recovering accounts from OS memory. To do this, on all workstations of privileged users, as well as on all hosts that are connected to using privileged accounts, install Windows versions higher than 8.1 and include privileged domain users in the Protected Users group. In addition, modern versions of Windows 10 can be used, which implement the Remote Credential Guard system that isolates and protects the lsass.exe system process from unauthorized access.
  • Make sure that sensitive information of interest to an attacker is not stored in clear text (for example, on the pages of a web application). Such information may include credentials for accessing various resources, a company address book containing employees' email addresses and domain identifiers, etc.
  • Limit the number of services on the network perimeter and make sure that interfaces open for connection really need to be available to all Internet users.
  • Install security updates for the OS and the latest versions of application software in a timely manner.
  • Analyze the security of wireless networks. Special attention should be paid to the reliability of the authentication methods used and to configuring isolation of access point users.
  • Conduct regular training for employees aimed at increasing their competence in information security issues, and monitor the results.
  • Use a SIEM system to detect attacks in a timely manner. Only timely detection of an attack attempt makes it possible to stop it before the attacker causes significant damage to the company.
  • To protect web applications, install a web application firewall.
  • Regularly conduct penetration testing in order to promptly identify attack vectors on the corporate system and to evaluate the effectiveness of the protection measures taken in practice.

This list is not exhaustive, but failure to comply with even one point can lead to a complete compromise of the corporate system, and all the costs for various expensive means and protection systems will turn out to be unjustified. An integrated approach to information security is the best protection of a corporate information system from any intruder.

Once your OS is ready to go, it is time to decide exactly what kind of research you are going to do. In general, four types of such research can be distinguished:
  • System vulnerability assessment;
  • Assessment of systems for compliance with safety standards;
  • Traditional system penetration testing;
  • Application research.
A specific task for researching a system may include elements of each kind. We think it is worthwhile to go into more detail about them and explain how they relate to Kali Linux and its desktop.

Before proceeding to the description of specific types of security assessment, let us talk about how vulnerabilities differ from exploits.

A vulnerability can be defined as a defect in an information system that can be used to violate its confidentiality, integrity, or availability. There are different types of vulnerabilities that can be encountered. Here are some of them:

11.2.2. Assessment of systems for compliance with security standards

The next most complex type of research is the assessment of systems for compliance with security standards. Testing of this kind is the most common, because it is based on checking the requirements of government and industry standards that apply to organizations.

There are many specialized security standards, but the most common is the Payment Card Industry Data Security Standard (PCI DSS). This standard was developed by payment card issuers, and organizations that process card payments must comply with it. Other common standards include the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG), the Federal Risk and Authorization Management Program (FedRAMP), the Federal Information Security Management Act (FISMA), and others.

A corporate client can order such a study, or request the results of a previously conducted one, for various reasons. In particular, the initiative may come from the client himself, or he may be obliged to undergo mandatory verification. In any case, such studies are called "assessment of systems for compliance with security standards", "compliance research", or "compliance checks".

Assessing a system for compliance with standards usually begins with a vulnerability analysis. In the case of a PCI compliance audit, a properly performed vulnerability assessment can satisfy several of the basic requirements of the standard. Among them is requirement 2: "Do not use passwords and other system parameters set by the manufacturer by default." You can check your system for compliance with this requirement using the tools in the Password Attacks menu category. Next is requirement 11: "Regularly test security systems and processes." This can be verified using the tools in the Database Assessment category. Some requirements cannot be verified with conventional vulnerability scanning tools. Among them are requirement 9: "Limit physical access to cardholder data", and requirement 12: "Develop and maintain an information security policy for all personnel in the organization". Verifying such requirements requires additional effort.

At first glance, it may be unclear how to use Kali Linux to perform some of these checks. However, Kali is well suited to such tasks, not only because of its rich set of standard tools, but also because it is based on Debian, which makes it possible to install many additional applications. You can search the package manager for programs that implement the required functionality using keywords taken from the information security standard in use. Such a search will almost certainly turn up several noteworthy results. Currently, many organizations use Kali Linux as a platform specifically for assessing systems for compliance with security standards.

11.2.3. Traditional system penetration testing

Recently, it has become difficult to find a suitable definition for a "traditional penetration test". The fact is that such tests are used in various fields of activity, and as a result everyone describes them in their own way. Adding to the confusion, "penetration testing" is increasingly used to mean the compliance assessment described above, or even an ordinary vulnerability assessment. In such cases, the research does not go beyond certain minimum requirements.

In this section, we will not touch upon the disputes about the features of various types of system testing. Here we will talk about research that is not limited by some "minimum requirements": research designed to genuinely improve the overall security of the organization.

Unlike the types of research we discussed earlier, traditional penetration testing does not often start with a definition of the scope. Instead, specific goals are set, for example: "simulate the consequences of compromising an internal user", or "find out what would happen if the organization was targeted by an external attacker". The key distinguishing feature of such studies is that in the course of their execution, vulnerabilities are not only found and assessed, but the discovered problems are also used to reveal worst-case scenarios.

Penetration testing does not rely solely on vulnerability scanning tools. Work continues by researching findings, using exploits or testing to rule out false positives, and doing everything possible to uncover hidden vulnerabilities, or what we call false negatives.

Such research often includes exploiting discovered vulnerabilities, assessing the level of access that the exploits provide, and using this increased level of access as a starting point for additional attacks on the target system.

This requires critical analysis of the target environment, manual search for vulnerabilities, creativity, and the ability to think outside the box. These are all approaches to discovering additional vulnerabilities that require other tools, able to find vulnerabilities where even the most powerful automatic scanners fall short. Often, after completing this step, the entire process is started over in order to ensure that the work is complete and well done.

Despite the complexity and versatility of traditional penetration testing, the progress of such research can be streamlined by breaking it down into several steps. It is worth noting that Kali makes it easy to select software for each of these steps. So here is a step-by-step penetration testing plan with comments about the tools used:

  • Collection of information. In this phase, the pentester's efforts are aimed at learning as much as possible about the target environment. This activity is usually non-invasive and looks like normal user activity. These actions form the basis for the rest of the research steps and thus they should lead to the collection of as complete data about the system as possible. The Information Gathering section of the Kali Linux Applications menu contains dozens of tools designed to reveal as much information as possible about the system under investigation.
  • Vulnerability detection. This step is often referred to as "proactive information gathering". The specialist, trying to identify potential vulnerabilities in the target environment, does not yet attack the system, but already behaves differently from a regular user. This is where the vulnerability scanning described above often takes place. In this step of the study, the programs from the Vulnerability Analysis, Web Application Analysis, Database Assessment, and Reverse Engineering sections will be useful.
  • Exploitation of vulnerabilities. Having a list of detected potential vulnerabilities, at this stage of the investigation, the specialist tries to use them in order to find a foothold in the target environment. Tools that can be found in the categories Web Application Analysis, Database Assessment, Password Attacks, and Exploitation Tools are helpful in this endeavor.
  • System infiltration and covert data retrieval. After the researcher has managed to gain a foothold in the system, the work continues. As a rule, at this stage a way is sought to increase privileges to the level necessary to reach target systems that were previously inaccessible, and to covertly extract sensitive information from them. At this step, the Applications menu sections Password Attacks, Exploitation Tools, Sniffing & Spoofing, and Post Exploitation are useful.
  • Preparation of reports. After the completion of the active phase of the study, the actions taken need to be documented and a report prepared. Usually this step does not have the same technical complexity as the previous ones. However, quality reports are what give the client the full value of the work, so do not underestimate the importance of this phase of the research. The corresponding tools can be found in the Reporting Tools section of the Applications menu.
In most cases, penetration tests will be designed very differently, since each organization is exposed to different threats and has different resources to protect. Kali Linux provides a universal base for solving such problems, and this is where the many options for customizing Kali come in. Many organizations that carry out such research maintain customized versions of Kali Linux for internal use, which allows them to deploy systems faster before new research.

Common customizations of Kali Linux include the following:

  • Pre-installation of licensed commercial packages. For example, a paid vulnerability scanner may be planned for use in many penetration testing sessions. To avoid installing this package on every deployed copy of Kali, it can be integrated into the system image, so that it is installed every time Kali is deployed.
  • Preconfigured VPN with reverse connection. This is a very handy feature for devices that are deliberately left connected within the network under investigation. Such devices allow for "remote internal" research. A reverse connection device connects to the pentester's computer, creating a tunnel that can be used to connect to internal systems. The Kali Linux ISO of Doom is an example of just such a special system setup.
  • Pre-installed tools and proprietary programs. Many organizations have in-house toolkits that are required during penetration testing sessions, so preinstalling them during custom imaging can save time.
  • Pre-configured OS settings, including the mapping of hostnames to IP addresses, desktop wallpaper, proxy server settings, and so on. Many Kali users prefer specific system settings. If you reinstall your system regularly, it may make sense to preserve these settings.

11.2.4. Application Research

Most security assessment activities are quite large in scale. The distinguishing feature of application research is that a specific program is studied. This kind of research is becoming more common due to the complexity of the critical applications used by companies, many of which are developed in-house. If necessary, application research can accompany other types of research. Among the types of applications that can be investigated for security, the following can be noted:
  • Web applications. These applications are often targeted by cybercriminals, as they usually have a significant attack surface and are accessible from the Internet. Standard tests can often detect underlying problems in web applications. However, a more detailed study, although it can take a lot of time, allows you to find hidden defects in applications. To perform these tests, you can use the kali-linux-web metapackage, which contains many useful tools.
  • Desktop applications distributed as executable files. Server applications are not the only targets for attackers. Desktop applications are also susceptible to attacks. In years gone by, many desktop programs, such as PDF readers or Internet-enabled video applications, were subjected to multiple attacks, which led to their improvement. However, there are still many desktop applications in which, with the right approach, many vulnerabilities can be found.
  • Mobile applications. With the growing popularity of mobile devices, mobile apps are becoming constant subjects of security research. These applications develop and change very quickly, so the research methodology in this area has not yet reached sufficient maturity, which leads to the regular, almost weekly, emergence of new methods. Tools related to studying mobile apps can be found in the Reverse Engineering section of the Kali Linux Applications menu.
Application research can be done by the most different ways... For example, you can use an automated tool designed to test a specific application to identify potential problems. Similar automatic means trying to find unknown weaknesses based on the way applications work, instead of relying on a set of predefined signatures. Tools for analyzing programs must take into account the peculiarities of their behavior. For example, the popular Burp Suite web application vulnerability scanner. As he investigates the application, he finds input fields, and then performs various SQL injection attacks, while observing the application in order to identify attacks that were successful.
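To make the scanner behaviour just described concrete, here is an added example in Python; it is not code from the original page, from the book, or from the Burp Suite project. It performs the input-discovery step on a constructed HTML page and then shows, against an in-memory SQLite table, why a tautology probe placed in a login field changes the result set of a query built by string concatenation but not of a parameterized one. The sample page, the table, and the credentials are constructed data, and the function names are this example's own.

```python
import sqlite3
from html.parser import HTMLParser

# Constructed sample page: what a scanner would fetch from the application under test.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc">
  <input type="submit" value="Log in">
</form>
<form action="/search" method="get">
  <input name="q">
</form>
</body></html>
"""


class FormInputCollector(HTMLParser):
    """Collect (form action, input name, input type) for every input field on a page.

    This is the discovery step a scanner performs before deciding where to send
    test values; submit buttons are skipped because they carry no user data.
    """

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current_form = attrs.get("action", "")
        elif tag == "input" and attrs.get("type", "text") != "submit":
            self.fields.append(
                (self.current_form, attrs.get("name"), attrs.get("type", "text"))
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def discover_inputs(html):
    """Return the list of input fields found in the given HTML document."""
    parser = FormInputCollector()
    parser.feed(html)
    return parser.fields


def make_db():
    """Constructed user table standing in for the application's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concatenated(conn, username, password):
    """The defect a scanner looks for: user input spliced into the SQL text."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def differential_probe(conn):
    """Mimic the scanner's observation: does a tautology in the field change the result set?"""
    probe = "' OR '1'='1"
    return {
        "concatenated": login_concatenated(conn, probe, probe),
        "parameterized": login_parameterized(conn, probe, probe),
    }


if __name__ == "__main__":
    for form, name, kind in discover_inputs(SAMPLE_HTML):
        print(f"form={form} field={name} type={kind}")
    print(differential_probe(make_db()))
```

The difference between the two login functions under the same probe is exactly the signal an automated scanner watches for: the concatenated query returns every user, while the parameterized one returns nothing because the probe is compared as a literal username. The parameterized version is also the fix a white-box review of the source code would recommend.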

There are also more complex application research scenarios. Such studies can be performed online and use the black-box and white-box models.

  • Black-box research. The tool (or researcher) interacts with the application without special knowledge about it or special access to it beyond what an average user has. For example, in the case of a web application, the researcher may only have access to the functions and capabilities available to an unauthenticated user. Any account used will be one that a regular user can register on their own. This prevents the attacker from analyzing functionality that is available only to privileged users, whose accounts must be created by the administrator.
  • White-box research. The tool (or researcher) often has full access to the application's source code, administrative access to the platform on which it runs, and so on. This ensures that a complete and thorough analysis of all application capabilities is performed, regardless of where the functionality being studied is located. The disadvantage of such a study is that it does not imitate the actions of a real intruder.
Of course, there are also shades of gray between white and black. Usually, the way the application is examined is determined by the research objectives. If the goal is to find out what might happen to an application that is the subject of a targeted external attack, then black-box testing is probably best. If the goal is to identify and eliminate as many security problems as possible in a relatively short time, a white-box study may be more effective.

In other cases, a hybrid approach can be applied: the researcher does not have full access to the application's source code or to the platform on which it runs, but the account issued to the researcher has been prepared by the administrator and gives access to as many application features as possible.

Kali is an ideal platform for all approaches to application research. A standard installation already includes many application-specific scanners, as well as tools for more advanced research, such as source code editors and scripting environments. In the case of application research, you may find useful materials from sections
