SAN FRANCISCO–There are dozens of new bugs discovered every week in popular applications, and many of them are painted as critical flaws that need to be patched immediately lest you risk the wrath of the attackers. In many cases, however, it’s not those highly publicized flaws that end up leading to a major data theft; it’s the problems lurking underneath the top layer that are the real killers.
These less-noticed vulnerabilities are the ones that penetration testers–and more worryingly, attackers–use to dig deep into a target network once they’ve already gotten a foothold in the environment. And often, they’re not even proper vulnerabilities, but rather misconfigurations, services left exposed or inter-organizational trust relationships that can be used and abused by attackers to move from one machine to the next until they find the data that they’re after.
“These second-order vulnerabilities are the ones that lead to data loss. It’s not always the traditional threats that matter. It’s not always the server with a bug in it,” HD Moore, CSO at Rapid7, said in a talk at the United Security Summit here Monday. “They’re involved in the majority of breaches you see in the news and most of the ones I see in incident response.”
As an example, Moore pointed to things such as password reuse, but not in the manner you might expect. Many home users run into trouble when their email password is compromised, because they likely use that password for other sites. While most IT staffs and security managers are more careful than that, Moore said he can often find a database of hashed passwords for a certain set of applications or machines, dump the database, look for a hash that appears more than once and know that a given password is being reused by someone. So without even cracking the password itself, an attacker would have key information about how passwords are used in the organization.
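The duplicate-hash check Moore describes is just as useful to the defender auditing their own credential store, and it also shows why it works: it only succeeds when the hashes are unsalted. The following is an added example, not code from the article or from Rapid7; the account list and passwords are constructed, and the two table builders are assumed stand-ins for whatever an application actually stores.

```python
"""Audit a dump of password hashes for duplicates that reveal password reuse.

Constructed example: identical digests in an unsalted table mean identical
passwords, so reuse is visible without cracking anything. With a per-user
salt (PBKDF2 here) the same check finds nothing, which is the mitigation.
"""
import hashlib
import os
from collections import defaultdict

# Constructed accounts for the demo; three of them share a password.
CONSTRUCTED_ACCOUNTS = [
    ("svc-backup", "Winter2011!"),
    ("jsmith", "correct-horse-battery"),
    ("svc-monitor", "Winter2011!"),
    ("admin-db", "Winter2011!"),
    ("alee", "qZ7#mLp2wR"),
]


def unsalted_table(accounts):
    """Model of a weak store: one plain SHA-256 digest per password."""
    return [(acct, hashlib.sha256(pw.encode()).hexdigest()) for acct, pw in accounts]


def salted_table(accounts, iterations=100_000):
    """Model of a hardened store: random 16-byte salt plus PBKDF2-HMAC-SHA256,
    stored as 'salt_hex$digest_hex' so each row is unique even for equal passwords."""
    rows = []
    for acct, pw in accounts:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        rows.append((acct, salt.hex() + "$" + digest.hex()))
    return rows


def find_reused_hashes(rows):
    """Group accounts by stored hash and return only groups with >1 account.

    rows: iterable of (account, stored_hash). Result maps stored_hash to a
    sorted list of accounts sharing it. An empty dict means no visible reuse.
    """
    groups = defaultdict(list)
    for acct, stored in rows:
        groups[stored].append(acct)
    return {h: sorted(a) for h, a in groups.items() if len(a) > 1}


def report(rows):
    """Human-readable summary for an audit run."""
    reused = find_reused_hashes(rows)
    if not reused:
        return "no duplicate hashes found"
    lines = [f"{len(reused)} duplicated hash(es) found:"]
    for h, accts in reused.items():
        lines.append(f"  {h[:12]}... shared by {', '.join(accts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("unsalted store:")
    print(report(unsalted_table(CONSTRUCTED_ACCOUNTS)))
    print("salted store:")
    print(report(salted_table(CONSTRUCTED_ACCOUNTS)))
```

Against the unsalted table the audit flags one digest shared by `admin-db`, `svc-backup` and `svc-monitor`; against the salted table it reports nothing, because the salt makes every stored value distinct. The practical lesson for a defender is twofold: run this check on your own stores before someone else does, and move any store where it finds matches to a salted, slow hash.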
In one penetration test, he came across a folder of BMP files that an employee was using for background images on his desktop. One of the images was a screenshot of his saved passwords in Firefox, conveniently allowing him to just glance at his desktop when he needed to log in to a given site.
This kind of problem, while not a typical software bug, can be just as deadly for an enterprise as any traditional vulnerability.
“These are the things that are often ignored by automated assessments,” Moore said.
But they’re not missed by attackers, and while defenses have improved somewhat over the last few years, attackers have continued to raise their game as well. The reality is that skilled attackers have time and human nature on their side. Every network has a weak spot, whether it’s a mail server, a Web server or a careless employee, and it’s just a matter of spending enough time to find it.
“People are willing to put a lot of work into owning things if they’re going after a big target,” Moore said. “They’re not dumb, for the most part. The dumb ones don’t last long.”