Friday, May 20, 2011

How to Get Properly Owned

Here is some sage advice on how to be quickly and effectively compromised:
  • Expose unnecessary ports via NAT and firewall rules to your DMZ. I'm talking SSH, telnet, HTTP/S, SNMP, MS-SQL, MySQL, YourSQL, NetBIOS.... everything. If you're really serious about getting compromised, NAT public addresses to your internal Active Directory servers and database. If you don't have a firewall or a DMZ, all the better.
  • Make sure no effective firewall policies exist between networks of different types like Users > Servers or DMZ > databases. Such policies cause network connectivity issues and make troubleshooting take an extra second or two. Just put them all on one VLAN. Use VLAN 1 because it's easy to remember. For instance, you only have one brain, you probably only had one sandwich today, and it is also exactly one half of two. VLAN 1 is not the default native VLAN for naught; use it.
  • Never patch any software. Pay particular attention to avoid checking for patches pertaining to commercial, off-the-shelf web applications or web application/server platforms. Flash and other Adobe products never need patching.
  • Do not perform network or web application security assessments. If you've had one performed before but your network/applications have changed significantly, rest assured that the last assessment covers your now completely different, current security posture.
  • Do not enforce password complexity or password change/age policies on users. If it is necessary to do so, ensure you exempt higher-ups like CEOs, CFOs, COOs, and the like when they complain about the policies. They can always be trusted to create a secure password of their own volition, plus no attacker would want access to their accounts anyway.
  • Conduct regular security awareness training for your users encouraging them to share passwords among the various applications they use like FaceBook, Amazon, eBay, PayPal, and Twitter. It makes it easier for them to stay logged in and avoids help desk calls for password resets.
  • Always leave default passwords the same. Some good username/password combinations are admin/admin, cisco/cisco, root/root, it's all secure enough.
  • If you use WEP for wireless encryption, make sure you keep using it. If you use WPA-PSK, make sure the key is simple and never changes. You might check the /pentest/passwords/wordlists/ dictionaries in BackTrack for some examples of PSKs to use. If you use 802.1x, make sure to uncheck "Validate Certificate Authority" and, again, make sure no password complexity policies are enforced. Never concern yourself about rogue wireless access points that may be bleeding internal network access out into your parking lot and surrounding streets. You want good coverage.
  • No matter the source, whether it be a website or an email from ch35pv!4gRa@spambot.cn, always click a link if it sounds interesting. If the description above the link seems seedy, invokes emotion, makes a pop culture reference, or expounds a deal that seems too good to be true, click it last year. Use that index finger.
  • Ignore all software and browser security warnings. They are simply a nuisance and you should click "run" when it says "warning" and "accept certificate" when it says "certificate cannot be verified."
  • Never run antivirus, and if you do, make sure you disable auto-update for virus definitions. Having a larger virus definitions file slows down your system. On the topic, always disable auto-update features on all software.
  • Leave all switch ports that support dynamic trunking protocol in desirable mode if they are not being used as trunks. Ensure that VTP is used so that it's easy for a single switch to push VLAN database updates to all other switches in the VTP domain. While you're at it, enable CDP network-wide.
  • Disable SSL always; it's CPU intensive. If you must use SSL, use untrusted, self-signed certificates. It saves money and time.
  • Enable anonymous zone transfers on your external DNS servers. This makes it easier to find all of those pesky old hostnames like dev1.yourcompany.com and old_vulnerable_app.yourbusiness.org that might not otherwise be discoverable.
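Taking the last item straight: the defensive fix for open zone transfers is an explicit `allow-transfer` ACL on every authoritative zone. The script below is an added example written for this post, not code from the original entry; it parses a constructed BIND `named.conf` fragment (the zone names under `.test` and the documentation-range addresses are invented), reports each zone as open, restricted, or unset, and emits a hardened copy in which every open or unset zone gets an ACL limited to the listed secondary servers (or `none`). It assumes the input has already had comments removed, for instance the normalized output of `named-checkconf -p`, and it treats a missing `allow-transfer` as a finding because the built-in default varies between BIND versions and should be stated explicitly either way.

```python
import re

# Constructed sample named.conf fragment for the demo; not taken from any real server.
# Zone names use the reserved .test TLD; the 192.0.2.x / 198.51.100.x addresses are
# documentation ranges. Only one of the three zones restricts transfers correctly.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    recursion no;
};

zone "example-corp.test" {
    type master;
    file "db.example-corp.test";
    allow-transfer { any; };
};

zone "partner.test" {
    type master;
    file "db.partner.test";
    allow-transfer { 192.0.2.53; 198.51.100.2; };
};

zone "legacy.test" {
    type master;
    file "db.legacy.test";
};
"""

ZONE_HEADER = re.compile(r'zone\s+"([^"]+)"[^{]*\{')
OPTIONS_HEADER = re.compile(r'\boptions\s*\{')
ALLOW_TRANSFER = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in config")


def _acl_entries(body):
    """Return the allow-transfer ACL entries in a block body, or None if absent."""
    m = ALLOW_TRANSFER.search(body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def parse_zones(conf):
    """Map each zone name to its own allow-transfer entries (None = not set)."""
    zones = {}
    for m in ZONE_HEADER.finditer(conf):
        zones[m.group(1)] = _acl_entries(_block_body(conf, m.end() - 1))
    return zones


def audit_zone_transfers(conf):
    """Classify each zone as 'open', 'restricted' or 'unset'.

    A zone without its own allow-transfer inherits the options-level one; if
    neither exists the status is 'unset' (assumption: the version-dependent
    built-in default is not trusted, so an explicit ACL is required).
    """
    opt = OPTIONS_HEADER.search(conf)
    default_acl = _acl_entries(_block_body(conf, opt.end() - 1)) if opt else None
    report = {}
    for zone, acl in parse_zones(conf).items():
        effective = acl if acl is not None else default_acl
        if effective is None:
            report[zone] = "unset"
        elif any(e.lower() == "any" for e in effective):
            report[zone] = "open"
        else:
            report[zone] = "restricted"
    return report


def harden_zone_transfers(conf, secondaries=()):
    """Return a copy of conf in which every open or unset zone gets an explicit
    allow-transfer limited to the given secondary servers (or 'none')."""
    entries = " ".join(f"{s};" for s in secondaries) or "none;"
    stmt = f"allow-transfer {{ {entries} }}"
    pieces, last = [], 0
    for m in ZONE_HEADER.finditer(conf):
        open_idx = m.end() - 1
        body = _block_body(conf, open_idx)
        close_idx = open_idx + 1 + len(body)  # index of the matching '}'
        acl = _acl_entries(body)
        if acl is None:
            body = body.rstrip() + "\n    " + stmt + ";\n"  # add a missing ACL
        elif any(e.lower() == "any" for e in acl):
            body = ALLOW_TRANSFER.sub(stmt, body, count=1)  # replace the open ACL
        pieces.append(conf[last:open_idx + 1] + body)
        last = close_idx
    pieces.append(conf[last:])
    return "".join(pieces)


if __name__ == "__main__":
    print(audit_zone_transfers(SAMPLE_NAMED_CONF))
    hardened = harden_zone_transfers(SAMPLE_NAMED_CONF, ["192.0.2.53"])
    print(hardened)
    print(audit_zone_transfers(hardened))
```

Running it against the sample flags `example-corp.test` as open and `legacy.test` as unset, leaves `partner.test` alone, and the hardened copy audits clean for all three. Re-running the audit on the rewritten config is the useful habit here: a change script that cannot verify its own result is just another way to be surprised later.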

3 comments:

  1. Jake,

    Your wisdom is without limits and should be shared with a few I know :)

  2. Funny, despite this, you're still really no more secure, and you still get owned. <3 the security industry!

    Also, it's amusing 'get off of windows xp dummy' and 'die ie6 die' isn't in your list.

  3. What? No more secure? Everything I said makes you less secure which was the point of the blog entry. As for XP and IE6, I mentioned never patching or updating your software. Still, there are plenty of known and zero-day vulns in other OSes and browsers.

    XP and IE6 are really end-user-focused, which is a big deal especially considering that drive-by attacks are occurring more and more, but it's definitely not the only thing an enterprise needs to consider.
