Today we hear of cybersecurity attacks in the news almost every day. As cyber threats continue to evolve in sophistication and scale, it’s imperative for organizations to stay ahead of the curve in defending against potential breaches. One powerful tool in the cybersecurity arsenal is penetration testing, a systematic examination of a network’s or application’s vulnerabilities, conducted by ethical hackers to identify weaknesses before malicious actors do.
In this article we will delve into the top three penetration test findings and the associated risk they pose to businesses and individuals alike. By understanding these vulnerabilities and their potential consequences you can take proactive steps to fortify your defenses and protect what matters most.
Three key findings frequently encountered across various environments are:
1. Obsolete Operating System Version in Use
2. Weak Domain Passwords
3. Embedded Appliances with Default Credentials Enabled
1. Obsolete Operating System Version in Use
Obsolete Operating System versions pose a significant threat to an organization when they are not replaced with current, patched versions. An obsolete Operating System is one the vendor no longer supports: the vendor has moved its resources to newer products and will not fix security vulnerabilities in it, so the Operating System no longer receives patches or updates.
Any security vulnerabilities discovered after an obsolete Operating System becomes unsupported will not be fixed. A malicious actor could exploit those vulnerabilities at any time.
Upgrade all obsolete Operating System versions to the current patched version.
If this is not possible, we recommend isolating unsupported systems and systems with known vulnerabilities from the rest of the network by disabling unnecessary services, restricting network traffic using firewalls and access control lists, and by ensuring that credentials are not reused with other systems on the network.
2. Weak Domain Passwords
A password’s strength is a measure of how easy it is to crack or guess. This means that a short password without a complex variety of characters is weak, and so is a password made up of the word ‘password’, the company name, or the season and year, as in ‘Spring2023’.
A malicious actor using a program like hashcat could crack the hash of a weak password in seconds or minutes. A stronger password can take days, weeks, or longer. If a malicious actor cracks the password hash of an account with administrative access on the network, they could leverage that account to gain unauthorized access to critical or sensitive systems, documents, or configurations.
We recommend several strategies to mitigate the risk of users creating and using weak passwords:
First, identify all privileged accounts, including users in the ‘Domain Admin’ group of Active Directory, and any local accounts configured with Local Administrator privileges on critical systems.
These accounts pose the highest risk if compromised. Create a separate password policy for these accounts and configure them with the strongest passwords possible.
Second, consider implementing an Active Directory password-auditing add-on to create a blacklist of words that users cannot include in their passwords. The blacklist should include commonly used words, such as the company name, seasons and months, and the word 'password'.
Third, consider increasing the password requirements within Active Directory to require longer and more complex passwords. A stronger password policy typically:
Does not allow significant portions of the user's account name, company name or full name.
Requires a length of at least 12 characters. Administrator accounts should be at least 16 characters, and service accounts should be at least 20 characters long.
Contains characters from at least three of the following categories:
Uppercase characters (A through Z)
Lowercase characters (a through z)
Base-10 digits (0 through 9)
Special characters (for example, &, $, #, %)
Even with Windows password complexity and length requirements enforced, users can still set passwords in common, easily guessable formats.
When training users to create passwords, we recommend encouraging them to think in terms of ‘passphrases’ and not passwords. The user can create a strong password from an easy-to-remember sentence, and then substitute numbers and symbols for letters or words. For example, the sentence, ‘To be or not to be, that is the question' could be changed to ‘2bORnot2bth@sthe?’, resulting in a long, complex password.
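The policy described above (tiered minimum lengths, three of four character categories, no significant portion of the account, full or company name, and a blacklist of seasons, months and the word ‘password’) is shown here as a small Python checker. This is an added example, not CyberForce|Q’s tooling or an Active Directory add-on; the account names, company name and blacklist contents are constructed sample values.

```python
import re

# Minimum length by account type, as recommended in the article.
MIN_LENGTH = {"user": 12, "admin": 16, "service": 20}
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
# Constructed blacklist; a real deployment would maintain it in the AD
# password-auditing add-on. Matching is by substring, so short entries such
# as "may" will also flag passwords that merely happen to contain them.
BLACKLIST = ["password"] + SEASONS + MONTHS

# The four character categories; at least three must be present.
CATEGORIES = [re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
              re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")]


def name_tokens(*names):
    """Split names into lowercase tokens of 3+ characters, e.g. 'John Smith'
    gives {'john', 'smith'}; these are the 'significant portions' to reject."""
    tokens = set()
    for name in names:
        for tok in re.split(r"[\s.,_-]+", name.lower()):
            if len(tok) >= 3:
                tokens.add(tok)
    return tokens


def check_password(password, account_type="user", account_name="",
                   full_name="", company="", blacklist=BLACKLIST):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    lower = password.lower()
    minimum = MIN_LENGTH[account_type]
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters for a {account_type} account")
    if sum(1 for cat in CATEGORIES if cat.search(password)) < 3:
        problems.append("fewer than three character categories")
    for tok in sorted(name_tokens(account_name, full_name, company)):
        if tok in lower:
            problems.append(f"contains '{tok}' from the account, full or company name")
    for word in blacklist:
        if word in lower:
            problems.append(f"contains blacklisted word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed sample: the article's weak and strong examples for user jsmith.
    for pw in ["Spring2023", "2bORnot2bth@sthe?", "Acme-Corp-Summer-2023!"]:
        print(pw, check_password(pw, "user", "jsmith", "John Smith", "Acme Corp"))
```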
When resetting passwords or creating passwords for new accounts, IT should also avoid using consistent or simple password formats, as users may leave accounts configured with those passwords, or follow that format as an example.
3. Embedded Appliances with Default Credentials Enabled
Embedded appliances are devices on the network pre-configured by a vendor for a specific purpose. The purpose of each appliance varies but commonly includes:
VOIP Phone Systems
Networked Security Cameras
Switches/Routers/Wireless Access Points
These appliances are distributed by the vendor with a username and password for managing administrative-level tasks on the device. With privileges at that level, a malicious actor may gain control of the appliance and launch further attacks against the network. Typically, appliances have been joined to a domain or are configured with an account that gives access to information about the network. This can lead to confidential information leakage, system compromise, or denial-of-service conditions.
We typically identify multiple appliances with default credentials on the networks we test. Using the default credentials found, we are typically able to use these appliances to gain a better foothold into the network. All default passwords on embedded appliances should be changed to maintain a strong security posture.
The best way to mitigate attacks against appliances is to make sure that all passwords have been changed once the system or device is connected to the network.
We recommend setting user account passwords for appliances to a minimum strength consistent with industry best practices.
We also recommend implementing a process for the deployment of future embedded appliances that includes changing or disabling default accounts and their passwords prior to deployment.
Substantial evidence from studies, including the 2023 IBM Cost of a Data Breach report, suggests that conducting a penetration test can significantly reduce the costs associated with a data breach or even prevent vulnerabilities altogether. Penetration tests can protect a company’s reputation and help you prioritize initiatives to cost-effectively reduce and avoid the risk of potentially costly breaches.
CyberForce|Q has a team of seasoned, certified penetration testers ready to assist you in crafting a customized penetration test tailored to your organization’s specific requirements.