Since part of my work at #comsec includes performing penetration testing, I would like to share some of my experience and give some advice to all of you information security managers and system administrators.
All of the remarks below are based on performing internal infrastructure penetration tests (PT).
1. Manage permissions to devices and resources, and do not allow unneeded access to sensitive information.
Most basic device misconfigurations occur due to human error: granting access to restricted devices that contain sensitive data, or granting the ability to give others access to the devices holding it. Verify that all user permissions follow a need-to-work or need-to-know policy.
2. Do not store credentials in clear text.
Make sure that no clear-text passwords exist in files. The most common locations are GPO XML files (before Windows 2012) and the batch, VBS, XML and configuration files in the netlogon folder. Another typical place is the web.config file on IIS servers, which usually contains DB access information and/or the credentials of elevated accounts.
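As an added defender-side example (not code from the original post), the following Python script sweeps a directory tree laid out like the locations named above and reports every file that still holds a credential; the paths, file contents and values it constructs are placeholders, not real data:

```python
# Added defender-side check, not code from the original post: sweep a SYSVOL,
# netlogon or IIS style directory tree for the clear-text credential locations it names.
import re
import tempfile
from pathlib import Path

# File types the post names: Group Policy Preference XML, IIS web.config, logon scripts
EXTENSIONS = {".xml", ".config", ".bat", ".cmd", ".vbs"}
PATTERNS = {
    "GPP cpassword attribute": re.compile(r'\bcpassword="[^"]+"', re.I),
    "password=/pwd= assignment": re.compile(r"\b(password|pwd)\s*=\s*[^\s;\"']+", re.I),
    "/user: switch followed by a password": re.compile(r"/user:\S+\s+\S+", re.I),
}

def scan_file(path):
    # Returns (path, line number, description) for every line that holds a credential
    hits = []
    with open(path, errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            for what, rx in PATTERNS.items():
                if rx.search(line):
                    hits.append((str(path), n, what))
    return hits

def audit_tree(root_dir):
    # Walk the tree once and scan only the file types worth looking at
    return [hit for p in sorted(Path(root_dir).rglob("*"))
            if p.is_file() and p.suffix.lower() in EXTENSIONS
            for hit in scan_file(p)]

# Constructed sample files; every value is a placeholder, not a real secret
SAMPLES = {
    "Policies/GUID/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User name="localadm"><Properties cpassword="PLACEHOLDER" neverExpires="1" userName="localadm"/></User></Groups>',
    "inetpub/app/web.config":
        '<configuration><connectionStrings><add name="db" connectionString="Server=sql01;User Id=sa;Password=PLACEHOLDER"/></connectionStrings></configuration>',
    "netlogon/logon.bat": "net use H: \\\\fs01\\home /user:CORP\\svc_backup PLACEHOLDER\n",
    "netlogon/clean.bat": "net use H: \\\\fs01\\home\n",        # no credential: must not be flagged
}

def build_sample_tree():
    base = Path(tempfile.mkdtemp())
    for rel, body in SAMPLES.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(body)
    return str(base)

if __name__ == "__main__":
    for path, lineno, what in audit_tree(build_sample_tree()):
        print("%s:%d  %s" % (path, lineno, what))
```

Point audit_tree at a copy of SYSVOL or an IIS web root to run it against real data; every hit is a file to clean up and a credential to rotate.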
3. Do not store passwords in cache.
Using basic Windows Sysinternals tools it is very easy to dump user information from services like lsass.exe; the resulting DMP file can later be parsed with hacking tools like Mimikatz to reveal all user login data, including user name, domain, password, NTLM hash, Kerberos ticket and more.
4. Deny logon for application accounts.
Most organizations create dedicated accounts that run services and processes for installed applications without needing day-to-day management. Often such accounts are exempt from the standard password policy, since from a business perspective it causes far more damage if an account stops working because of a password-change requirement, or because not all relevant systems were updated with the new password. So make sure that all of those accounts have the “Deny log on” rights configured, so they cannot be used to log on to systems.
5. Perform security updates regularly and keep AV updated on all devices.
Hackers (black hat and white hat) constantly find vulnerabilities in systems and create new viruses and trojans on a daily basis; software vendors and security companies are in a constant race to fix vulnerabilities and identify new threats. Not updating gives an attacker the ability to exploit such a vulnerability, or to use an undetected virus to gain an access point into the system.
6. Create proper network segmentation and block ports that are not required for business needs.
Production and sensitive-information environments should be segmented. Access to those environments should be available only from specific locations and over specific ports; all non-required ports should be disabled on the systems and blocked in the firewall and network rules. Changing default ports can be useful as well (changing 3389 to 6894, for example), although this only adds obscurity and complements the firewall rules rather than replacing them. Although obvious, I should mention that direct access to sensitive information should be blocked completely from the WAN.
7. Use NAC (Network Access Control) and configure it well.
Besides configuring computers correctly using domain membership, certificates, OS checks and more, it is even more important to pay attention to the “less” important devices: make sure that all network-related devices (printers, switches, VoIP phones, etc.) can use a certificate for authentication. MAC address hijacking (spoofing the address of a trusted device) is very easy to perform against peripheral devices if certificate-based authentication is not applied.
8. Disable network broadcasts.
Listening to network traffic is one of the first things an attacker does when hacking internally; it provides information on servers, workstations, users and hashed passwords, and in some rare cases even clear-text passwords (usually when old systems are involved). This allows an attacker to perform a MiTM attack by forwarding (relaying) the harvested user credentials to authenticate as a legitimate user, without needing the clear-text password. LLMNR, NBT-NS and WPAD broadcasts should be disabled and configured correctly using GPO.
9. Perform a full review every 3 or 6 months, or even yearly, depending on company policy.
As mentioned in item 1, human errors are inevitable; performing regular reviews of system configuration, risk assessments, hardening surveys, and infrastructure and application PT will help locate and correct them. Also, new systems are constantly added to the environment, and performing reviews will help verify that security is applied correctly to them.
10. And finally (and sadly, this is not a joke): sticky notes were not invented for writing down your password and sticking it on the screen frame or underneath the keyboard.