Threats and priorities for 2022

Phil Robinson, December 23rd 2021

Many businesses will still be grappling with the seismic shifts of the pandemic as they eye 2022. The rush to roll out systems to support home working and to activate virtual versions of real-world business channels compressed years’ worth of digital transformation into just a few months. But this rapid expansion came at a cost, leaving systems and networks overly exposed.

We’re already seeing the manifestation of more attacks, with the World Economic Forum reporting a 50.1% increase in cyber attacks due to the pandemic with 30,000 related to COVID-19 as well as huge spikes in phishing and ransomware. This has caused many organisations to task their security teams with retroactively fixing any security gaps.

Our top three issues to address going into 2022 and beyond include:

1. Cloud misconfiguration

Research claims 90% of businesses are now susceptible to attack due to misconfiguration, so businesses need to identify and assess how well their cloud systems are configured: enforce access restrictions, tighten overly permissive storage policies, clamp down on compliance, apply least privilege, practise credential hygiene, and review virtual network functions. At the same time, they can’t afford to stand still and need to continue to expand their cloud presence to remain competitive, so they will need to focus on how they can continue to build out in the cloud, but in a more resilient fashion.

2. Ransomware and phishing

Ransomware-as-a-service (RaaS) is gaining ground, synonymous with groups such as DarkSide, Babuk and Cuba. These attacks typically involve the installation of malware, which comes about through employees installing new software or through the security team failing to lock down admin privileges.

Phishing can vary, from scatter-gun email phishing, to targeted spear phishing, to text-based attacks known as “smishing”. These attacks usually involve the attacker emailing or coercing an employee into executing a malicious file or visiting a website to provide their credentials. This then allows the attacker to establish a command-and-control (C&C) server connection into the environment, establish a further foothold and attempt to escalate privileges. A recent example is the texts and emails offering an NHS pass/certificate for travel purposes with a request for payment (even though these are legitimately available for free via the NHS app).

Regularly educating users on how to spot phishing attacks, and not to click on suspicious links or execute unknown attachments, is imperative, and you can make this relevant by running a test to see how many do fall foul of a staged attack.

When it comes to the user device, businesses need to protect user workstations with anti-virus and EDR (Endpoint Detection and Response) solutions and to prevent the execution of unknown files or scripts as well as ensuring that all Operating Systems and applications are kept up to date. 

You can also stop a lot of this from getting through in the first place by blocking unnecessary file attachments at the email gateway or cloud solution (e.g. macro files, htm/html files, executable files/scripts) and marking inbound email as ‘EXTERNAL’. But you also need a failsafe for the worst-case scenario, so ensure offline backups/snapshots are being made of critical data and regularly test that these can be restored.

3. Abuse of collaboration tools

We expect to see increased attempts to copy common notifications sent from business services such as Office 365 (e.g. sharing and encryption emails). Attackers could start utilising alternatives to email to attempt to deliver payloads, and this could include messaging systems such as Teams. Additionally, there will be more attempts to exploit open file sharing mechanisms such as OneDrive and SharePoint sites that allow guest access, which is more common than you might think.

If you’d like help with attack mitigation or remediation, cloud configuration or advice on how to make remote working more secure, email us at contact@prisminfosec.com or call 01242 652 100 for a one-to-one consultation.

Alexis V elected to CREST-EU Council

We’re proud to announce that Alexis V, Senior Security Consultant at Prism Infosec, has been elected to the newly formed CREST-EU Council. 

CREST, an international not-for-profit accreditation and certification body that represents and supports the technical information security market, announced its intention to form the Council and an EU Chapter at the end of October. Due to meet in the new year, the council will represent its international members in the European Union and will work to “ensure greater alignment with European initiatives”. 

CREST has been restructuring since 2006 by carrying out democratic elections to form country and regional councils. These councils will feed into a single International Council which will include representation from each region. These representations will enable its members to shape and influence CREST’s strategic initiatives as well as the global cyber security market at large.

Alexis was elected to one of just ten seats on the EU Council. With over ten years’ experience of working in the UK cyber security space, he has played a crucial role at Prism Infosec over the course of the past year by establishing our office in Belgium. He currently delivers a range of penetration testing services to clientele, assists with securing sales through scoping projects, and implements our training programme to help upskill members of the team. 

Commenting on his election, Alexis said: “I’m passionate about security and encouraging and supporting others to start their cyber security journey or develop their career. Growing the Belgian office by attracting new talent, getting involved in local initiatives and developing the team has been hugely rewarding and has allowed me to draw upon my previous experience delivering Advanced Web Application Testing training at Black Hat USA. Going forward, I hope to replicate and improve upon some of the work we’ve done in the UK cyber security sector within the EU.”

Under his remit on the EU Council, Alexis hopes to be able to bridge the gap between the suppliers and consumers of security services and would like to ensure suppliers receive a consistent quality of service from within the industry which he believes can be achieved through reproducible methodologies. 

Responding to the news, Phil Robinson, Founder and Principal Consultant at Prism Infosec, said: “Alexis has such enthusiasm, knowledge and drive that I’m not at all surprised by his election. He continues to be a real asset to the Prism Infosec team and has been instrumental in our expansion and the setting up of our office in Belgium. He’s also represented the company on numerous speaking engagements where he has sought to increase awareness about new techniques and attack vectors and to promote industry best practice so he will be in his element and able to offer a unique perspective when he takes his seat on the EU Council”.

Was the NSA’s Cyber Security director right to say attackers know networks best?

By Phil Robinson

There was an interesting spat on Twitter during September when Rob Joyce, Cyber Security Director of the National Security Agency, disputed the notion put forward by security researcher @RayRedacted that “Defenders think in lists, attackers think in graphs”. (Presumably suggesting that defenders are preoccupied with tick lists and compliance while attackers are looking at the data to see where performance discrepancies and chinks in the armour lie). Joyce’s retort was that…

“Attackers put in the time to know the network and the devices better than the defenders. That’s how they win.”

His statement suggests that far from being just opportunists, attackers study the network and carefully craft their attacks. Time is on their side, which allows them to explore and reverse engineer at their leisure. And the implication is that, if their knowledge of the network outpaces your own, they capture the castle. 

But is this really true? I’d argue that there are plenty of organisations that have a strong understanding of their IT estate and a decent awareness of their environment. They may even have implemented robust defences that have met or exceeded industry best practice across their technology stacks. They know every inch of their network and what’s running over it but this doesn’t guarantee they won’t be compromised. 

What’s really happening

Security breaches occur due to a number of reasons. These can range from a lack of coverage (OS and app patching), competence (configuration weaknesses), staff awareness (password insecurity), budget (holes in defence technology), or just plain bad luck (exploiting windows of opportunity) – so it’s not just a matter of good situational awareness.

The National Cyber Security Centre (NCSC) makes the distinction that the majority of attacks are still not targeted. Some adopt a more scatter-gun approach, such as phishing, water holing, ransomware and scanning, and these by far outnumber the more time-intensive targeted attacks, with 27% of businesses being attacked once a week and 83% of these suffering phishing attacks according to the Cyber Security Breaches Survey 2021 by the DDCMS.

There’s a good reason for this. Targeted attacks can take months of preparation and execution. The attacker will typically profile your business and probe the network for weaknesses to exploit using the oft quoted cyber kill chain approach. “Attacker time” tends to preoccupy the industry, which is why you’ll hear a lot about Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), which are terms used to hawk security solutions. But the truth is you need people and process – not just technology – to keep one step ahead of the attacker. 

What can you do?

There is no single solution or tool that can be deployed to protect against the possibility of a security breach; however, if the organisation uses a variety of proactive approaches it can reduce the likelihood of being caught unawares. Here is my top 5 list of “common sense” practices that can be used to protect an organisation and reduce the possibility of compromise.

  1. Staff/User Awareness – regular security awareness training which covers the dangers of common attacks (phishing / spear phishing etc.) and educates on what to look for and how to report them quickly. Implement a “no blame” culture and encourage reports. What you don’t want are people covering their tracks for fear of reprisals from management.
  2. Device Security – ensure that devices (such as workstations and servers, but also mobile devices and other networking hardware) are configured to be as secure as possible, with users having a low level of privilege and effective Anti-Virus (AV) and/or Endpoint Detection and Response (EDR) software deployed. Remove unnecessary software, follow best practice guides on hardening (e.g. NCSC and CIS) and limit execution of unknown executables and scripts (e.g. Microsoft Defender Application Control).
  3. Centralised Management – wherever possible use centralised security management solutions (such as Mobile Device Management, centralised AV/EDR consoles and centralised patch management tools) to view and manage the estate. Do not leave the security of AV reports, patching, et al. to the individual user/workstation level. This may seem like an expensive route, but solutions exist within cloud subscription fees (e.g. Microsoft 365 and Google Workspace).
  4. Logging and Event Reporting – in the absence of a SOC or SIEM solution, wherever logs and events can be enabled across the technology stack, make sure these are set up and tuned. Ensure coverage at firewall, network device (switch/router), workstation, server, application and cloud service level. Ensure that logging is not overwhelming, to prevent alert fatigue, and that key events are prioritised (e.g. multiple password failures, AV/EDR alerts, unexpected privilege escalation).
  5. Robust Authentication – many breaches (particularly of Internet-based services) occur due to weak passwords combined with a lack of additional controls such as multi-factor authentication (MFA) or password lockouts. Review all login interfaces (prioritising Internet-facing ones) and ensure that as many as possible support these security controls.

Taking such actions will bolster defences and take the weight off the IT/security team, allowing them to monitor and respond appropriately. And they’ll be able to mitigate attacks so that as and when they do occur you can limit incursions. This all makes logical sense but security is still being sidelined in many businesses, particularly in the wake of the pandemic.

The DDCMS 2021 survey reveals that a third of businesses took no remedial action following their most disruptive breach and it’s this inertia that then paves the way for repeat or lateral attacks. The report concludes that organisations need to “recognise that good cyber security facilitates better business resilience” and suggests many businesses have focused too much on business continuity at the expense of security due to the pandemic.

Develop your awareness

Ideally, you want to begin to look critically at your network from the perspective of the attacker, and that’s where penetration testing or simulated testing comes in. There are also now frameworks that track the pattern of attacker activity. The MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework identifies the tactics, techniques and procedures (TTPs) attackers use and contains over 245 techniques. PRE-ATT&CK looks at attacker activity that happens prior to exploitation of a target network or system, providing some idea of how attackers scope attacks. The framework is continually updated so that new approaches spotted in the wild are added.

Such frameworks can be used to inform penetration testing, which both identifies security vulnerabilities and weaknesses and checks whether your controls are implemented and operating correctly. Tests are scoped to meet the needs of the business and so range in depth.

If you’d like to gain more visibility into your network to counter the ‘knowledge threat’ and to find out more about what’s involved in pen testing your systems, email us at contact@prisminfosec.com or call +44 (0) 1242 652 100 for a quick consultation.

No Shell? No Problem!

Enumerating internal networks via ssh-tunnels, Alexis V, November 2021

On a recent engagement, we were tasked to assess the security of a Secure File Transfer Protocol (SFTP) server. We were provided with a regular account to facilitate the file uploads, and so proceeded to work our way through the common checks. We tried to:

  • Log in directly via SSH with the account – this failed as the user most likely had the shell set to /usr/bin/false or similar. 
  • Attempt command execution by appending a command right after SSH login: e.g. ssh user@host /bin/bash. This also failed as the sftp user was set up correctly. 
  • Log in via SFTP, which we did, and checked to see if we were in a chroot jail – as this turned out to be the case we could not access any other directories, files, etc.
  • Attempt SSH tunnelling with the valid account. This worked, as we were able to bind to an internal service via a command like: ssh -CnfN -L 31337:127.0.0.1:22 user@host

Great, so far so good as we can now access the internal network and start searching for any services that we can exploit to gain a foothold. The problem is that this presents us with 65,535 ports to go through, and that’s just on the SSH host. It doesn’t include all the possible internal hosts. Going through all of these would be an extremely time consuming process if we did so manually.

Despite searching, I was unable to find any tools/scripts that would help me solve this problem, so we decided to write our own.

Flow Diagram of the Enumeration Technique

The concept was fairly simple and could be broken down into the following steps:

  • Create an SSH tunnel to an internal IP and port
  • Use netcat to prod the tunnel on the localhost 
  • Look for a ‘connect failed’ string from SSH, indicating a closed port
  • Or catch a timeout exception, indicating a valid port
  • Kill the tunnel and move on to the next internal IP and port

After a few hours, we had a working proof of concept that (albeit slow, with a small false positive rate) got the job done. Here’s a sample output of the tool running:

TunnelSweep Output

With this information, we can then bind to the known services, access them locally, and start exploiting them to help laterally move through the network.

We’ve uploaded the code to our GitHub. Note that the script was created during an assessment so is in no way optimised, it also sometimes reports false positives (although this can be reduced by setting a correct timeout variable in the script). We always appreciate pull requests!
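The sweep described above leaves a server-side trace: every tunnel to a closed port makes sshd log a "connect_to ... failed." error, so one session producing a burst of them against many host:port pairs stands out in auth.log. This is an added detection example written for this newsletter, not code from the engagement or from the TunnelSweep script; the log lines are constructed, and the year, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2021  # syslog timestamps carry no year; assumed for the sample

# Constructed sample of sshd auth.log lines (not a real capture). A port sweep
# through -L tunnels produces a burst of "connect_to ... failed." errors for one
# session; a normal admin session produces at most the odd one. Lines of the
# form "Received request to connect to host ... denied." appear instead when
# sshd_config has "AllowTcpForwarding no" (ideally inside the sftp Match block,
# next to ForceCommand internal-sftp and ChrootDirectory), which closes the gap.
SAMPLE_LOG = """\
Nov  3 10:02:11 sftp01 sshd[2211]: Accepted password for sftpuser from 203.0.113.7 port 51822 ssh2
Nov  3 10:02:13 sftp01 sshd[2211]: error: connect_to 10.0.0.5 port 21: failed.
Nov  3 10:02:14 sftp01 sshd[2211]: error: connect_to 10.0.0.5 port 23: failed.
Nov  3 10:02:15 sftp01 sshd[2211]: error: connect_to 10.0.0.5 port 25: failed.
Nov  3 10:02:16 sftp01 sshd[2211]: error: connect_to 10.0.0.5 port 80: failed.
Nov  3 10:02:18 sftp01 sshd[2211]: error: connect_to 10.0.0.6 port 22: failed.
Nov  3 10:02:19 sftp01 sshd[2211]: error: connect_to 10.0.0.6 port 445: failed.
Nov  3 10:05:40 sftp01 sshd[2300]: Accepted publickey for admin from 10.0.0.9 port 40001 ssh2
Nov  3 10:05:41 sftp01 sshd[2300]: error: connect_to 10.0.0.50 port 5432: failed.
Nov  3 10:09:02 sftp01 sshd[2400]: Accepted password for sftpuser from 203.0.113.7 port 51990 ssh2
Nov  3 10:09:03 sftp01 sshd[2400]: Received request to connect to host 10.0.0.5 port 21, but the request was denied.
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
ACCEPT_RE = re.compile(SYSLOG_PREFIX + r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
FORWARD_RE = re.compile(
    SYSLOG_PREFIX
    + r"(?:error: connect_to (?P<host>\S+) port (?P<port>\d+): failed\."
    + r"|Received request to connect to host (?P<dhost>\S+) port (?P<dport>\d+), but the request was denied\.)"
)


def _parse_ts(ts):
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def detect_sweeps(log_text, min_targets=5, window_seconds=60):
    """Return one alert per sshd session whose failed/denied port forwards hit at
    least `min_targets` distinct host:port pairs inside `window_seconds`."""
    sessions = {}                 # pid -> (user, source address)
    attempts = defaultdict(list)  # pid -> [(timestamp, host, port), ...]
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            sessions[m["pid"]] = (m["user"], m["src"])
            continue
        m = FORWARD_RE.match(line)
        if m:
            host = m["host"] or m["dhost"]
            port = int(m["port"] or m["dport"])
            attempts[m["pid"]].append((_parse_ts(m["ts"]), host, port))

    alerts = []
    for pid, events in attempts.items():
        events.sort()
        # Slide a window over the session's forward attempts; alert on the first
        # window that covers enough distinct targets, then move to the next session.
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
            targets = {(h, p) for _, h, p in window}
            if len(targets) >= min_targets:
                user, src = sessions.get(pid, ("?", "?"))
                alerts.append({
                    "pid": pid, "user": user, "src": src,
                    "distinct_targets": len(targets),
                    "hosts": sorted({h for h, _ in targets}),
                    "first": window[0][0], "last": window[-1][0],
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(SAMPLE_LOG):
        print(f"{a['user']}@{a['src']} (sshd pid {a['pid']}): {a['distinct_targets']} "
              f"targets on {a['hosts']} between {a['first']} and {a['last']}")
```

Successful forwards to open ports are not logged at sshd's default level, so the detection keys on the failures a sweep cannot avoid producing.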

Blog Post: Top 3 Common Networking Attacks

Prism Infosec’s Senior Security Consultant, Aaron, reviews the “Top 3 Common Networking Attacks”

During this unprecedented period when much of the world’s population is affected by lockdown measures and limited activities, cyber criminals have intensified their attacks. The state of fear and uncertainty has provided them with a new “business opportunity” and whilst most of us are spending more time on the Internet than ever before, several types of cyber-attacks have seen a drastic increase over the last few months.

1. Phishing Attacks

Amid this chaotic situation, many people are seeking out COVID-19 related information online, hoping to find reliable guidelines to stay safe and well. At the same time, hackers are taking advantage of this by ramping up “phishing” attacks that trick internet users into opening malicious files or links that purport to provide COVID-19 information.

Cyber criminals do this by impersonating trusted organisations and sending out convincing emails containing attachments that are laden with malicious payloads. On opening, the attachments execute the code and allow an attacker unauthorised access to system resources and data, along with the capability to execute further attacks on other networked devices or resources.

In other phishing attacks, unsuspecting users are tricked into following links that lead the user to realistic login pages for trusted brands. On logging in, the valid usernames and passwords are captured and later used by criminals to conduct financial fraud and impersonation. 

Phishing attacks can be mitigated in several ways:

  • Implement an anti-spoofing policy with malware and spam filters on mail servers to keep malicious emails away from employees.
  • Implement email security protection measures such as SPF, DKIM and DMARC. This increases assurance around the validity of the sender associated with a particular domain, verifies whether it has been impersonated and prevents spoofed emails from reaching inboxes.
  • Train employees on how to identify phishing exploits and the actions to take when they suspect phishing or have already opened an attachment or followed a link.
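How the SPF, DKIM and DMARC controls in the list above combine to reject a spoofed sender, shown as an added example for this post (not code from the original): the receiving MTA is assumed to have already produced the SPF and DKIM pass/fail results and the domains they were evaluated against, and the organisational-domain check is simplified to the last two labels rather than using the Public Suffix List.

```python
from typing import Tuple


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into its tags, filling in the RFC 7489 defaults
    for alignment mode (relaxed) and pct."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC1 record with a policy tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    # Assumption/simplification: the organisational domain is the last two
    # labels. A real receiver consults the Public Suffix List (e.g. for co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) needs the same
    organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record_txt, from_domain, spf_result, mailfrom_domain,
                   dkim_result, dkim_domain) -> Tuple[str, str]:
    """Combine the MTA's SPF and DKIM results with the sender domain's DMARC record.
    Returns (dmarc_result, disposition): the message passes if SPF or DKIM passed
    AND the domain that passed aligns with the visible From: domain; otherwise the
    record's p= policy (none/quarantine/reject) applies."""
    tags = parse_dmarc_record(record_txt)
    spf_aligned = (spf_result == "pass" and bool(mailfrom_domain)
                   and aligned(mailfrom_domain, from_domain, tags["aspf"]))
    dkim_aligned = (dkim_result == "pass" and bool(dkim_domain)
                    and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # Constructed record for a fictional domain; a spoofed From: that passes SPF
    # and DKIM for the attacker's own domain still fails alignment and is rejected.
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    print(evaluate_dmarc(record, "example.com", "pass", "attacker.example",
                         "pass", "attacker.example"))
```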

2. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attack

At a time when Internet connections are required more than ever, a successful Denial of Service attack will have a more damaging impact than ever before.

A Distributed Denial-of-Service (DDoS) attack is when a collection of computers are infected with malicious code and controlled as a group (botnet). They are then targeted on another Internet service such as a web site, which is flooded with Internet traffic to deny its service to legitimate users. The outcome of a DDoS attack is operational disruption, which is achieved when systems and services are taken offline. Furthermore, attackers can disrupt organisations by threatening to shut down business services unless large sums of money are paid.

DDoS attacks can be mitigated by:

  • Utilising a Web Application Firewall (WAF)
  • Implementing rate limiting

It is crucial that organisations understand Denial of Service attacks and are always prepared to defend against them.

3. Remote Desktop Server Attack

Recently, many organisations have turned to Microsoft’s Remote Desktop Protocol (RDP) as a method of allowing remote workers access to corporate resources. The number of corporate services that need to be remotely accessible has increased sharply, and with it the requirement to support remote working; however, so has the number of reported RDP attacks.

RDP is a simple and cost-efficient method of facilitating remote working and access to corporate resources such as applications or desktops. However, the protocol is not sufficiently secure to be exposed to the internet. Without adequate security configurations in place, it can be easily compromised allowing an external attacker to gain a foothold into internal networks.

RDP attacks typically involve brute-forcing usernames and passwords, attempting all possible combinations until the correct one is found. Upon discovery of a correct combination, an attacker can gain full desktop access to a computer in the target network.

If your organisation must enable RDP, it is crucial that the following protection measures are in place:

  • Unique, long and random passwords are in use to protect the systems
  • Two factor authentication
  • Limiting the use of RDP to devices using a Corporate VPN
  • Ensure security options such as Network Level Authentication are enabled
  • Avoid connectivity of the RDP service to a corporate domain

If RDP access is not required, then it should be disabled and access to port 3389 should be blocked at the firewall.

Conclusion

In conclusion, cyber-crime is bound to increase for the rest of 2020 as cyber criminals are constantly engineering new methods to attack business operations. Hence, it is crucial that businesses stay ahead of cyber threats by maintaining good security practices, such as:

  • Regularly review network security – Audit the security controls in place to ensure that network perimeters are well protected and unnecessary access is removed. Continue to monitor all systems and networks for unusual activity.
  • Maintain user education and awareness – Constantly remind employees of the importance of both physical and cyber security awareness. Develop home working policies and train employees to adhere to them.
  • Ensure malware prevention is in place – Ensure that all anti-virus solutions are updated daily and anti-malware policies are in place.
  • Maintain secure configuration on all systems – Make sure that all servers and end user devices are patched up to date. Ensure that all remote working devices are subject to integrity checks before they are allowed access into corporate networks.
  • Secure remote access configurations – All remote solutions should utilise secure authentication, encryption technologies and have multifactor authentication enforced where possible.
  • Monitor user activities and privileges – Continue to monitor user activities for potentially malicious activity and ensure that the principle of least privilege is actively applied.
  • Incident response plan – Always be alert and prepared for potential cyber-attacks, ensure that an incident response plan is in place to deal with any emergencies.

Blog Post: Home Working Cyber Security Guidance

During these uncertain times, Prism Infosec are doing their utmost to support the community with information security guidance and advice.

To start, Prism Infosec has published a blog post (longer read) and quick guide (key points) as essential updates for ensuring systems and data availability without compromising security.

A PDF of our full blog post can be downloaded from here.

For the quick guide, this can be downloaded here.

Blog Post: eCommerce Websites: Assessing the Risk

The last year has seen a significant rise in the quantity and impact of attacks on eCommerce (eCom) websites, which has cumulatively resulted in the exposure of millions of personal data records and, in some cases, cardholder data records.

In many cases, relatively simple attacks have been used to compromise eCom applications despite the best efforts of Information Security staff and standards bodies such as the PCI Security Standards Council (SSC). The potential impacts of data breaches include class action lawsuits, brand/reputational damage, fines from regulators such as the Information Commissioner’s Office (ICO) and card scheme fines from Mastercard and Visa.

Looking further into the recent breaches, there is no doubt that firms such as British Airways, Ticketmaster and Quora will have invested significantly in security and compliance. So where did it all go wrong? Are the standards not strong enough, or have the threats increased in sophistication? Why are breaches which affect millions of people so common?

What can organisations do to ensure that they minimise the risk of a successful eCom attack?

After investigating security across many eCom sites, it is apparent that gaps really do exist in many cases. One problem is that there are so many different ways to attack an eCom site, for example:

  • The underlying platform or environment hosting the eCom application;
  • Libraries, packages or dependencies used by the application;
  • The core web application functionality itself;
  • Network security;
  • Configuration settings across all systems and applications;
  • Remote access and management of the environment, including third parties; and
  • The Content Management System (CMS)

Many organisations only defend against a sub-set of these attack points or, in some cases, mistakenly believe that one or more contracted third parties is covering certain areas when this may not actually be the case.

Should an attacker gain unauthorised access to an underlying server involved in the delivery of a web site or the CMS application, then it can be straightforward to modify pages and code associated with critical pages such that information entered by a customer is duplicated to another web site under the control of the attacker. 

The issue associated with this particular attack is that the data (sensitive details such as personal data or credit card data) is not necessarily stored on the compromised server itself, but is nevertheless duplicated to a second malicious web site controlled by the attacker. The eCom site will appear to continue to process transactions ‘normally’ and so the attack can remain undetected for some time, harvesting many thousands of stolen records over a period of weeks or months.

This means that it is vitally important to ensure that access to the eCom servers and associated management systems is strongly protected, from both internal and external attackers. Additionally, detection of unexpected changes to core code and of anomalous calls in client transactions are measures that could be used to detect and prevent the success of such an attack.
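One concrete form of the "unexpected changes to core code and anomalous calls" detection just described, added here as an example rather than taken from the post: audit a fetched checkout page against an allow-list of script and form-submission hosts and against a hash baseline of its inline scripts taken from a known-good copy. The shop, hosts and pages are constructed; relative (same-origin) URLs are treated as trusted.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed pages for a fictional shop (not a real site). TAMPERED_HTML shows
# the kind of change a compromised server or CMS produces: an extra script
# pulled from an unknown host, an edited inline script, and a payment form
# that now posts to a third-party site.
GOOD_HTML = """<html><head>
<script src="https://shop.example/static/app.js"></script>
<script src="https://js.payments-provider.example/v1/checkout.js"></script>
<script>window.cart = {total: 49.99};</script>
</head><body>
<form id="card" action="https://shop.example/pay" method="post"></form>
</body></html>"""

TAMPERED_HTML = """<html><head>
<script src="https://shop.example/static/app.js"></script>
<script src="https://js.payments-provider.example/v1/checkout.js"></script>
<script>window.cart = {total: 49.99}; window.collect = true;</script>
</head><body>
<form id="card" action="https://pay.example-analytics.test/pay" method="post"></form>
<script src="https://cdn-stats.example-analytics.test/m.js"></script>
</body></html>"""

# Hosts the checkout page is allowed to load script from or submit to (assumed).
ALLOWED_HOSTS = {"shop.example", "js.payments-provider.example"}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>", re.I | re.S)
FORM_ACTION_RE = re.compile(r"<form[^>]*\saction=[\"']([^\"']+)[\"']", re.I)


def _host(url):
    # Empty for relative URLs, which stay on the shop's own origin.
    return (urlparse(url).hostname or "").lower()


def inline_script_digests(html):
    """SHA-256 of each inline <script> body; taken from a known-good copy this is
    the baseline against which later fetches of the page are compared."""
    return {hashlib.sha256(body.strip().encode()).hexdigest()
            for body in INLINE_SCRIPT_RE.findall(html)}


def audit_page(html, allowed_hosts, inline_baseline):
    """Return (kind, detail) findings for external scripts from unknown hosts,
    forms posting off-site, and inline scripts that differ from the baseline."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        if _host(src) and _host(src) not in allowed_hosts:
            findings.append(("script_host_not_allowed", src))
    for action in FORM_ACTION_RE.findall(html):
        if _host(action) and _host(action) not in allowed_hosts:
            findings.append(("form_posts_offsite", action))
    for digest in sorted(inline_script_digests(html) - inline_baseline):
        findings.append(("inline_script_changed", digest[:16]))
    return findings


if __name__ == "__main__":
    baseline = inline_script_digests(GOOD_HTML)
    for kind, detail in audit_page(TAMPERED_HTML, ALLOWED_HOSTS, baseline):
        print(f"{kind}: {detail}")
```

Run on a schedule against the live checkout page, the same check also catches the case where the compromised server keeps processing transactions normally, since the off-site duplication still has to appear somewhere in the delivered markup or script.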

Prevention

An online web application associated with the delivery of sales transactions can minimise the risk of a successful attack using effective eCom security management, such as:

  • Prevention of attacks with defence-in-depth (multi-layer security)
  • Detection and alerting of anomalies in eCom operation
  • Fast response to attacks to minimise the risk to the business

Regular testing and scanning of the eCom site is an essential basic: it should be conducted frequently, with anomalies remediated as a priority – after all, attackers are testing and scanning all eCom sites across the Internet continuously.

A challenge mentality should be present in the teams managing the site’s infrastructure, code (whether bespoke, off the shelf eCom software / cloud service or a hybrid of the two) and cyber security. This is preferable to considering penetration testing and vulnerability scanning as “tick box exercises” – even issues rated as low risk should be reviewed and managed as part of an effective risk management regime. 

It is also recommended to conduct regular focused eCom risk assessments on new or existing sites, or when changing underlying application frameworks or adding new features such as voucher codes or customer product reviews.

An effective eCom risk assessment should cover:

  • Platform/technologies in use (hosting, network and software)
  • Effective management of any third parties
  • Resilience of eCom platform
  • Sensitive data stored, processed or transmitted, compliance obligations
  • eCom code and content development, testing and deployment
  • Logging/monitoring, testing and assurance

Relying on baseline security practices such as patching and network security alone is quite clearly not enough to ensure adequate protection of an eCom website; many different threats and attacks need to be considered.

An eCom risk assessment, combined with regular testing and scanning, will ensure that the many risks of an eCom breach are understood, properly managed and mitigated as far as possible.