Not All Security Assessment Vendors Are Equal

August 10, 2009

When it comes to security assessments, each vendor has their own methodology for performing an analysis. Unlike TrustCC, many vendors rely solely on commercial applications or appliances that perform automated scans of systems using pre-built templates. Most of these applications require domain administrator privileges within the subject environment. In many cases, the results of those automated scans are given to the client as a security assessment report and in some cases the reports are not reviewed or validated, thus leaving the client with a false sense of security or insecurity.

In one case, our competitor identified a wireless access point down the street as a security threat to their bank client. When the bank asked for an explanation of the “finding”, the vendor’s response was “…our tool is too sensitive, so just ignore this finding.”

Assessments that rely solely on tools and automated scans will not identify many of the vulnerabilities that exist in modern network infrastructures. To perform a complete and comprehensive penetration test, security vendors should have a plethora of tools and utilities in their arsenal and be capable of validating identified security threats using manual exploitation or other validation techniques. Below are a couple of examples of how manual techniques and TrustCC’s expertise were used to gain domain administrator privileges during actual security assessments:

1. A vulnerability scan identified a workstation missing a security patch, and we were able to exploit it using publicly available exploit code, gaining administrative privileges on the workstation. Browsing through files stored on this particular workstation, we identified backup configuration files of network devices. A review of these configuration files revealed one FTP user account whose password was stored using Cisco’s type 7 (“level 7”) encryption. This storage format (common on Cisco devices) is a reversible encoding rather than real encryption and can be decoded instantaneously, revealing the password. For some reason this FTP account had been configured with a real domain administrator account and password, and we used it to gain full control of the client’s domain and network infrastructure.

2. Many clients utilize multi-function printer/scanner/fax machines. Most of these devices have internal hard drives that store copies of scanned or faxed documents, and they can be configured to store scanned documents on a network file server or to email copies to the owner of the document. Many of these devices are deployed in their default configuration (usernames, passwords, services, etc.) and are easily identified during a security assessment. In multiple instances we were able to gain access to the configuration pages of these devices and identify user accounts configured for either email or network file server access. The passwords on these printer accounts are masked by dots or asterisks in the web form, but they are not actually encrypted and can be revealed using a little application called Revelation. On more than one occasion these accounts had high-level access to the client domain, and even domain administrator privileges, so simply examining a printer’s configuration gave us complete control of the domain.
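The first example above turns on a detail an automated scan does not report: a backup configuration that stores a credential in a recoverable form (clear text or Cisco type 7) is as good as a printed password, and the same account may be reused elsewhere. The following script is an added example written for this page, not code from the original post or from TrustCC; it audits an IOS-style configuration for credential lines, classifies how each is stored, and flags recoverable values that appear in more than one place so they can be rotated. The sample configuration, hostnames and type 7 strings are constructed placeholders, the regular expressions cover only the common `password`/`secret` forms, and the mapping of storage types (7 = reversible encoding, 5 = MD5, 8 = PBKDF2-SHA256, 9 = scrypt) is general Cisco IOS knowledge rather than something the post states. It deliberately decodes nothing; the point is to find where a saved config would hand out a password.

```python
"""Audit an IOS-style backup config for credentials stored in weak forms.

Added example (not from the original post or TrustCC). Nothing here is
decoded: the script only reports where a config would disclose a password
and how it is stored, so the credential can be rotated and the storage
form fixed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample config; hostname, accounts and type 7 strings are placeholders.
SAMPLE_CONFIG = """\
!
version 12.4
service password-encryption
hostname BRANCH-RTR-01
!
enable password 7 0822455D0A16
username backup-ftp password 7 094F471A1A0A
username netops secret 5 $1$abcd$examplehashvalueXXXXXXXXXX
ip ftp username backup-ftp
ip ftp password 7 094F471A1A0A
snmp-server community public RO
line vty 0 4
 password 7 0822455D0A16
 login
!
"""

# Storage type digit as written in the config -> (label, severity, advice).
# Assumption (general IOS knowledge): none/0 = clear text, 7 = reversible
# encoding, 5 = salted MD5, 8 = PBKDF2-SHA256, 9 = scrypt.
STORAGE = {
    None: ("clear text", "HIGH", "password is readable as-is"),
    "0": ("clear text", "HIGH", "password is readable as-is"),
    "7": ("type 7 (reversible)", "HIGH",
          "type 7 is an encoding, not encryption; treat the password as disclosed"),
    "5": ("type 5 (MD5)", "MEDIUM", "offline-crackable hash; migrate to type 8/9"),
    "8": ("type 8 (PBKDF2-SHA256)", "OK", "acceptable"),
    "9": ("type 9 (scrypt)", "OK", "acceptable"),
}

# Matches "enable password 7 X", "username U password 7 X", "ip ftp password 7 X",
# "username U secret 5 X" and an indented "password X" inside a line block.
CRED_RE = re.compile(
    r"^\s*(?P<ctx>enable|username\s+\S+|ip ftp)?\s*"
    r"(?P<kw>password|secret)(?:\s+(?P<type>\d))?\s+(?P<value>\S+)\s*$"
)


@dataclass
class Finding:
    line_no: int
    context: str      # "enable", "username backup-ftp", "line vty 0 4", ...
    keyword: str      # password | secret
    storage: str
    severity: str
    advice: str
    value: str


def audit_config(text: str) -> List[Finding]:
    """Return one Finding per stored credential, in config order."""
    findings: List[Finding] = []
    section = "global"
    for n, line in enumerate(text.splitlines(), start=1):
        # Top-level lines reset the enclosing block; remember line/interface blocks
        # so an indented "password ..." can be attributed to them.
        if line and not line[0].isspace() and not line.startswith("!"):
            section = line.strip() if line.startswith(("line ", "interface ")) else "global"
        m = CRED_RE.match(line)
        if not m:
            continue
        context = m.group("ctx") or section
        storage, severity, advice = STORAGE.get(
            m.group("type"), ("unknown type", "REVIEW", "unrecognised storage type"))
        findings.append(Finding(n, context, m.group("kw"), storage, severity, advice,
                                m.group("value")))
    return findings


def reused_values(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group recoverable credentials (clear text / type 7) by stored value.

    Returns {value: [contexts]} for values seen in more than one place. Type 7
    includes a salt, so equal strings prove reuse but unequal ones prove nothing.
    """
    seen: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f.storage.startswith(("clear", "type 7")):
            seen[f.value].append(f.context)
    return {v: c for v, c in seen.items() if len(c) > 1}


def report(text: str) -> str:
    """Human-readable summary of the audit for one config file."""
    findings = audit_config(text)
    has_spe = any(l.strip() == "service password-encryption" for l in text.splitlines())
    out = [f"line {f.line_no:>3} [{f.severity:<6}] {f.context}: {f.keyword} stored as "
           f"{f.storage} -- {f.advice}" for f in findings]
    for value, ctxs in reused_values(findings).items():
        out.append(f"reuse: same recoverable credential in {', '.join(ctxs)}")
    out.append("service password-encryption is "
               + ("on (this only yields type 7, which is still recoverable)" if has_spe else "off"))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run against the constructed sample, the audit reports four recoverable (type 7) credentials, one MD5 secret, and two cases where the same recoverable value is used in more than one place; the `service password-encryption` note is there because that setting is often mistaken for protection, while it only converts clear-text passwords into type 7. In practice the same audit belongs in the process that collects device backups, so a config file containing a domain account never sits on a workstation unnoticed.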

These kinds of weaknesses and misconfiguration issues will not be identified by automated scans and may give a client a false sense of security. The fact is that in many cases an entire infrastructure can be compromised rather quickly by someone who knows how to use open source tools, follows a documented methodology, knows what to look for, and pays attention to the little details.

We routinely identify security issues missed by our competitors during prior assessments. During one security assessment for a new client we identified a vulnerable and exploitable Exchange server accessible over the Internet, yet a previous analysis of the same server by another security firm had reported no issues.

Financial institutions are required to have independent security assessments performed on a regular basis (most examiners translate “regular” as “at least annually or when significant change occurs”). Organizations should ensure that the vendors providing these services follow a methodology and are equipped with the appropriate skills to analyze the results effectively. Most examiners will ask financial institutions to verify that they selected a firm that is “competent and independent”. Assessment firms should at a minimum be able to validate output generated by automated scans, demonstrate vulnerability exploitation, provide a comprehensive and customized report that meets your specific requirements, and not rely solely on a single tool to perform the analysis. After all, you’re paying for an expert analysis. If a report generated by a tool meets your requirements, why not just buy the tool and cut out the middleman?

One comment

  1. I’m an outsourced IT provider. In my business I’ve worked with a bunch of different security vendors. You guys are by far the most competent and helpful. Your approach is clearly not to compete, but to improve.

    I have worked with other vendors who really shouldn’t be in the business at all. Their approach makes it clear they are running a template and not examining the unique situation. Once you see a Nessus report, or Microsoft report stuffed into a document with their heading… Well, you get the idea.

    You guys do great work. If you ever need a reference, don’t hesitate to ask.
