Validating Security Controls and Countermeasures with Penetration Testingrevsec
It’s been a few weeks and the dust is starting to settle following the reported data breach in September 2017 at Equifax, one of the big three credit reporting agencies. While other major data breaches have been the result of advanced methods possibly utilizing leaked classified attack techniques, this attack was performed by exploiting a well-known vulnerability within a popular web application. Although this vulnerability had a corrective software patch available, it was not applied to the vulnerable servers.
In March of 2017, the Unites States Computer Emergency Readiness Team (U.S. CERT), a Department of Homeland Security (DHS) organization, released an advisory stating that this specific web application was vulnerable to attack, and released a patch to secure the popular application. According to multiple reports, vulnerability scans were performed at Equifax within 48 hours of receiving this advisory. The next day, no vulnerabilities had been identified on their servers that were running the vulnerable web application. Additional scans were run the following week and those scans also completed without identifying any vulnerabilities. According to reports, after these scans were finished, no additional actions were taken. Subsequent reports also noted web facing servers that utilized default credentials were not identified by the vulnerability scans.
These vulnerability scans provided Equifax with a false sense of security. Despite running the scans, there were still servers running the vulnerable web application which reportedly led to over 143 million people having their sensitive information exposed. There are three critical steps that should be taken to help prevent a similar data breach:
1. Asset inventory: Expand your understanding
While vulnerability scans were run, which is basic good housekeeping, there is a recognized shortcoming with vulnerability scans sometimes not identifying a known vulnerability or misconfiguration. Further validation of the servers’ security should have been completed, including reviewing a comprehensive asset inventory to identify any systems running the vulnerable versions of software noted in the U.S. CERT bulletin.
2. Patching: Quickly & Everywhere (or compensate with other controls)
When U.S. CERT identified the web application vulnerability, it also noted that patches were available and should be applied to vulnerable servers. The supplied patches should have been tested and then applied to all servers running the vulnerable web application using the comprehensive asset inventory mentioned above. Where conditions exist that prevent a patch from being applied, additional monitoring or other compensating controls should be applied.
3. Penetration Testing: Ensure the real world matches your inventory
When the U.S. CERT bulletin was released, knowledge of how to exploit the vulnerability also became public. If a penetration test had been conducted on the servers after running the scans, it is likely they would have identified vulnerable servers and prevented this data breach.
In summary, this data breach was not the result of an advanced adversary running the latest and greatest tools, it was the result of an incomplete security process. If the asset inventory identified potentially vulnerable systems, or the supplied patches were installed, or the patches were confirmed through penetration testing, it is likely that this data breach would not have occurred. The more complex your operating environment, the more critical it is to have a real-time picture of your systems, versions, and controls.
An important lesson was still gleaned from this situation. Leverage multiple sources to validate patch/vulnerability management. An enterprise can’t operate without vulnerability scans, nor can an enterprise rely solely on asset inventories or security assessments to identify out of date patches. Coordinated use of current threat intelligence, comprehensive asset information, patch management tools and penetration testing practices will help to ensure proper vulnerability management across your enterprise.
Need help understanding your risk profile? From threat modeling to penetration testing, the Revolutionary Security team is ready to help you identify your gaps & vulnerabilities and create a plan to reduce and manage your critical risks.
About the Author
Trevor is a cyber security professional with experience in both Information Technology (IT) and Operations Technology (OT) environments. Trevor brings extensive experience working as a penetration tester and intelligence analyst performing various functions within global Security Operations Centers (SOCs) for Fortune 500 organizations, including IT/OT integrated SOC environments.