Monthly Archives: May 2018

What Grover Can Teach Us About Breaching Perimeter Defenses

When a firm has a known point of ingress from the Internet, it will secure that connection. It will use firewalls, IPS devices, proxy servers, and also start getting IT help in the DC area so that they stay updated with changes. Those defenses will pass audits, no problem. But what about ways to get into the corporate network that aren’t known to central IT staff? What are the consequences of those unmanaged points of ingress?

We turn to Grover the Muppet for that lesson. In the video I linked, it is ostensibly about bringing a bowl of soup to a sick friend. However, on another level, it is teaching penetration testing techniques to five-year-olds.

Shalom Sesame: Mitzvah Impossible

Grover first encounters a wall. Call it a firewall, if you want. Rather than give up, Grover finds one way around it – going over. His friend finds another way – going around. In both cases, the wall did not cover all possible ingress paths, so it did not provide sufficient security. Later, when Grover encounters a cow blocking his path much like an IPS does, he need only pass a weak test – basically a declaration that his traffic is business critical – to continue forward with his payload.

Grover’s activity would be analogous to an attacker entering a network via an insecure ingress path and then using traffic defined as legitimate to continue with his operation. He uses methods so simple, a five-year-old could grasp them. Maybe those over five would do well to review the security video I linked to…

At any rate, the wall is very nice and blocks traffic that does not route around it. Had the wall been fitted over a cave mouth, it would have been much more difficult to route around, and that would be possible only if there was another unsecured path of entrance into the cave system. As it is, it needs to be taller and wider to cover those available paths of ingress.

How many firms have frustrated employees? I suspect it’s all of them. That’s bad news, because frustrated employees are also those that are most likely to call up a local ISP for a DSL line out of their local budget so that they can have Internet access for some purpose. Nobody higher up or in the central office approved the line: they just put it together themselves. And if central IT refused to allow that connection to hook up with the corporate network, that’s not a problem. They can buy some inexpensive small business switches and hubs and allow their PCs to connect to the corporate network and the shadow IT network at the same time.

How many firms have web developers on a tight schedule? Oh my, that’s a very high percentage… That’s bad news because those developers might set up VPN servers – only for emergency purposes, of course – so that they can connect from home to the test environment more effectively than they can if they use the corporate VPN. Or maybe they have a fileshare server opened up so it can offer its files on the Internet, making things much easier. Or maybe they use an insecure coding shortcut that gets the site up that much faster, even if it means it now allows quite a lot of malicious activity over HTTP and HTTPS.

How many firms have employees that click on links in emails? How many firms have contractors whose contracts have ended, but their workstations stayed logged in… and unpatched… and maintaining a dual-homed Internet connection on the guest network? How many firms have subsidiary or ancillary organizations that manage their own Internet connections… badly… and that have full trust relationships with the parent organization?

Well, that’s bad news, because… well, I’m sure you see the pattern here. None of these paths of ingress are properly managed, let alone secured. Malicious Grovers are carrying bowls of malware-infested chicken soup to servers and workstations that lap the stuff up without questioning.

So now the problem is finding the unmanaged ingress points. The solution is simple: look at your traffic. See if there is traffic on your network that has an outside IP as its source. Next, take a look to see what ports the traffic is using. If those ports are blocked on your firewalls, and I mean *all* your firewalls, see if there are routing paths to that outside IP that take odd twists and turns in your network. Perhaps they lead to that unauthorized ISP connection or that rogue VPN server.

Once you find those things and have them shut down, check your traffic again. You may very well see those IPs again on your network, now with new routes back out. Those will lead to other paths you want to close off.

You have to check constantly, because you will never know when someone creates a new path of ingress that endangers your network. You can also check for dual-homed devices and abandoned devices and try to police links in email messages. All those measures will help to keep five-year-old kids who saw the above video and got the wrong idea from hacking up your network.

Now, the disclaimer… I work for a vendor that not only makes a product that covers most of the detection methods and remediation items mentioned above, I’ve also used it in an environment that thought it had closed off all those other ways into its network. When I told them about the IP addresses in China that were scanning for the Cisco Smart Install port, they soon discovered that there yet remained more ways in that they would have to deal with.

This is not FUD. This is a realistic assessment of stuff that happens, most likely under everyone’s noses. Not everyone knows to look for this stuff, let alone knows how to look for this stuff, which is how it can go on and on. If auditors only know to check the managed gear, then a firm could conceivably pass audits and still have these issues happening.

So, take a tip from Grover and start looking for ways people break into your network that go over, around, or right on through your perimeter defenses.