Just how easy is it to break into your company's networks? Hire a hacker, then sit tight.
After exposing and explaining that vulnerability, Breed focuses on another available server he found. It appears to be a system used by IT administrators for remote access. After he types a few commands, a logon screen for a remote terminal appears: It's Real VNC 3.3.7.
"What is that, and why can he access it?" asks the company director. The IT manager explains that it's a remote-system-administration tool, something their IT people use to make system changes without having to actually sit at the terminal. The IT manager then looks at Breed and says, "You'll never guess that password."
TOOLS OF THE TRADE
What the ethical hacker has on hand:
Ethereal: Free network-protocol analyzer that runs on Unix and Windows. It can analyze network traffic in real time or from a saved file.
NetStumbler: Free tool that can find wireless networks.
Nmap: Network Mapper, a tool to analyze a network for the operating systems, servers, types of services and ports, and packet filters and firewalls in place.
Netcat: Free network-analysis tool.
Nikto: Web-server scanner that tests servers for potential vulnerabilities that could allow a hacker easy entry.
Nessus: Free remote security scanner. It attempts to examine a network for vulnerabilities that could let bad guys in.
After several failed attempts Breed agrees, but explains that these systems often don't record failed logon attempts. "You can grind against this forever, and you wouldn't know. Again, it's just a matter of time," he says. And once inside, it's like "walking into the data center and physically sitting at the server."
By the end of the evening, the company's director is surprised at how far Breed was able to intrude into the network--and what could have happened, given more time. The IT manager is resolute, knowing the work that's ahead. "I thought I was going to be off this weekend," he says.
Breed explains that reaching the internal systems he did over the Internet was made possible by a router misconfiguration--the reason behind the flaw couldn't be determined--that enabled traffic from the Internet to flow into the internal systems of the company's network. "This dispels one of the popular security myths: that a company can focus only on securing its perimeter and remain secure."
A few days after the assessment, the company's director says the first thing she did was change her password. "If someone was intent on cracking that password, they probably could have. It was the initials of my kids," she says. "I take password security seriously, and I'll use stronger passwords and change them more frequently from now on." She had most of the company's VPs do the same thing.
Password security isn't the only thing that will change. "We're a growing company, and it's clear we have to get better security policies in place," she says. "You may think something is set up one way, but without looking, you just don't know." Breed may have gotten closer to the company's main systems than he thought. "That one server he got into, that one is connected to our main server," the director says. "That's been changed." And the misconfigured router that allowed the unauthorized access? "That still remains a mystery. We don't know who made that change," she says. The company has since patched that opening.
Now, change controls and regular security assessments will be part of the company routine. Says the IT manager: "Thank God we did this."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?