Just how easy is it to break into your company's networks? Hire a hacker, then sit tight.
After exposing and explaining that vulnerability, Breed focuses on another available server he found. It appears to be a system used by IT administrators for remote access. After he types a few commands, a logon screen for a remote terminal appears: It's RealVNC 3.3.7.
"What is that, and why can he access it?" asks the company director. The IT manager explains that it's a remote-system-administration tool, something their IT people use to make system changes without having to actually sit at the terminal. The IT manager then looks at Breed and says, "You'll never guess that password."
TOOLS OF THE TRADE
What the ethical hacker has on hand:
Ethereal: Free network-protocol analyzer that runs on Unix and Windows. It can analyze network traffic in real time or from a saved file.
NetStumbler: Free tool that can find wireless networks.
Nmap: Network Mapper, a tool to analyze a network for the operating systems, servers, types of services and ports, and packet filters and firewalls in place.
Netcat: Free network-analysis tool.
Nikto: Web-server scanner that tests servers for potential vulnerabilities that could allow a hacker easy entry.
Nessus: Free remote security scanner. It attempts to examine a network for vulnerabilities that could let bad guys in.
After several failed attempts Breed agrees, but explains that these systems often don't record failed logon attempts. "You can grind against this forever, and you wouldn't know. Again, it's just a matter of time," he says. And once inside, it's like "walking into the data center and physically sitting at the server."
By the end of the evening, the company's director is surprised at how far Breed was able to intrude into the network--and what could have happened, given more time. The IT manager is resolute, knowing the work that's ahead. "I thought I was going to be off this weekend," he says.
Breed explains that reaching the internal systems he did over the Internet was made possible by a router misconfiguration--the reason behind the flaw couldn't be determined--that enabled traffic from the Internet to flow into the internal systems of the company's network. "This dispels one of the popular security myths: that a company can focus only on securing its perimeter and remain secure."
A few days after the assessment, the company's director says the first thing she did was change her password. "If someone was intent on cracking that password, they probably could have. It was the initials of my kids," she says. "I take password security seriously, and I'll use stronger passwords and change them more frequently from now on." She had most of the company's VPs do the same thing.
Password security isn't the only thing that will change. "We're a growing company, and it's clear we have to get better security policies in place," she says. "You may think something is set up one way, but without looking, you just don't know." Breed may have gotten closer to the company's main systems than he thought. "That one server he got into, that one is connected to our main server," the director says. "That's been changed." And the misconfigured router that allowed the unauthorized access? "That still remains a mystery. We don't know who made that change," she says. The company has since patched that opening.
Now, change controls and regular security assessments will be part of the company routine. Says the IT manager: "Thank God we did this."