Hi, I was looking for a bit of advice. I have just recently carried out an audit on a wireless network. One of my findings was that the guest SSID (which has no passcode, so you can just connect) is able to route to some of their main production networks. I raised this as high risk. I should state this was an implementation issue due to limitations of the wireless kit and lack of knowledge from the company who implemented this. The client is disputing the high grade, stating "any potential security breach would require high level networking skills to firstly identify the devices and usernames and passwords to these specific devices, which is seen as highly unlikely and therefore not high risk." I have high level knowledge of wireless networks and in my opinion you should not be able to route to production networks from an unprotected wireless network. Does anyone have any opinions on this?
Replies
Consider that, potentially, 97% of firms subject to the popularized Heartbleed vulnerability have not patched all their vulnerable systems. Metasploit is moving to put a benign exploit for Heartbleed into its inventory. Not because it wants harm, but to show the true harm of the unresolved known vulnerability that has been identifiable and fixable for more than six months now, but is somehow underappreciated in the true risk it represents.
Consider that 4.5 million healthcare records were lost due to abuse of the Heartbleed vulnerability already, in this case due to an unpatched Juniper SSL-VPN. The notification of risk was given and time to evade the risk was possible, but the medical institution did not appreciate this risk and was later harmed. Unpatched, known vulnerabilities like this are proven to be damaging but remain under-addressed. Read more on the avoidable harm of the unpatched, known Heartbleed vulnerability and the quantifiable damage caused. http://www.healthcareitnews.com/news/breach-alert-hackers-swipe-dat...
Simple use of vulnerability scanner results can provide lists of known vulnerabilities. These can include a brief on the risk and occasionally proof-of-concept exploit code.
Since I specialize in freeware tools: both BackTrack and Kali Linux implementations of Metasploit are available, but on the whole, it is the failure to close the lists of known vulnerabilities served up by a vulnerability scanner that is the greater risk and closer to the root cause of avoidable risk.
Rather, please think of Metasploit as a non-destructive proof-of-concept tool used by friend-of-the-business pen-testers. Just as I would not identify an abundance of fire extinguishers as proof of a fire threat, but as a handy solution for early management of risk and early suppression of a materialized fire hazard. Metasploit is not the fire risk; it is a handy proof-of-concept tool to manage unmitigated risk earlier in the defect identification and resolution process. Why wait for a raging fire of open attack by a non-friend of the business to identify materialized hazards, rather than the risk before it is a hazard? If one does not believe the risk is real, then benignly test it.
As an actuarial matter, Metasploit is not really used by determined attackers directly. They tend only to use Metasploit to benignly prove out their test bed environment for attacking systems; then they build custom code in a QA environment fully capable of modeling a general vulnerability or even target firm environments. Rather, Metasploit still tends to be used by friend-of-the-business testers and tends to have default tests built in for the direct purpose of motivating firms to avoid known vulnerabilities.
A proof-of-concept exploit is educational for IT staff who simply cannot wrap their heads around the known vulnerability inventories presented by vulnerability scanning results. Metasploit can help with the "Show Me" Missouri state of mind.
Utilities like Metasploit have made it easy for someone with average technical ability to launch sophisticated attacks. There are so many potential vulnerabilities that a defense-in-depth strategy is crucial toward protecting these systems. Without solid Network Access Control, there is one less layer of protection available.
You are most welcome.
Don Turnblade:
https://www.linkedin.com/in/arctific
Thank you very much for the information and knowledge. It is certainly pointing me in the direction, if the client still disagrees, of keeping this as a high recommendation. My next step was to direct them to some links to back up what I am recommending, so the links from Don and yourself along with what I found will certainly help. After sitting in on a network penetration seminar earlier this year it really opened my eyes to how insecure networks can be. We are not changing the recommendation regardless of the feedback, so it is really down to them to resolve this a lot quicker than they are planning to.
Will be sure to look you up on LinkedIn
Thanks for your time
Yet I have to add the following:
Absolutely the best practice is not to use Wi-Fi in corporate networks, if possible. From time to time (because people are really lazy) it is necessary to use Wi-Fi.
In that case we have to segment the network accordingly. Separate the segment of the network where the Wi-Fi is connected into its own segment, and define the route tables at the router in such a way that only those TCP/UDP connections that are really necessary can pass through the router.
It is also necessary to have network monitoring implemented and to arrange penetration testing accordingly from time to time.
You know, this is not a place where all the aspects can be mentioned, but at the beginning it might help you. Anyhow, you can freely look for me on LinkedIn; I am open to new connections.
Best regards,
S.D.
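The segmentation advice above, as an added worked example (this is not code from any poster in this thread): a small first-match ACL evaluator that shows why "the guest SSID can route to production" is a policy defect you can test, not a matter of attacker skill. The ACL syntax is a simplified one written for this example and is not any vendor's; the addresses, the two production hosts and the probe ports are constructed and are not taken from the audit described in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One line of a simplified, first-match access list (not any vendor's syntax)."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None = any destination port

    def matches(self, proto: str, src_ip, dst_ip, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src_ip not in self.src or dst_ip not in self.dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def parse_acl(text: str) -> List[Rule]:
    """Parse lines of '<permit|deny> <proto> <src cidr> <dst cidr> [dport]'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        dport = int(parts[4]) if len(parts) == 5 else None
        rules.append(Rule(parts[0], parts[1], ipaddress.ip_network(parts[2]),
                          ipaddress.ip_network(parts[3]), dport))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny at the end of the list."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def guest_reach(rules, guest_ip, prod_hosts, probes) -> List[Tuple[str, str, int]]:
    """Every (host, proto, port) on the production side that a guest client is allowed to reach."""
    return [(host, proto, port)
            for host in prod_hosts
            for proto, port in probes
            if evaluate(rules, proto, guest_ip, host, port) == "permit"]


# Constructed addresses for this example: guest SSID on 192.168.50.0/24, production servers in
# 10.0.0.0/8 and 172.16.0.0/12. Nothing here comes from the audit discussed in the thread.
GUEST_CLIENT = "192.168.50.20"
PRODUCTION_HOSTS = ["10.10.20.5", "172.16.4.10"]
PROBES = [("tcp", 22), ("tcp", 443), ("tcp", 445), ("tcp", 3389), ("udp", 161)]

# The situation the original post describes: the guest segment is routed like any other segment.
WEAK_ACL = """
permit ip 192.168.50.0/24 0.0.0.0/0
"""

# Guest clients get DNS from the guest gateway and web access to the Internet, nothing else.
# The RFC 1918 denies sit before the permits, so first-match cannot let a web port through
# to an internal server.
HARDENED_ACL = """
permit udp 192.168.50.0/24 192.168.50.1/32 53     # DNS on the guest gateway only
deny   ip  192.168.50.0/24 10.0.0.0/8
deny   ip  192.168.50.0/24 172.16.0.0/12
deny   ip  192.168.50.0/24 192.168.0.0/16
permit tcp 192.168.50.0/24 0.0.0.0/0 80
permit tcp 192.168.50.0/24 0.0.0.0/0 443
# implicit deny: everything else from the guest segment is dropped
"""

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        reachable = guest_reach(parse_acl(acl), GUEST_CLIENT, PRODUCTION_HOSTS, PROBES)
        print(f"{name}: guest can reach {len(reachable)} production service(s): {reachable}")
```

The point of the evaluator is the order of the rules: with the denies for the internal ranges placed ahead of the Internet permits, a later "permit tcp ... 443" can never be matched by a packet bound for a production server, and everything the list does not mention falls to the implicit deny. Running the same probes against the real router (from a guest client, with authorization) is the check that turns the client's "highly unlikely" into a list of reachable services.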
http://www.nowiressecurity.com/articles/things_wi-fi_hackers_hope_y... The important part is the "Cracking the wireless encryption" paragraph.
http://unlimitedhacks.com/wifi-hacker This is a tool that requires knowledge of the SSID and resolves the password. It is currently recommended to keep passwords at least 14 characters long, with upper case + lower case + numbers; simply a strong password. More is better according to current knowledge of attackers.
http://www.makeuseof.com/tag/how-easy-is-it-to-crack-a-wifi-network...
I have to emphasize that even when the SSID is hidden it is possible to find it in the network relatively quickly.
USE ALL THESE links, if possible, from a computer that is very strongly secured, please.
I hope it will help you; however, I will still discuss this with my son, who is trained as an ethical hacker, in this connection as well.
Thank you very much for your response, which is helping me explain in better words why I graded this a high risk; in particular the "for fun" reply is where I am directing my manager to assure him I am correct (to be fair, he never doubted me). So this is now back with the client; we briefly described why we believe it is graded high and that this should remain. We also explained that we do not believe advanced networking skills are required: just someone with an interest and access to Google could try attacking this network, especially considering the nature of the environment that this network is installed in. Hopefully they see sense and accept the High recommendation; if not, I may need to quote some of your fun analysis!
Response much appreciated. If this escalates any further I will keep this post updated with the goings on.
For extra points:
I include links to Internet freeware that would enable the average person to identify systems and wireless networks with ease. Anyone can find YouTube videos on how to use these tools for free should they wish.
Enumerating Systems in a network: Nmap:
http://nmap.org/zenmap/
Identifying Wireless Networks: Kismet:
https://www.kismetwireless.net/download.shtml
The IT organization that does not know these tools are freely available to the public might be either naive, off its game, or knowingly lying to Governance, Risk and Compliance.
Danger Will Robinson.
https://www.youtube.com/watch?v=OWwOJlOI1nU
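To show what the Nmap step in the post above produces in an auditor's hands, here is an added example (not code from any poster, and not part of Nmap): a parser for Nmap's grepable output format (`-oG`) that folds the scan into a list of production hosts that answered from the guest network with open ports. The scan output is constructed for this example; the addresses, hostnames and banners in it are made up and are not from the audit in the thread.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of Nmap grepable output (-oG), as a guest-Wi-Fi client might get it when
# scanning a small production range. Addresses, hostnames and banners are invented for this example.
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated Mon Jun  2 10:00:00 2014 as: nmap -oG - -p 22,80,443,445,3389 10.10.20.0/28\n"
    "Host: 10.10.20.5 ()\tStatus: Up\n"
    "Host: 10.10.20.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6/, 443/open/tcp//https//nginx/\tIgnored State: closed (3)\n"
    "Host: 10.10.20.9 (fileserver.corp.example)\tStatus: Up\n"
    "Host: 10.10.20.9 (fileserver.corp.example)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (3)\n"
    "Host: 10.10.20.12 ()\tStatus: Up\n"
    "Host: 10.10.20.12 ()\tPorts: 80/closed/tcp//http///\tIgnored State: filtered (4)\n"
    "# Nmap done at Mon Jun  2 10:00:05 2014 -- 16 IP addresses (3 hosts up) scanned in 5.01 seconds\n"
)

# Constructed production ranges for the example; an auditor would take these from the client's addressing plan.
PRODUCTION_NETS = ["10.10.0.0/16", "172.16.0.0/12"]


def parse_grepable(text: str) -> Dict[str, dict]:
    """Fold -oG lines into {ip: {"hostname": str, "up": bool, "ports": [(port, state, proto, service)]}}."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # "# Nmap ..." banner and trailer lines
        fields = line.split("\t")                     # tab-separated: Host, then Status or Ports, ...
        m = re.match(r"Host: (\S+) \((.*?)\)", fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        for field in fields[1:]:
            if field.startswith("Status:"):
                entry["up"] = field.split(":", 1)[1].strip() == "Up"
            elif field.startswith("Ports:"):
                for item in field[len("Ports:"):].split(","):
                    item = item.strip()
                    if not item:
                        continue
                    # Each item is port/state/proto/owner/service/rpc/version/
                    parts = item.split("/")
                    entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def production_exposure(hosts: Dict[str, dict], production_nets: List[str]
                        ) -> List[Tuple[str, str, List[Tuple[int, str, str]]]]:
    """Hosts inside the production ranges that answered with at least one open port."""
    nets = [ipaddress.ip_network(n) for n in production_nets]
    findings = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            continue
        open_ports = [(port, proto, service)
                      for port, state, proto, service in hosts[ip]["ports"] if state == "open"]
        if open_ports:
            findings.append((ip, hosts[ip]["hostname"], open_ports))
    return findings


def summarize(hosts: Dict[str, dict], production_nets: List[str]) -> dict:
    """The numbers that go into the finding: hosts that answered, and exposed hosts/services."""
    findings = production_exposure(hosts, production_nets)
    return {"hosts_up": sum(1 for h in hosts.values() if h["up"]),
            "exposed_hosts": len(findings),
            "exposed_services": sum(len(f[2]) for f in findings)}


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for ip, name, ports in production_exposure(scan, PRODUCTION_NETS):
        print(f"{ip} {name or '-'}: " + ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in ports))
    print(summarize(scan, PRODUCTION_NETS))
```

Hosts that only answered with closed or filtered ports (10.10.20.12 in the sample) still count as "up", which is itself evidence that the guest segment is routed into the production range; only those with open services become findings. Feed the real `nmap -oG` output in place of the constructed sample and the summary gives the client the device list their "high level networking skills" argument assumes nobody can produce.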