Mitigation Examples

Remote Entry Points

rlogin – Ports 512, 513 & 514: remotely accessible to any host that is running rsh-client.

NFS (Network File System) – Port 2049: the exported file system can be mounted by a remote machine, effectively giving access to the host's root file system; an SSH authorised key can then be transferred to the target machine and a root-level SSH authenticated connection established.

Telnet – Example – Port 21, vsFTPd version 2.3.4: this File Transfer Protocol (FTP) server version contains a backdoor that originates from its development stage. Using a known login sequence, a connection can be established and maintained at root user level.

Samba – Port 445: the Samba service is exploitable via a remote shell over an anonymous connection. This port gives access to shared system files.

Recommendation:

Open ports that are not in continuous or regular use on the network and its hosts should be blocked. Where ports must remain in use, at a minimum user accounts and passwords should be created and managed according to the recommended password characteristics; refer to the Weak User Credentials section for more information.

A specific US governmental best practice for the Samba port recommends disabling TCP ports 139 & 445 and UDP ports 137 & 138 entirely at the network boundary, to prevent an attacker obtaining sensitive data stored on the shared systems.

These are basic network activities that should be managed by the network administrators; regular review of port status will support the overall security posture.
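The port review recommended above, as an added example that is not part of the original report: a small POSIX shell script that compares a host's listening ports with an assumed per-host allow-list and flags the services named in the findings. Real input would come from `ss -ltnH | awk '{print $4}'`; the listener list embedded here is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the report): compare the ports a host is listening
# on with a per-host allow-list and flag everything else, including the services
# this report found exposed (FTP 21, r-services 512-514, SMB 139/445, NFS 2049).
# Real input comes from `ss -ltnH | awk '{print $4}'` (one local address:port per
# line); the sample below is constructed so the script runs offline.

ALLOWED_PORTS="22 80 443"   # assumed allow-list for a web host; set per host role

# service_name PORT: label the ports named in the findings for the report.
service_name() {
    case "$1" in
        21)          echo "ftp (vsftpd finding)" ;;
        512|513|514) echo "rlogin/rsh/rexec" ;;
        137|138)     echo "netbios (udp, see Samba note)" ;;
        139|445)     echo "smb/samba" ;;
        2049)        echo "nfs" ;;
        *)           echo "unlisted service" ;;
    esac
}

# audit_ports: reads address:port lines on stdin, prints "UNEXPECTED <port>
# <service>" for each port missing from ALLOWED_PORTS (IPv4 and IPv6 forms are
# handled by taking the text after the last colon) and returns 1 if any were found.
audit_ports() {
    found=0
    while read -r addr; do
        [ -z "$addr" ] && continue
        port=${addr##*:}
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) printf 'UNEXPECTED %s %s\n' "$port" "$(service_name "$port")"
               found=1 ;;
        esac
    done
    return "$found"
}

# Constructed listener list; not captured from a real host.
SAMPLE_LISTENERS='0.0.0.0:21
0.0.0.0:22
0.0.0.0:80
0.0.0.0:445
0.0.0.0:512
0.0.0.0:2049
[::]:80'

printf '%s\n' "$SAMPLE_LISTENERS" | audit_ports \
    || echo "Action: block the ports above at host and boundary firewalls, or document why each is required"
```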

Weak User Credentials

SSH – Port 22: Secure Copy Protocol (SCP) was used to transfer the encrypted user and password information off the host machine. Once these files are on the attacking machine they can be decrypted and the user credentials identified.

Users and their corresponding passwords can be cracked, and the credentials then misused for logins and system configuration modifications. Example – the users and passwords are of low complexity and do not meet even the most basic recommended password strength conditions.

Recommendation:

There are various methods to strengthen the use of users and passwords. Where possible, reduce the reliance on passwords within the company. Use Multi-Factor Authentication (MFA) for critical accounts. Other methods are as follows:

  • Single sign-on – one account for multiple systems
  • Apply account lockouts if too many login attempts are made within a specified time frame.
  • Monitor the network using an IDS or IPS – this is asset and security budget dependent
  • Encrypt passwords in transit and store them using a hashing method at rest
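The account-lockout and IDS points above, as an added example that is not part of the original report: an awk-based check over sshd log lines that reports the moment a source address reaches a failed-login threshold inside a time window, which is the condition a lockout module or an IPS rule would act on. The threshold, window and log lines are assumed and constructed; timestamps are syslog "Mon DD HH:MM:SS" compared within one day.

```shell
#!/bin/sh
# Added example (not part of the report): account-lockout / IDS logic applied to
# sshd log lines. Reports any source address that reaches THRESHOLD failed logins
# within a WINDOW-second span, i.e. the point at which a lockout or an IPS block
# would trigger. Timestamps are syslog "Mon DD HH:MM:SS" and are compared within
# one day; the log lines below are constructed, not captured from a real host.

# detect_bruteforce THRESHOLD WINDOW: reads auth log lines on stdin and prints
# "LOCKOUT <ip> <count>" once per offending address.
detect_bruteforce() {
    awk -v thr="$1" -v win="$2" '
    /Failed password for/ {
        # Fields: Mon DD HH:MM:SS host sshd[pid]: Failed password for ... from IP port N ssh2
        split($3, t, ":"); secs = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        n[ip]++; ts[ip, n[ip]] = secs
        # Count failures from this address inside the window ending at this line.
        c = 0
        for (j = n[ip]; j >= 1 && secs - ts[ip, j] <= win; j--) c++
        if (c >= thr && !flagged[ip]) { flagged[ip] = 1; print "LOCKOUT", ip, c }
    }'
}

# Constructed sample: one address hammering root/admin, one user mistyping twice.
SAMPLE_AUTH_LOG='Mar  3 09:00:01 web1 sshd[1201]: Failed password for root from 10.0.0.5 port 51822 ssh2
Mar  3 09:00:05 web1 sshd[1202]: Failed password for invalid user admin from 10.0.0.5 port 51823 ssh2
Mar  3 09:00:09 web1 sshd[1203]: Failed password for alice from 10.0.0.5 port 51824 ssh2
Mar  3 09:00:12 web1 sshd[1204]: Accepted password for alice from 10.0.0.9 port 40110 ssh2
Mar  3 09:00:14 web1 sshd[1205]: Failed password for root from 10.0.0.5 port 51825 ssh2
Mar  3 09:00:20 web1 sshd[1206]: Failed password for root from 10.0.0.5 port 51826 ssh2
Mar  3 09:00:31 web1 sshd[1207]: Failed password for root from 10.0.0.5 port 51827 ssh2
Mar  3 09:20:00 web1 sshd[1310]: Failed password for bob from 10.0.0.9 port 40111 ssh2
Mar  3 09:45:00 web1 sshd[1400]: Failed password for bob from 10.0.0.9 port 40112 ssh2'

# Five failures within 60 seconds triggers a lockout for 10.0.0.5 only.
printf '%s\n' "$SAMPLE_AUTH_LOG" | detect_bruteforce 5 60   # LOCKOUT 10.0.0.5 5
```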

Again, regular reviews of current password policies will support the obligation to adapt policy where required. Protection of users and passwords is the responsibility of all members of an organisation, provided that the correct policies have been established in the first instance.

Web Application Vulnerabilities

Potential issues exposed during a programmed automated scan of a web application. Particular attention should be given to the following points:

  • Outdated Software – At least one instance of software pertaining to a web service is outdated and may no longer be supported with security updates. (Example – software identified – Apache version 2.2.8 – current version is 2.4.37.) Outdated software can be a major security issue; one of the main reasons for controlled software updates is the discovery of vulnerabilities in live applications.
  • HTTP TRACE method is active – Cross-Site Tracing (XST) can be exploited across the HTTP platform.
  • Administration Directory Access – the admin web application pages are easily identified. Access to these pages can result in user enumeration or SQL injection to obtain sensitive database information.

Recommendation:

  • Patching the software and firmware on new revision releases will help prevent possible compromise. Monitor vulnerability databases for new exploits related to the organisation's installed systems.

Depending on the Information Technology (IT) budget, a patch management system could be an addition to the network infrastructure. Again, this solution is security budget dependent and should be considered in all security budget reviews and analysis.

  • The HTTP TRACE method can be disabled to avoid disclosure of sensitive information.
  • Administration Directory Access – this issue falls under the Broken Access Control category. Remedial action can be taken by assessing whether the application is essentially reliant on admin control via the web, or whether it can be controlled and monitored locally. Ensuring that this access is not externally reachable will inhibit the potential for malicious activity.
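The two web-server recommendations above, as an added example that is not part of the original report or of the Apache project: a shell audit of an httpd configuration that checks whether TRACE is actually disabled and whether the admin location carries an access restriction, run against a constructed permissive "before" config and a hardened "after" config. TraceEnable, Location, Require and Deny are real Apache directives; the admin path and address range are assumptions.

```shell
#!/bin/sh
# Added example (not from the report or from Apache): audit an httpd configuration,
# read from stdin, for the two web findings above: HTTP TRACE left enabled and an
# unrestricted admin directory. TraceEnable, <Location>, Require and Deny are real
# Apache directives; the sample configs below are constructed.

# trace_status: prints "off" only if the effective TraceEnable value is off
# (last occurrence wins; the default and the "extended" value still answer TRACE).
trace_status() {
    awk 'tolower($1) == "traceenable" { v = tolower($2) }
         END { print ((v == "off") ? "off" : "on") }'
}

# admin_restricted PATH: prints "restricted" if the <Location PATH> block carries
# a Require rule other than "all granted" or a Deny directive, otherwise "open".
admin_restricted() {
    awk -v path="$1" '
        tolower($1) == "<location" { p = $2; sub(/>$/, "", p); inblk = (p == path) }
        inblk && tolower($1) == "require" && !($2 == "all" && $3 == "granted") { r = 1 }
        inblk && tolower($1) == "deny" { r = 1 }
        tolower($1) == "</location>" { inblk = 0 }
        END { print (r ? "restricted" : "open") }'
}

# audit_web_conf PATH: one-line summary for a config supplied on stdin.
audit_web_conf() {
    conf=$(cat)
    printf 'TRACE=%s admin=%s\n' \
        "$(printf '%s\n' "$conf" | trace_status)" \
        "$(printf '%s\n' "$conf" | admin_restricted "$1")"
}

# Constructed "before" config resembling a permissive 2.2-era default.
WEAK_CONF='TraceEnable On
<Location /admin>
    Order allow,deny
    Allow from all
</Location>'

# Constructed "after" config: TRACE disabled, admin pages limited to an assumed internal range.
HARDENED_CONF='TraceEnable Off
<Location /admin>
    Require ip 10.0.0.0/8
</Location>'

printf '%s\n' "$WEAK_CONF"     | audit_web_conf /admin   # TRACE=on admin=open
printf '%s\n' "$HARDENED_CONF" | audit_web_conf /admin   # TRACE=off admin=restricted
```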

Web application configurations and modifications should be checked against standard best practices by the in-house web development team. If no in-house web development team is present, the web development company contracted to carry out the work should be notified of any security issues encountered, as described in this report.