
A ‘CAN of WORMS’ ready for deployment in Prod. – Please complete your Pentest quickly…

Sometimes you may get a complete ‘CAN OF WORMS’ to PenTest.

Well this started on a busy Monday morning where we were looking at the various PenTest jobs assigned to us. I normally use the early morning to plan and schedule my tasks for the day.


As I was about to complete the scheduling and was getting ready for a kick-off meeting for an upcoming Penetration Testing project, my team manager suddenly came to my desk. Looking at him I had a feeling that my scheduling effort was going to be in vain soon.

Bingo! I was right. He said that we had an urgent request for conducting a Penetration Test on a server – an AIX box. Since this was urgent and required AIX skills, he was going to request me to squeeze it into my schedule. As I naturally do not like things pushed to me at the last moment (however, in day-to-day operations we all have to do this), I asked if this could wait until next week. The answer was no. So I had to postpone my schedule and we headed off to have a quick discussion with the project team to understand the design and to do our probing exercise.

After a short discussion we realized that this was not the latest box being deployed; even the OS was old. The project, however, clarified that this was due to business constraints. The PM further added that the architects had taken care that the build was secure and patched. "All we need you to verify is whether it has any vulnerabilities in it."



Well, if I had to agree with the PM then I was heading to do really only a Vulnerability Scan and not a full-blown Penetration Test? I probed further and we were informed that this was kind of an ad-hoc assignment: the environment where this box would be hosted was already secured and did not require penetration testing. It's just one box that we need to assess for security… Well, sounds pretty straightforward – isn't it?

Being paranoid when it comes to security, my next question was: Look, this box is an ad-hoc arrangement that you have done and this definitely is not best in breed. So I want to know if there were any changes made to the security controls in the environment to facilitate the smooth functioning of this box? Crickets!!!
One of the architects mentioned: Yes, there were a few minor arrangements done and they are being tracked separately in an Excel sheet. I can send you a copy of that. I insisted that the Excel sheet be opened now. The project guys hated me for doing this as I was eating their time and not succumbing to their instructions to conduct the VA and close it off.

I did not budge and I humbly requested that the Excel sheet be opened now. When we looked at the sheet there were at least 2 firewall changes, changes to the IPS policy and new routes being added…

Does this not change the status of the environment?
Will the Pentest that was done previously on this environment still remain valid?
IMHO this definitely requires the environment to be tested. The changed firewall rules need to be examined. The IDS policy needs to be reviewed, etc. Has this been done? Now I had started making sense to the audience.

Finally it was agreed: let us proceed with a Vulnerability Assessment and, if there are any major gaps, then proceed with a Penetration Test of the environment – due to tight timelines. So I gathered all the required information and planned for the Security Assessment (VA + PT as the case may be), as I was not sure how this would unfold.
After doing the basic threat modelling and sending all the prior notifications I started with my assessment.

I decided to do an nmap scan before I did a VA.
A quick 5-minute scan revealed more than 30 ports open on the box (it appeared to me as if I was testing the Metasploitable box :)).
It was getting interesting. I decided to go a bit harder and use the Nmap Scripting Engine to get into the details of these services.
I will not get into the details of what came out of the NSE report, but I will let you know a few things.
  1. It had SSH configured.
  2. It had FTP configured. (Yes anonymous and clear text)
  3. It had Telnet running. (yes clear text)
  4. The box was not patched.
It had many older versions of softwares that had Remote Code Execution Vulnerabilities.
I scratched my head and thought, is this a mistake? I checked the project documentation and found that their design actually wanted telnet to be available!!!
At this point I ran a Nessus scan because I did not want to spend more time doing active penetration on a box which was hackable in 10 different ways – this was clearly a CAN OF WORMS and an open invitation to motivated hackers.
I could have done a pen test on each of these weaknesses and created a 200-page report explaining each issue. I decided to use a different approach.
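As an added illustration (not code from the original post), the kind of quick check that turns the NSE output above into baseline findings: it parses nmap XML (`-oX`) and flags open cleartext services and anonymous FTP against an assumed secure-config baseline. The sample XML below is constructed, with placeholder address and versions, not the scanned box's real output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV --script=ftp-anon -oX` output (placeholder
# host, products and versions; not data from the post's actual scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/>
    <service name="ftp" product="vsftpd" version="2.3.4"/>
    <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
   </port>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="5.3"/></port>
   <port protocol="tcp" portid="23"><state state="open"/>
    <service name="telnet"/></port>
   <port protocol="tcp" portid="443"><state state="open"/>
    <service name="https"/></port>
  </ports>
 </host>
</nmaprun>"""

# Assumed baseline for this example: cleartext protocols that a secure-config
# guideline would not allow on a production box.
CLEARTEXT_SERVICES = {"telnet", "ftp", "tftp", "rsh", "rlogin", "rexec"}


def review_nmap_xml(xml_text):
    """Return (port, service, finding) tuples for every open port that
    violates the baseline: cleartext service, or anonymous FTP per ftp-anon."""
    findings = []
    root = ET.fromstring(xml_text)
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # only open ports matter for exposure
        portid = int(port.get("portid"))
        svc = port.find("service")
        name = svc.get("name", "unknown") if svc is not None else "unknown"
        if name in CLEARTEXT_SERVICES:
            findings.append((portid, name, "cleartext protocol exposed"))
        for script in port.findall("script"):
            if script.get("id") == "ftp-anon" and \
                    "Anonymous FTP login allowed" in script.get("output", ""):
                findings.append((portid, name, "anonymous FTP login allowed"))
    return findings


if __name__ == "__main__":
    for port, name, finding in review_nmap_xml(SAMPLE_NMAP_XML):
        print(f"{port}/tcp {name}: {finding}")
```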
I consulted the head of our team and sent a small 2-page report. The report mentioned:
Our 1-hour analysis of the BOX under security assessment shows the following vulnerabilities:
1]
2]
3]
4]
5]

full 1st page

Next Page
These can be exploited in the following ways:
1]
2]
3]
4]
5]

The box does not even meet the primary criteria of being built as per “XYZ” (company name) specifications for secure configuration.
If you would like, we are happy to do a POC on any of the vulnerabilities reported on Page 1.
We recommend that this box SHOULD NOT move to production. The box should be rebuilt and configured as per the secure configuration guidelines. The environment where this will be hosted should also be pentested.
This was one of the shortest reports we had created. However, it created awareness amongst the various operations teams and within our team as well.
I am not sure if that box was rebuilt and came for pen-test again. Maybe the project made sure it does not come back to me …
