Top 10 Audit Findings- Client Side Risks 1.Security Awareness 2.Patch Management 3.OS Hardening / Default Configurations / Build Standards 4.Excessive Privileges 5.Weak Authentication 6.Missing Audit Trails 7.Database Security 8.Web Application Security 9.Over-Disclosure of Information 10.Lack of Network Visibility & Management Vulnerabilities/Threat Areas Common to Client-Side Risk
Assure IT- Client Side Risk Client Side Risk
What are Client-side Vulnerabilities? Client-side vulnerabilities include both software weaknesses and end-user security awareness. To exploit a client-side vulnerability, the computer end-user must open an infected file/document or browse to a malicious webpage. –Occasionally, bugs in software such as MS Outlook’s preview feature could execute code with almost no user interaction. Client-side attacks often trick users into violating corporate security policies. –Targeted phishing attacks often spoof headers and known/trusted source identities. –Policy: Do not open messages or attachments from unknown sources. –Policy: Do not browse non-business related websites. –Policy: Do not install unapproved software on business machines. Client-side attacks may bypass many technical controls including anti-malware software, firewalls and intrusion prevention systems.
Outcomes of Client-side Attacks Like network-based attacks, client-side attacks often result in the compromise of computing systems. It is possible for attackers to execute arbitrary code during exploitation. Because client-software is being attacked, malicious code will execute in the context of the exploited software. –Most client software runs with the same privilege as the user who launched the software. Do your users have local administrator privileges? If so, the attacker’s malicious payload will also run with administrator privileges. –Some client software may run with elevated privileges regardless of the computer user’s privilege. The payload of a client-side attack often opens a command-and-control (C&C) connection back to the attacker. –Or worse, C&C could join a botnet. Any data or system that the compromised end-user has access to, the attacker will also have access to.
Common Client-side Vulnerabilities Internet Browsers –Internet Explorer & Firefox Browser Plugins –ActiveX Controls Adobe Flash, Acrobat PDF Viewer, Quicktime, Realplayer Common Applications –Sun Java Runtime Environment (JRE), Adobe Acrobat and Acrobat Reader, VNC, Microsoft Office (Word, Excel, PPT, etc.), Symantec BackupExec, Thunderbird, WinZip, Windows Media Player, McAfee EPO, etc. –Biggest Risks: Adobe Acrobat Reader and Sun JRE Why? Because they are found on most business machines. Critical vulnerabilities are discovered regularly in each of these applications. Sun’s JRE installer does not remove older (vulnerable) versions automatically. Computer End-Users –The security awareness of your users may be your only defense.
AssureIT- Client-Side Vulnerability Mitigation Minimizing Client Side Risks
1. Security Awareness Policies –Employees should be trained on policies at time of hire –A policy training/refresher should be given annually Procedures Standards Training –Security awareness training should be given to ALL employees annually Require testing to ensure that key concepts are retained –Security administrators should receive certification and information security training regularly
2. Patch Management Operating system patches –Microsoft, Linux, Unix, etc. Legacy Microsoft software may not get patched by Windows Update or WSUS Switches, routers, firewalls, embedded devices Application patches –Common non-Microsoft applications Adobe – Acrobat, Photoshop, etc. Sun Microsystems – Java Runtime Environment (JRE) Web browsers (Opera, Safari, Konqueror, etc.) Commercial off the shelf (COTS) Custom applications –Patch management strategy Weekly, monthly, more?? Patch testing and rollback Out of cycle patches? Zero day?
3. Operating System Hardening Default operating system and application installations are very dangerous –Microsoft Windows 2000, XP, Server, etc. all install many unneeded services –Most security controls are disabled or configured for maximum usability –Cisco routers have vulnerable configurations until hardened Remove and/or rename default accounts and set strong passwords –Windows – change “administrator” username and disable “guest” account Consider adopting an operating system standard/benchmark –Sources: Center for Internet Security (CIS) or National Institute of Standards and Technology (NIST) –Use standards to create a “Gold” build
4. Excessive Privileges Users have local administrator privileges to their workstations –Especially dangerous for uncontrolled laptops that are used outside of a financial institution’s networks File shares not protected with access controls Employees with access to banking applications and/or GLBA data also have access to and Internet –Administrators need to ask themselves whether or not all employees should be given access to and Internet –Is web browsing secured and filtered by a proxy? Firewall egress should be locked down by strict access control lists
5. Egress Controls Principal of Least Privilege –Only Server or Gateway should be allowed to transmit outbound using SMTP –Dangerous protocols such as HTTP, HTTPS, FTP, SSH, ICMP, DNS, chat, P2P should be tightly restricted or blocked If dangerous protocols are allowed egress to the Internet, the should be monitored Gateways Web Proxy URL Filter Intrusion Prevention System SOCKS Proxy Encrypted protocols can be dangerous SSH, HTTPS Botnet C&C over valid HTTP/HTTPS posts and requests