A tale about a network engineer who makes a critical mistake that leaves his company exposed.
The following is a true story. The details have been slightly modified to protect the companies and people involved.
Hello, my name is Max. I was working in Atlanta with a company named “We Secure”. It was a normal day at the office. I was setting up a new security logging server that we had just purchased. It was accessible via a web interface, so for us to access it we would need to create a firewall entry allowing access over http and https. It was a rather straightforward task. All I had to do was drop it into the firewall group called “Internal Websites” and boom, we were in business. This server was highly sensitive because the logs contained a lot of data like usernames and passwords and who knows what else. I didn’t bother putting a password on the website because it was only internally facing. What could possibly go wrong?
From the day that I set up this server it was live and accessible on the internet without even a password. We will call this mistake number 1. Have you ever heard of layered security? This is the first principle I violated, resulting in a very dangerous situation. At this point you may be asking how this system ended up on the internet. It was caused by a case of bad cyber hygiene.
Several months before this event we had disabled a webserver. It was shut down and no longer used. The problem is that no one removed the old firewall rules related to this web server. One of the layers of your security program should be to remove all aspects of a technology’s configuration when it is decommissioned: for instance, removing it from the firewall, DNS servers, user accounts, Active Directory configurations, etc. At this point we have two failures: bad cyber hygiene and lack of password controls.
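The two failures above (a leftover rule for a decommissioned host, and an internet-facing rule reaching an “internal” group) are exactly the kind of thing a periodic cross-check of the firewall rule base against the asset inventory catches. The following is an added example and not the company's tooling or anything from the original story; the rule and asset records, IP addresses, group names and the `Rule`/`Asset` field layout are all constructed assumptions, and any real deployment would populate them from the firewall export and CMDB instead.

```python
"""Cross-check firewall allow rules against an asset inventory.

Flags two hygiene problems from the story:
  * "stale"   - a rule whose destination is decommissioned or unknown
  * "exposed" - a rule whose source is not RFC 1918 space but whose
                destination sits in an "Internal ..." object group
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR permitted by the rule
    dst: str        # destination host IP (assumed single host)
    ports: tuple    # allowed TCP ports
    group: str      # firewall object group the destination belongs to


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    status: str     # "active" or "decommissioned"


# Constructed sample inventory: the retired web server, the new log
# server and an intranet box. Not real hosts.
INVENTORY = [
    Asset("10.20.0.15", "old-web01", "decommissioned"),
    Asset("10.20.0.16", "log-srv01", "active"),
    Asset("10.20.0.40", "intranet01", "active"),
]

# Constructed sample rule base. "internal-web-any" is the mistake from
# the story: any source on the internet reaching an "Internal" group.
RULES = [
    Rule("old-web-inbound", "0.0.0.0/0", "10.20.0.15", (80, 443), "Public Websites"),
    Rule("internal-web-any", "0.0.0.0/0", "10.20.0.16", (80, 443), "Internal Websites"),
    Rule("intranet-lan", "10.0.0.0/8", "10.20.0.40", (80, 443), "Internal Websites"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_source(cidr: str) -> bool:
    """True unless the whole source range lies inside one RFC 1918 block.

    0.0.0.0/0 is deliberately treated as public rather than relying on
    ipaddress.is_private, whose result for 0.0.0.0/0 differs across
    Python versions.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(private) for private in RFC1918)


def audit(rules, inventory):
    """Return (rule name, finding kind, detail) tuples for every problem found."""
    by_ip = {a.ip: a for a in inventory}
    findings = []
    for rule in rules:
        asset = by_ip.get(rule.dst)
        if asset is None:
            findings.append((rule.name, "stale", "destination not in inventory"))
        elif asset.status != "active":
            findings.append((rule.name, "stale", f"destination {asset.hostname} is {asset.status}"))
        if is_public_source(rule.src) and rule.group.lower().startswith("internal"):
            findings.append((rule.name, "exposed",
                             f"source {rule.src} reaches group {rule.group!r} on ports {rule.ports}"))
    return findings


def decommission_rules(rules, ip: str):
    """Rules that must be deleted when the host at `ip` is retired."""
    return [r for r in rules if r.dst == ip]


if __name__ == "__main__":
    for name, kind, detail in audit(RULES, INVENTORY):
        print(f"[{kind.upper():7}] {name}: {detail}")
    print("rules to remove when retiring 10.20.0.15:",
          [r.name for r in decommission_rules(RULES, "10.20.0.15")])
```

Running it lists one STALE finding for the retired web server's rule and one EXPOSED finding for the log server, which is the six-month gap in the story compressed into a check that can run nightly; `decommission_rules` is the firewall half of the removal checklist the paragraph describes.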
There we were, completely exposed without knowing it. How long did it sit out there? Well, it wasn’t found until we performed our annual pentest, so it was probably about 6 months. Pentests were only performed every year since they were so costly to perform at the time. We had also failed to invest in a security scanning solution. This would have at least given us some clue that there was a problem. But even vulnerability scanning wouldn’t necessarily have protected us from this perfect storm.
A product like ShadowKat could have prevented this situation or it could have at least greatly reduced the time of exposure. ShadowKat is our version of attack surface management. It helps you to identify changes to your external attack surface and actively manage your external facing assets.