SANS ISC: Doing an audit/pentest or other assessment? Here is part of the report for you. - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Audit, Security Assessments, Penetration testing and its little sister vulnerability scanning are useful tools to get an idea of the weaknesses in your network.  It is important enough for standards such as PCI-DSS, ISO/IEC 27001, SOX and others to insist on it and many governments around the world insist on it for their agencies.  So we’ll give people a hand and help you the report.

How can we do that?  Easily, we are all individuals, but we all are red inside, have a head, arms, legs, fingers and toes, although the numbers may vary.  Likewise, networks have firewalls, routers, switches, servers, desktops, networking staff and let us not forget users.  So not surprisingly, the issues you come across when doing assessments are remarkably similar from organisation to organisation.  The degree of the issue may vary, but you will find many of them every organisation. 

Why is that?  Hands up those of you who love documentation and can honestly say yours is all up to date and accurate?  Hands up those of you who have all the staff you need, the budget, senior management support, Oh and no users, if you have all of this, then well done.  For the rest of us the world is not quite that rosy, which is why every network has security issues and many of them are the same for everyone.

No doubt  for some of these your response will be, “well duh”, but you’d be surprised how many organisations have these issues.   So let us start the report. 

• Fill company name in here does not have an effective patching process in place.  The servers examined require numerous patches, some going back as far as 2000.  Workstations likewise require patching to be brought up to date.
• Servers are not hardened or the SOE is not being enforced,
• A number of test/training/generic accounts exist with weak passwords such as the account name, password, day of the week, .... Access provided to these accounts is permissive and provides access to confidential information.
• The SA account on the MSSQL server has a blank/weak password allowing the creation of domain administrator accounts (game over).
• Internet facing servers are running vulnerable versions of web/ftp/OS software.
• LDAP/Edirectory/AD allows anonymous queries
• Network devices are managed using telnet
• Default SNMP community strings are used disclosing server/switch/router information
• Policies do not exist or are inconsistently/not enforced
• Procedures are not documented
• Logs are not monitored or irregularly monitored
• Internet facing applications are susceptible to XSS/SQL Injection  attacks.
• Email header leak internal ip addresses and names.

That will do from me for now.  All of the above we see over and over and over again.  If you have some to add let me know, ideally you’ve seen them in a number of organisations and they are on the "why don't they just fix it list".

Cheers

Mark H - Shearwater