
Cybersecurity

Cybersecurity Transformation Roadmap Checklist

November 21, 2023 By Craig Hays

Reading Time: 5 minutes

Intro paragraph

Cybersecurity Transformation – Level 1

Setup

☐ Get buy-in from the top
☐ Assemble cybersecurity team

Asset Management

☐ Create an asset register
    ☐ All devices owned or used by the organisation
    ☐ All identity providers used across the organisation
    ☐ All user accounts and their levels of privilege
    ☐ All IP addresses in use by the organisation
        ☐ Internal IPs and ranges
        ☐ External IPs and ranges
    ☐ All DNS records managed by the organisation
        ☐ Internal DNS
        ☐ External DNS
    ☐ All data owned by the organisation
        ☐ Identify which data is personal
        ☐ Identify which data is commercially/operationally sensitive
        ☐ Identify which data is public/non-sensitive
☐ Create a service catalogue for all services/systems used by the organisation
☐ Define the criticality of each service/system based on its importance to the primary objectives of the organisation
    ☐ Things you can’t live without for more than a few minutes – mission-critical
    ☐ Things you can’t live without for more than a day – mission-support
    ☐ Things you can live without for weeks or months at a time – administrative
☐ Define a security classification for each system/service based on the impact of:
    ☐ Loss of Confidentiality of its data
    ☐ Loss of Integrity of its data
    ☐ Loss of Availability of its data
☐ Map all components of each service/system to define a complete list of:
    ☐ All servers that make up the service/system
    ☐ All identity providers that provide authentication
    ☐ All user accounts that can access the system and their level of privilege
    ☐ All IP addresses used by the service/system
    ☐ All DNS records related to the service/system
    ☐ All data stored or processed by the service/system
    ☐ All of the above split down by operating environment, e.g. Production, DR, Test, Development, etc.

Hardening the Network Perimeter

☐ Set up vulnerability scanner(s) on the external network
☐ Set up vulnerability scanner(s) on internal networks
☐ Implement a process to continuously update the asset register based on output from vulnerability scanner asset discovery
☐ Block access to anything visible from the internet that isn’t required for the primary objectives of the organisation
    ☐ Admin portals
    ☐ Remote administration tools
    ☐ Configuration pages
    ☐ Internal-only stuff
    ☐ Unused ports
    ☐ Unused IP addresses
    ☐ Open ports that aren’t used by genuine end-users of the service/system, e.g. only allow TCP ports 80 and 443 on web servers and block everything else
☐ Enforce Multi-Factor Authentication for all authentications from the internet
    ☐ Staff VPNs
    ☐ Admin VPNs
    ☐ Internal/third-party remote support access (VPN, Citrix, Azure Virtual Desktop, etc.)
    ☐ Cloud-delivered services, e.g. Office 365, Azure portal, Google Workspace, etc.
    ☐ On-premises applications exposed to the internet
☐ Enforce secure Multi-Factor Authentication registration by requiring MFA, a trusted IP address (fixed organisation external IP), or a one-time token created during the ‘new user’ onboarding process
☐ Fully patch everything visible from the internet
☐ Implement a process to patch everything visible from the internet, every day


Hardening Identities

For each identity provider (including in-system identity providers):
☐ Disable unused user accounts (not logged in for 60 days)
☐ Disable unused device accounts (not logged in for 60 days)
☐ Disable unused service accounts (not logged in for 60 days)
☐ Delete unused user accounts (not logged in for 90 days)
☐ Delete unused device accounts (not logged in for 90 days)
☐ Delete unused service accounts (not logged in for 90 days)
☐ Identify user accounts shared across multiple people
☐ Migrate shared user accounts to single users and delete shared accounts
☐ Add an EmployeeID field for all user accounts and populate it with the account owner’s Employee ID from your HR system
☐ Identify any users not registered/configured for MFA and block their access from the internet (untrusted IP addresses) if services using the identity provider can be accessed from the internet
☐ Set up a banned password/passphrase dictionary that rejects password changes where 60% or more of the password is found in common password lists, or in words or phrases related to your organisation, its locations, its products, seasons, months of the year, days of the week, years in numerical format, or anything like changeme, welcome, etc.
☐ Identify critical service / autologin / terminal device user accounts that are used on more than one computer at a time (e.g. POS machines)
☐ Migrate critical service / autologin / terminal device user accounts to one account per device (this reduces the impact when you need to force a password change in future)

☐ Create and execute a process daily to identify anyone who has left the organisation and disable and delete their user accounts from every identity provider by linking it through the EmployeeID field
☐ Set up a robust joiners, movers, and leavers process to reduce the number of exceptions identified by the daily cleanup process
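An added example, not code from the original checklist, of the banned-password rule above (reject a change when 60% or more of the password is made up of banned material). The dictionary is constructed and tiny; the organisation terms (“company”, “widgetco”, “london”) are hypothetical, and the one-character substitution map is an assumption about how users disguise banned words.

```python
import re

# Constructed banned dictionary for the example; a real deployment would load
# full common-password lists plus the organisation's own names, locations and products.
COMMON_PASSWORDS = {"password", "changeme", "welcome", "letmein", "qwerty", "123456"}
ORG_TERMS = {"company", "widgetco", "london"}  # hypothetical organisation, product, location
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
BANNED_TERMS = COMMON_PASSWORDS | ORG_TERMS | MONTHS | SEASONS | DAYS

YEAR_RE = re.compile(r"(?:19|20)\d{2}")  # years in numerical format
THRESHOLD = 0.6                           # the checklist's "60% or more" rule

# Assumed substitutions users make to disguise banned words (0 for o, 4 for a, ...).
# Each maps one character to one character, so string positions are preserved.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _mark_term(covered, haystack, term):
    """Mark every character position where `term` occurs in `haystack`."""
    start = 0
    while (idx := haystack.find(term, start)) != -1:
        for i in range(idx, idx + len(term)):
            covered[i] = True
        start = idx + 1


def banned_coverage(password):
    """Fraction of the password's characters that belong to a banned term or a year."""
    if not password:
        return 1.0
    raw = password.lower()
    norm = raw.translate(LEET)
    covered = [False] * len(raw)
    for term in BANNED_TERMS:
        _mark_term(covered, raw, term)   # literal match, e.g. "welcome1"
        _mark_term(covered, norm, term)  # disguised match, e.g. "C0mp4ny"
    for m in YEAR_RE.finditer(raw):      # years are digits, so match the raw form
        for i in range(m.start(), m.end()):
            covered[i] = True
    return sum(covered) / len(raw)


def is_acceptable(password):
    """True when less than 60% of the password is made of banned material."""
    return banned_coverage(password) < THRESHOLD
```

Coverage is measured as the union of every banned hit, so “Summer2023!” is rejected because the season and the year together cover ten of its eleven characters.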

Privileged Access Management

For all Windows end-user devices (PCs, laptops, Surface tablets, etc.):
☐ Set up LAPS to manage the built-in administrator password
☐ Remove all other users from the local administrators group – document any exceptions for later
☐ Implement Role Based Access Control for accessing LAPS-managed passwords
☐ Enforce MFA before anyone can view LAPS-managed passwords
☐ Enforce a rate limit on the number of LAPS-managed passwords a person can view in an hour/day

Secure Your Infrastructure

☐ Implement and enforce a secure DNS resolver service to automatically block known-bad domains
☐ Block all outbound traffic to the internet by default and only permit specific types of traffic (web browsing, voice, etc.) to specific locations wherever possible
    ☐ Domain/organisation network edges
    ☐ Host-based firewall on end-user devices (public/guest/private networks)
    ☐ Host-based firewall on end-user devices (domain/organisation networks)
☐ Implement a web security gateway with HTTPS decryption for all end-user web browsing and block:
    ☐ All uncategorised websites
    ☐ All newly registered websites
    ☐ All known malicious/harmful websites
    ☐ All lookalike domain websites
    ☐ All websites with categories that have no business or limited personal use purpose within your organisation (gambling, pornography, hate, self-harm, etc.)
    ☐ All web traffic trying to bypass the secure web gateway unless it’s an approved direct-access service such as Office 365, Zoom, Google Workspace, etc.
☐ Block removable storage devices – document all per-user exceptions for later
☐ Fully patch all internal device operating systems
☐ Fully patch all internal device application runtime frameworks (.NET, Java, etc.)
☐ Fully patch all internal device applications
☐ Define SLAs for routine patching, e.g. Critical within 24 hours, everything else within 30 days of release
☐ Implement a regular patching process to patch all vulnerabilities within SLA
☐ Implement a process to discover all software installed on all devices and update the inventory at least daily
☐ Remove all software from all devices that isn’t required
☐ Create a software inventory/catalogue of all remaining, authorised software
☐ Review the license requirements of all software in the software catalogue
☐ Acquire licenses for any shortfalls / remove unlicensed software from the environment


Protect Email Users

☐ Implement SPF and DKIM protection policies to drop spoofed and tampered emails
☐ Block spam/bulk mail
☐ Implement attachment sandbox execution and malware/phishing detection
☐ Implement link sandbox execution and malware/phishing detection

Cybersecurity Transformation – Level 2

Privileged Access Management

For all Windows end-user devices (PCs, laptops, Surface tablets, etc.):
☐ Implement Restricted Groups or similar tools to prevent unauthorised users from being added to local administrators, remote desktop users, etc.

Protect Email Users

☐ Implement and enforce DMARC protection on all inbound email from outside your organisation
☐ Implement browser isolation sandboxing on all links in inbound email from outside your organisation – document exceptions from trusted senders


Why You Should Never Trust a Free Proxy Server

November 6, 2020 By Craig Hays

Reading Time: 6 minutes

Free and open proxy servers promise anonymous internet access, but at what cost?

Never trust an open proxy server
Photo by Mikael Seegen on Unsplash

In a world of ever-decreasing online privacy, it’s easy to get sucked into the ‘use an anonymous proxy to stay safe’ narrative. I’ve got nothing against using reputable proxy services or VPNs (virtual private networks), but the ‘free’ proxy services you find on the web can be anything but.

What’s the Difference Between a Proxy and a VPN?

People use proxies and VPNs (Virtual Private Networks) to hide their real IP address and masquerade as other devices on the internet. There are many reasons to do this including bypassing content geo-restrictions, bypassing government filters (Great Firewall of China), bypassing censorship enforced by your Internet Service Provider (ISP), and hiding your real identity from others online.

Your standard internet connection gives you direct access to everything on the internet. Web pages, Skype and Zoom calls, online gaming, it all goes straight from your device to the final destination. To everyone else on the internet, you are you. Your access is limited to what your ISP and government will let you see. All of your traffic is from the country in which you reside.

A virtual private network (VPN) wraps all of your online activity in an encrypted envelope and sends it to another server, your VPN server. This server then unwraps it and sends it to where you wanted it to go. To everyone else on the internet, you are the VPN server, not the real you. Depending on the location of your VPN server, you will be able to bypass some or all of the restrictions described earlier.

A web proxy receives requests for web pages from your device and fetches those pages on your behalf. All other communication remains direct from your device to the destination servers and back. To all web servers on the internet, you are the proxy server. To everything else, you are you. This has a similar effect to a VPN but only for web browsing.

VPN vs web proxy
Standard access vs. VPN access vs. web proxy access

In summary, a VPN moves your visible internet connection from your device to a remote server. A proxy server fetches web content on your behalf but you still appear as your device to anything non-web related.

Free vs. Paid Proxies and VPNs

When you pay for a VPN or web proxy you can expect a minimum level of service in exchange for your money. That minimum level covers things like:

  • High-availability of access
  • Good transfer speeds
  • Untampered data transfers
  • No logs stored anywhere of what you do (optional for anonymous VPNs/Proxies)

They make money because you pay them. Therefore, they are incentivised to give a good service to keep you coming back for more.

Free VPNs and proxies, on the other hand, don’t make money directly from you. Sure, some of these services offer a ‘free tier’ where they give you a few GB of transfer for free each month. They make a profit when you upgrade to the paid version. These are freemium services with limited trials that entice you to upgrade and pay. When I talk about free proxies and VPNs I don’t mean limited-use free trials.

A ‘free’ service is one that never asks you for money, ever. When you look at these services, you must ask yourself, “why do these exist?” People generally don’t run free VPNs and open proxies for the good of humanity. When you consume these services they’re likely to be using you in some way.

As the saying goes, “if you’re not the customer, you’re the product.”

Finding ‘Free’ Open Web Proxies

A quick search on Google for ‘open web proxies’ or ‘anonymous web proxies’ returns thousands of results with links to websites listing proxy servers that anyone can use without paying a penny.

Open proxy server list from a Google search

The above is a screenshot of one of these lists. Each list contains lots of server IP addresses and ports. Anyone can configure their web browser to use any of these free, open proxies to proxy all of their web traffic to the internet. None of these servers come with any guarantees and there’s no indication of who is operating them. Many of them are in countries with very lax cybersecurity laws.

Proxy directories maintain their lists by brute-force scanning the internet for open proxies and accepting user submissions by random members of the public. There is no quality control, no peer review capability, and no oversight in any way. This means people like me can set up our own malicious ‘anonymous’ proxy servers and, within a few minutes, have strangers on the internet sending us all sorts of things.

So what can we do to the users of open proxies?

Data Loss Through an Open Proxy

If you use a proxy server for browsing the web, anything you send or receive that isn’t encrypted (anything in plain text) can be read by the owner of the proxy service. When your communications are encrypted, the attacker can spoof messages from the target server and force you to downgrade your encryption to a crackable level. When this happens, the server can crack the encryption and read your messages without you ever knowing about it. You or your company IT team can configure your devices to prevent this, but how many actually do it?

Failing that, any content you download that isn’t encrypted can be altered to change all links to secure HTTPS sites to the insecure, plain-text HTTP version. You may not even notice that your browser is no longer asking for encrypted versions of sites as it usually would.

This probably isn’t something you need to worry about with a legitimate service, but that random, open proxy server you found on the internet?…

Data Tampering and Content Injection by the Proxy

When data is unencrypted (plain-text), malicious proxies can do more than read what you’re talking about. They can actively contribute to the conversation.

Imagine what would happen if you received a quote for a service and the proxy server you were browsing through changed the bank details of the intended recipient to their own? What if they blocked your content altogether? What if they corrupted it so that it couldn’t be trusted? All of these things are possible when you’re using an untrusted machine-in-the-middle of your comms.

Something else which is possible is ad-fraud. The proxy owner changes any advertising content requests sent by your browser for their own ads. The subtlety of this may vary and you may not even notice it happening. When it does, the legitimate owner of a site loses the revenue you would have generated for them. For many site owners, advertising revenue is what keeps them online.

One of the scariest things I’ve seen with open proxies is the injection of malicious JavaScript code into the existing JavaScript of every web page downloaded. Nothing else was changed, it just loaded a small piece of code into your browser every time you opened a new page. This code can access your cookies, make requests on your behalf, and even join a botnet directly from your browser.
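An added example, not from the original post, of how a defender can spot the two tampering techniques described above (rewriting HTTPS links to HTTP, and injecting scripts) by comparing a page fetched directly with the same page fetched through the proxy under test. The two HTML documents and the hostnames (`bank.example`, `ads.proxy-operator.example`) are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

class PageFeatures(HTMLParser):
    """Collects the parts of a page a tampering proxy is most likely to change."""
    def __init__(self):
        super().__init__()
        self.links = set()           # <a href="..."> targets
        self.script_srcs = set()     # <script src="..."> URLs
        self.inline_scripts = set()  # sha256 of each inline <script> body
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(a["href"])
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.add(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.add(hashlib.sha256(data.strip().encode()).hexdigest())

def extract(html):
    parser = PageFeatures()
    parser.feed(html)
    return parser

def diff_pages(direct_html, proxied_html):
    """Return (kind, detail) findings where the proxied copy differs from the direct one."""
    d, p = extract(direct_html), extract(proxied_html)
    findings = []
    for link in sorted(d.links):  # https link replaced by its plain-http twin
        if link.startswith("https://"):
            stripped = "http://" + link[len("https://"):]
            if stripped in p.links and link not in p.links:
                findings.append(("ssl_strip", link))
    for src in sorted(p.script_srcs - d.script_srcs):  # scripts the origin never sent
        findings.append(("injected_script_src", src))
    for digest in sorted(p.inline_scripts - d.inline_scripts):
        findings.append(("injected_inline_script", digest[:16]))
    return findings

# Constructed sample pages: one page fetched directly and the same page through a bad proxy.
DIRECT_HTML = """<html><body><a href="https://bank.example/login">Log in</a>
<a href="https://bank.example/quote.pdf">Your quote</a>
<script src="https://bank.example/app.js"></script><script>var page = 'home';</script>
</body></html>"""
PROXIED_HTML = """<html><body><a href="http://bank.example/login">Log in</a>
<a href="http://bank.example/quote.pdf">Your quote</a>
<script src="https://bank.example/app.js"></script><script>var page = 'home';</script>
<script src="http://ads.proxy-operator.example/track.js"></script>
<script>(function () { /* added by the proxy */ })();</script>
</body></html>"""
```

Calling `diff_pages(DIRECT_HTML, PROXIED_HTML)` reports both stripped links, the extra script source and the extra inline script; an identical pair of pages yields an empty list.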

Hanging Around With a Bad Crowd

Something not often discussed with open proxies is the behaviour of other users. While you might not be committing any crimes via an open proxy, that doesn’t stop others from doing it beside you. If someone commits a crime and the ‘anonymous’ proxy server is confiscated and reveals its not-so-deleted logs, your IP address and traffic history are going to be right there with the criminals. For pretty much every scenario I can think of, I wouldn’t want my name and address linked with that activity.

Summary

Open proxies may look like a good deal, but most of the time, they’re not. If you’re not paying for them you’re most likely to be the product being sold. Stick with paid and legitimate services to stay safe. The prices are relatively low and the ‘free’ versions could cost you more in other ways.

Inside a Real SMS Phishing Attack (Smishing)

February 5, 2020 By Craig Hays

Reading Time: 8 minutes

SMS based phishing attacks (Smishing) are a real threat that we see every day. To help you spot them in future, this is how they work.

The start of an SMS Phish (Smish)

A Phishing/Smishing Attack In Action

At 17:52 pm today I received a text message from my mobile phone network, ‘EE’. I picked up the message at 18:08. This is what it said:

[Read more…] about Inside a Real SMS Phishing Attack (Smishing)

Cracking Active Directory passwords (Password audit part 2)

May 29, 2019 By Craig Hays

Reading Time: 4 minutes

John the Ripper loves cracking Active Directory password hashes and your users love ‘Password1!’

(This is the second of a three-part series on Microsoft Active Directory password quality auditing and password cracking)

Following on from part 1 where we used DS-Internals to do some basic password quality auditing, in this post, we extract all of your password hashes from Active Directory and crack them with John the Ripper.

Cracking passwords with DS-Internals

In the previous post, we covered using DS-Internals to do a password quality audit. We did this by using the PowerShell module to examine account configurations for vulnerabilities and we provided a plain text password dictionary for brute forcing our users’ passwords. While the audit for configuration insecurities is excellent, the literal dictionary of passwords to use for cracking is not the most efficient way to do it. Nor is the output of sufficient quality to be as useful as it could be. This isn’t a criticism of the tool, it just isn’t what the tool specialises in.

When you provide a list of thousands of passwords, including globally well-known passwords and company-specific ones such as ‘Company1’ or ‘C0mp4ny123!’, DS-Internals will only tell you if a user’s password is found in that dictionary. It won’t suggest other similar formats such as ‘Company11111111’ which could also be in use. This is great for identifying users who need to change their passwords to something more secure, provided that you managed to create a comprehensive wordlist on your own, which most of us probably can’t.

A better way to crack Active Directory passwords

DS-Internals is designed to let us overcome this challenge. Built in is an extensive hash export utility that will provide a range of hash table formats. My personal favourite cracking tool is John the Ripper and output support is built right in.

To export all user hashes from AD use the following:

[Read more…] about Cracking Active Directory passwords (Password audit part 2)

Brute force attack your own users (Password audit part 1)

May 29, 2019 By Craig Hays

Reading Time: 6 minutes

The bad guys are already doing it. Here’s why and how you should do it too.

(This is the first of a three-part series on Microsoft Active Directory password quality auditing and password cracking)

If your company has anything exposed to the internet, attackers are already brute force attacking your users’ passwords. All day, every day. There are very few things you can do to stop them. Our best hope is to slow them down as they circumvent every countermeasure we put in place and ensure that users have passwords strong enough to withstand a low-volume brute force attack.

[Read more…] about Brute force attack your own users (Password audit part 1)