Businesses accepting small security risks may be leaving the door open to hackers who have realised that chaining small vulnerabilities together represents an easy way to destroy companies, according to researchers from Securus Global.
In a private industry briefing this week, a pair of security researchers, who wished to remain anonymous, demonstrated how a number of organisations it had previously worked with had fallen into the trap of considering threats to their business in isolation.
The researchers stated that organisations tended to look at vulnerabilities separate from other vulnerabilities, when the real issue was how these could be used in conjunction with each other to become potentially more dangerous.
They said that automated tools like Nessus, which compares target computers against a known database of exploits and provide a risk assessment on any found, don't take into consideration that a hacker will exploit one hole in an organisation's system and then search for more using any additional access gained from the first hole.
The two researchers ran through a number of case studies including one very large cloud provider.
The provider had been running a Java web server with root permissions. Combined with the server being misconfigured to allow directories to be viewed, a hacker was able to navigate to the system's shadow password file — a list of system users and their hashed passwords — and determine the passwords after cracking them.
As the system did not check remote users logging in via SSH against a whitelist, the hacker was then able to log in, gain access to the virtual machine host and compromise all hosted systems.
In another case, due to a lack of security training for users, an employee kept their log-in details in a Word document that became indexed by Google. Using these credentials, hackers were able to log in to the organisation's Microsoft SharePoint deployment. Logged-in users were able to upload HTML files, which by themselves can't be used to compromise systems, but can be used to compromise users through a phishing scheme.
After setting up a phishing page to request usernames and passwords, the hackers sent emails to staff, directing them to what appeared to be an internal web form that would actually send details on to the hackers. One user was reported to have attempted to make about 30 attempts to log in to the web form using different passwords, giving hackers more passwords to try on the company's system or on other sites.
The researchers said a common excuse organisations offered was that in order to exploit a second more dangerous vulnerability, hackers would first have to exploit a first, often obscure hole, lowering the total risk. However, the researchers said that organisations should think with the worst-case scenario in mind.
The researchers also advised against immediately fixing the identified security holes in testing environments, stating that closing those may simply hide the more dangerous vulnerabilities that could be exploited. They recommended taking the same line of thinking as a would-be hacker and using the exploit as an opportunity to look for further vulnerabilities that could be exploited.
They also stated that while automated tools like Nessus could be useful, administrators shouldn't put their trust in them and instead look at the big picture. They said that perhaps in 10 years, automated systems could examine the risk of chained vulnerabilities, but until then, administrators and penetration testers needed to get better at doing their jobs first.