![ISACA VA Chapter
Wouldn‟t it be really
annoying if all your printers
suddenly asked users to
deposit $0.25 before printing?
You don‟t even need a tool:
prompt> telnet 192.168.1.2 9100
@PJL RDYMSG DISPLAY=“foo”
^]quit
02/24/12 Auditing the Overlooked 16](https://image.slidesharecdn.com/infrastructureauditing-13309642952167-phpapp01-120305101955-phpapp01/85/Infrastructure-Auditing-16-320.jpg)
Infrastructure Auditing
- 1. ISACA VA Chapter Auditing Your Infrastructure Presented By: Bryan Miller Syrinx Technologies
- 2. ISACA VA Chapter Agenda Speaker Introduction What‟s the Issue? Why Bother? Real World Examples So How Do We Fix Things? Summary Q&A 02/24/12 Auditing the Overlooked 2
- 3. ISACA VA Chapter Speaker Introduction B.S., M.S. – VCU Adjunct Faculty Member in IS and CS @ VCU CISSP, former Cisco CCIE VA SCAN, VCU FTEMS presenter ISSA InfraGard member Published author with over 25 years in the industry President, Syrinx Technologies - 2007 02/24/12 Auditing the Overlooked 3
- 4. ISACA VA Chapter What‟s the Issue? 02/24/12 Auditing the Overlooked 4
- 5. ISACA VA Chapter Potential Areas of Compromise Printers/Scanners/Copiers CCTV/NetDVR/Cameras Alarm Systems Fire Suppression Systems Videoconference Systems UPS KVM Industrial/Machine Control 02/24/12 Auditing the Overlooked 5
- 6. ISACA VA Chapter Recently in the news: Feeds from thousands of Trendnet home security cameras have been breached, allowing any web user to access live footage without needing a password. BBC News Technology, Feb. 6, 2012 NY Times Article discusses the issue of video conferencing systems that are vulnerable to compromise. NY Times online, Jan. 12, 2012 02/24/12 Auditing the Overlooked 6
- 7. ISACA VA Chapter Using Shodan, a quick search revealed “lots” of possibly vulnerable cameras. Using the URL shown, we bypassed all authentication. 02/24/12 Auditing the Overlooked 7
- 8. ISACA VA Chapter 02/24/12 Auditing the Overlooked 8
- 9. ISACA VA Chapter Notable Points Commercial Printers Accountable for Identity Theft Protection Under FTC Enforcement of FACTA 'Red Flag Rules„ – www.send2press.com, 4/10/09 Electric Utilities Investing $4.1 Billion by 2018 to Secure Smart Grids – eWeek.com, 8/25/11 State of SCADA Security Worries Researchers – eWeek.com, 2/5/12 02/24/12 Auditing the Overlooked 9
- 10. ISACA VA Chapter CBS News report by Armen Keteyian on the issues involved with data stored on printers. April 20, 2010 02/24/12 Auditing the Overlooked 10
- 11. ISACA VA Chapter 28th Chaos Computing Congress Presentation It could be possible to discover what movies you watch by their power signature. Can you say Shazam? 02/24/12 Auditing the Overlooked 11
- 12. ISACA VA Chapter STUXNET: -Spread by USB sticks -Attacks PCs that control Siemens PLCs -MS SQL password is released Stuxnet is now an “open source weapon” that can be downloaded and improved upon. 02/24/12 Auditing the Overlooked 12
- 13. ISACA VA Chapter And the often forgotten….DUQU Shares a code base with STUXNET Signed using stolen digital certificates from the same Japanese company as STUXNET DUQU appears to be an intelligence gathering agent while STUXNET just wants to do physical damage Perhaps DUQU is gathering information for the next generation of STUXNET…. 02/24/12 Auditing the Overlooked 13
- 14. ISACA VA Chapter Why Bother? 02/24/12 Auditing the Overlooked 14
- 15. ISACA VA Chapter Every device on your network can possibly be leveraged to mount an attack. New issues are making the news every week. These devices can be configured correctly during initial installation and remove the risk. You have enough to worry about with the complex issues. 02/24/12 Auditing the Overlooked 15
- 16. ISACA VA Chapter Wouldn‟t it be really annoying if all your printers suddenly asked users to deposit $0.25 before printing? You don‟t even need a tool: prompt> telnet 192.168.1.2 9100 @PJL RDYMSG DISPLAY=“foo” ^]quit 02/24/12 Auditing the Overlooked 16
- 17. ISACA VA Chapter A True Story… 02/24/12 Auditing the Overlooked 17
- 18. ISACA VA Chapter Real World Examples 02/24/12 Auditing the Overlooked 18
- 19. ISACA VA Chapter Console Screen to Fire Suppression System. Downloaded manual from the Internet. Installation password still valid. 02/24/12 Auditing the Overlooked 19
- 20. ISACA VA Chapter Building HVAC controls. Downloaded manual from the Internet. Admin password was valid. 02/24/12 Auditing the Overlooked 20
- 21. ISACA VA Chapter Time clock system. No credentials required for admin access. 02/24/12 Auditing the Overlooked 21
- 22. ISACA VA Chapter HP Integrated Lights Out (ILO) being very helpful in regards to usernames and passwords. 02/24/12 Auditing the Overlooked 22
- 23. ISACA VA Chapter Polycom VSX 7000. Downloaded the manual from the Internet and logged in with default credentials. 02/24/12 Auditing the Overlooked 23
- 24. ISACA VA Chapter No credentials….the Directory was loaded with interesting destinations. 02/24/12 Auditing the Overlooked 24
- 25. ISACA VA Chapter Dymo LabelWriter Print Server. Logged in with default credentials from manual downloaded from the Internet. 02/24/12 Auditing the Overlooked 25
- 26. ISACA VA Chapter Belkin Remote IP-based KVM. Logged in with default credentials. 02/24/12 Auditing the Overlooked 26
- 27. ISACA VA Chapter APC Smart-UPS 8000 XL web interface. Logged in with default credentials from manual. Notice the ability to turn off the UPS, reboot it or put it to sleep. 02/24/12 Auditing the Overlooked 27
- 28. ISACA VA Chapter Intermec RFID reader. Logged in with default credentials from manual. 02/24/12 Auditing the Overlooked 28
- 29. ISACA VA Chapter BlueTree Modems. Often used as Remote Terminal Units (RTU) in SCADA applications. 02/24/12 Auditing the Overlooked 29
- 30. ISACA VA Chapter Cisco Wireless camera. The Earth replaced the actual image of the room. No credentials required for access. 02/24/12 Auditing the Overlooked 30
- 31. ISACA VA Chapter So How Do We Fix Things? 02/24/12 Auditing the Overlooked 31
- 32. ISACA VA Chapter Start by recognizing that ALL network devices can be used by an attacker. If it has an IP address and some method of storage, it can probably be used by somebody to do something bad. Develop build lists for all devices, not just servers and desktops. Turn off unused access methods such as HTTP, HTTPS, Telnet, FTP, SNMP. Be careful with TCP port 9100! Where possible, control this port with a firewall. 02/24/12 Auditing the Overlooked 32
- 33. ISACA VA Chapter Ensure that all default login credentials are changed BEFORE connecting the device. Never leave a device connected to your network with blank passwords. Remember, it only takes the bad guys a few minutes to download the manual from the Internet. Routinely test all infrastructure devices for compliance with all applicable policies. Do this on a quarterly basis to catch the low-hanging fruit. 02/24/12 Auditing the Overlooked 33
- 34. ISACA VA Chapter Include the Facilities Management/Physical Security groups in the overall security and systems management process. Help these non-IT groups develop build lists for devices that connect to the corporate networks. Offer to include their devices in the network scans and penetration tests. 02/24/12 Auditing the Overlooked 34
- 35. ISACA VA Chapter Summary 02/24/12 Auditing the Overlooked 35
- 36. ISACA VA Chapter The issues discussed in this presentation are real and they‟re not going away. They don‟t get a lot of attention but they create opportunities for massive data breaches. More research into applicable controls is needed to help reduce the risk. We need to push vendors to build in more security controls and disable “features” by default. 02/24/12 Auditing the Overlooked 36
- 37. ISACA VA Chapter Q&A 02/24/12 Auditing the Overlooked 37