Tuesday, July 29, 2008

Black Hat, Defcon, the basics

So we are finally approaching the BH/Defcon weeks, when all the new stuff is presented to the security world and the sky starts to fall once more. I'm not going to Vegas this year (I'd love to), but as I came back to work on vulnerability assessments and penetration testing I noticed the main issue is still linked to the basics.

There are so many low-hanging fruits that someone who is completely unaware of the vulnerabilities and attack techniques of the past 5 years will still be able to do a lot of bad stuff on a 'vanilla' corporate network.

Ask yourself these 5 questions. If you can't say yes to all of them, don't sign the check for that new-miracle-black-box you are buying and do your homework to fix the basics:

  • Can you promptly identify someone guessing passwords for administrative accounts on all your servers?

  • Can you say for sure that there are no weak passwords for all administrative accounts on all your servers?

  • Can you say for sure that you don't have a user/password on a test box that also exists on a production server?

  • Can you say for sure that there are no shared folders on your servers with sensitive information and weak permissions settings?

  • Do you know who knows the password for (and uses) the root or Administrator account?

Maybe after that you can start thinking about some cool stuff from Black Hat :-)
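The first question is the one that can be answered with logs you almost certainly already have. Here is an added example (not part of the original post) showing the kind of check it implies: a small sliding-window detector that reads OpenSSH-style auth log lines, keeps only events for privileged accounts, and raises an alert when one source racks up repeated failures against an administrative account, plus a higher-severity alert when a success follows such a burst. The log lines, the host names, the addresses and the `ADMIN_ACCOUNTS` set are constructed for the example; the threshold and window are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log in OpenSSH/syslog format (not from any real system).
# 192.0.2.10 fails five times against root on web01 and then gets in;
# 198.51.100.7 makes two tries against "admin" on db01; jsmith is not privileged.
SAMPLE_AUTH_LOG = """\
Jul 29 08:00:01 web01 sshd[2310]: Failed password for root from 192.0.2.10 port 51022 ssh2
Jul 29 08:00:03 web01 sshd[2310]: Failed password for root from 192.0.2.10 port 51023 ssh2
Jul 29 08:00:04 web01 sshd[2310]: Failed password for root from 192.0.2.10 port 51024 ssh2
Jul 29 08:00:06 web01 sshd[2310]: Failed password for root from 192.0.2.10 port 51025 ssh2
Jul 29 08:00:07 web01 sshd[2310]: Failed password for root from 192.0.2.10 port 51026 ssh2
Jul 29 08:00:09 web01 sshd[2310]: Accepted password for root from 192.0.2.10 port 51027 ssh2
Jul 29 08:01:10 db01 sshd[4411]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jul 29 08:01:12 db01 sshd[4411]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul 29 08:15:00 db01 sshd[4418]: Failed password for jsmith from 10.0.0.20 port 38000 ssh2
Jul 29 08:30:00 db01 sshd[4418]: Failed password for jsmith from 10.0.0.20 port 38001 ssh2
Jul 29 09:00:00 web01 sshd[2400]: Failed password for root from 203.0.113.9 port 5000 ssh2
"""

# Assumption: the privileged account names you care about. Extend with your own.
ADMIN_ACCOUNTS = {"root", "administrator", "admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2008):
    """Parse one sshd auth line into a dict, or return None for lines we don't handle.
    syslog timestamps carry no year, so the caller supplies one (assumed 2008 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"].lower(), "src": m["src"]}


def detect_admin_guessing(lines, threshold=5, window_seconds=60,
                          admin_accounts=ADMIN_ACCOUNTS):
    """Return a list of alerts.

    An 'admin_password_guessing' alert fires once per (host, account, source) when
    at least `threshold` failures land inside `window_seconds`. A
    'success_after_guessing' alert fires when an accepted login from the same
    source follows such a burst, which is the case that needs a human right away.
    """
    recent = defaultdict(deque)   # (host, user, src) -> timestamps of recent failures
    already_alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in admin_accounts:
            continue  # unparsable line or a non-privileged account: out of scope here
        key = (ev["host"], ev["user"], ev["src"])
        q = recent[key]
        # Slide the window: forget failures older than window_seconds.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in already_alerted:
                already_alerted.add(key)
                alerts.append({"type": "admin_password_guessing", "host": ev["host"],
                               "user": ev["user"], "src": ev["src"],
                               "failures": len(q), "at": ev["ts"]})
        else:  # Accepted
            if len(q) >= threshold:
                alerts.append({"type": "success_after_guessing", "host": ev["host"],
                               "user": ev["user"], "src": ev["src"],
                               "failures": len(q), "at": ev["ts"]})
            q.clear()  # a successful login ends the burst for this key
    return alerts


def run_on_sample():
    """Run the detector over the constructed log; used by the demo below."""
    return detect_admin_guessing(SAMPLE_AUTH_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_on_sample():
        print(f"{alert['at']} {alert['type']}: {alert['failures']} failures for "
              f"{alert['user']}@{alert['host']} from {alert['src']}")
```

Run against the sample, it produces exactly two alerts, both for root on web01 from 192.0.2.10: the guessing burst, then the success that followed it. The two tries against `admin` on db01 stay below the threshold and the `jsmith` failures are ignored because that account is not in the privileged set, which is the point of scoping the rule to administrative accounts first: low volume, high signal. The same structure works for Windows security events (4625 followed by 4624 for the same account and source) once the parser is swapped.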
