After an initial penetration test, we give our clients a report and walk through the results with them, because it is crucial that they understand clearly what they need to fix and why. But often, when we circle back for remediation testing, certain issues remain unaddressed.
These are rarely simple things like applying Microsoft patches. They are generally more complex problems that standard vulnerability patch management can't solve, such as end-of-life software or hardware that no longer receives updates at all.
In these scenarios, our clients sometimes wonder, “How do I deal with that?” We often step in and offer advice on how to optimally manage the vulnerability given the specific circumstances.
Example 1: Resolving Unpatchable Vulnerabilities
For example, we recently helped a client with more than 50 security cameras in their environment. Many of these “little computers” were running outdated firmware with exploitable (and unpatchable) vulnerabilities. In short: 50-plus footholds from which an attacker could get onto the network and launch further attacks.
We often say, “Just because you can’t patch it doesn’t mean you can’t remediate it,” or at least greatly reduce the risk. One of the first questions to ask is whether a device needs to be reachable from the entire network. If not, a small change to the network design can ensure that only the machines and people that need access have it. In this case, we recommended they put the cameras on their own VLAN and set firewall rules at the VLAN boundary so that only the DVR server and the security front desk can reach the cameras. Since a compromised camera is mainly useful to an attacker as a launch point, the same rules should also stop the cameras from initiating connections to anything else on the network or the Internet.
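As an added illustration of that segmentation policy (this is example code written for this article, not the client's actual ruleset or anything from the original post), the block below models the inter-VLAN firewall as an ordered, first-match rule list, evaluates some constructed flows against it, and renders the same policy as iptables FORWARD-chain commands. Every address, VLAN range and port is an assumption chosen for illustration (cameras on 10.20.0.0/24, DVR at 10.10.5.10, front desk at 10.10.7.20, RTSP on TCP/554, camera API on TCP/80, web UI on TCP/443). Only the initiating direction of each flow is modelled; a stateful firewall admits the return traffic via connection tracking.

```python
"""Inter-VLAN firewall policy for a camera segment (illustrative model).

Added example, not the post's own material or a real ruleset. All
addresses and ports are assumptions. Only the initiating direction of a
flow is evaluated; replies are assumed to pass via connection tracking.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed addressing for the example.
CAMERA_VLAN = ip_network("10.20.0.0/24")      # new VLAN holding the cameras
DVR_SERVER = ip_network("10.10.5.10/32")      # DVR that records the streams
SECURITY_DESK = ip_network("10.10.7.20/32")   # front-desk workstation
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]    # "tcp" / "udp", or None for any protocol
    dport: Optional[int]    # destination port, or None for any port
    action: str             # "allow" or "deny"
    comment: str

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))


# First-match order. The two trailing deny rules are what makes the VLAN a
# real boundary: nothing reaches a camera except the DVR and the security
# desk, and a compromised camera cannot initiate connections to anything
# else (no lateral movement, no egress for command and control).
CAMERA_POLICY = [
    Rule(DVR_SERVER, CAMERA_VLAN, "tcp", 554, "allow", "DVR pulls RTSP streams"),
    Rule(DVR_SERVER, CAMERA_VLAN, "tcp", 80, "allow", "DVR uses camera HTTP API"),
    Rule(SECURITY_DESK, CAMERA_VLAN, "tcp", 443, "allow", "front desk uses camera web UI"),
    Rule(CAMERA_VLAN, ANY, None, None, "deny", "cameras initiate nothing"),
    Rule(ANY, CAMERA_VLAN, None, None, "deny", "rest of network cannot reach cameras"),
]


def decide(policy, src: str, dst: str, proto: str, dport: int) -> Rule:
    """Return the first matching rule; flows matching nothing are denied."""
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule
    return Rule(ANY, ANY, None, None, "deny", "implicit default deny")


def is_allowed(policy, src: str, dst: str, proto: str, dport: int) -> bool:
    return decide(policy, src, dst, proto, dport).action == "allow"


def render_iptables(policy) -> list:
    """Translate the policy into iptables FORWARD-chain commands for the
    inter-VLAN router (a vendor ACL would carry the same five rules)."""
    lines = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in policy:
        cmd = f"iptables -A FORWARD -s {r.src} -d {r.dst}"
        if r.proto:
            cmd += f" -p {r.proto}"
            if r.dport is not None:
                cmd += f" --dport {r.dport}"
        target = "ACCEPT" if r.action == "allow" else "DROP"
        lines.append(f"{cmd} -j {target}  # {r.comment}")
    return lines


# Constructed sample flows (not captured traffic) exercising the policy.
SAMPLE_FLOWS = [
    ("10.10.5.10", "10.20.0.17", "tcp", 554),    # DVR -> camera RTSP: allow
    ("10.10.7.20", "10.20.0.17", "tcp", 443),    # desk -> camera web UI: allow
    ("10.10.42.9", "10.20.0.17", "tcp", 443),    # random user -> camera: deny
    ("10.20.0.17", "10.10.3.4", "tcp", 445),     # camera -> file server SMB: deny
    ("10.20.0.17", "203.0.113.5", "tcp", 443),   # camera -> Internet: deny
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        rule = decide(CAMERA_POLICY, *flow)
        print(f"{flow[0]:>12} -> {flow[1]:<12} {flow[2]}/{flow[3]:<4} {rule.action:5} ({rule.comment})")
    print("\n".join(render_iptables(CAMERA_POLICY)))
```

The point to verify after deployment is the last two sample flows: from a camera's address, an SMB connection to a file server and an HTTPS connection to the Internet must both fail, otherwise the VLAN is only a broadcast domain, not a security boundary.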
Example 2: Resolving End-of-Life Vulnerabilities
Another recent pen test client had a major vulnerability: a Windows Server 2003 machine that had been running for years. It held product test data, and the software that managed that data could only run on that specific server, period.
The client was allowing the entire network to reach that highly vulnerable server, which compounded the problem in two ways. First, the system held critical business data. Second, because it was domain-joined, any attacker who compromised it would gain a foothold inside the domain (the machine account plus whatever credentials were cached or in use on the box) from which to attack other systems and data.
Here again, no patch or upgrade was possible because Windows Server 2003 is end-of-life. Nor was segmenting the system behind a firewall, as we recommended for the cameras in the prior example, ideal here, because many users across the network needed to reach the data.
We recommended they shrink the attack surface a different way. The system was essentially just a database server, so we advised disabling every Windows service not needed for that role and installing a host-based firewall/IPS that permits inbound traffic only to the database listener, and only from the subnets where its users sit. There was no need for it to run a web server or expose file shares, for instance; every such listener is one more exploitable path to the box that an attacker on the network can reach.
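To make that "disable everything extraneous" recommendation concrete, here is an added example (written for this article, not the post's own material or anything run on the client's server) that audits what a single-purpose Windows host is listening on. It parses constructed `netstat -ano` and `tasklist /svc` output, classifies every listener as required, loopback-only, or surplus, and derives the inbound host-firewall intent. The only assumptions are that the business-required service is a SQL Server listener on TCP/1433 (the post says only "basically just a database") and that its clients live in 10.10.0.0/16; anything operations genuinely needs, such as RDP for administration, would be added to the required set and likewise restricted by source address.

```python
"""Listener audit for a single-purpose host that cannot be patched.

Added example; the netstat and tasklist text below is constructed, not
captured from a real server. Assumptions: the only required service is
the database listener on TCP/1433 and its clients sit in 10.10.0.0/16.
Every other remotely reachable listener is surplus attack surface.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

# Constructed `netstat -ano` output in the Windows layout.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1512
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    10.10.9.30:1433        10.10.42.9:51022       ESTABLISHED     1512
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING       1600
  UDP    0.0.0.0:1434           *:*                                    1600
  UDP    10.10.9.30:137         *:*                                    4
"""

# Constructed `tasklist /svc` output mapping PIDs to service names.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    748 RpcSs
svchost.exe                   1204 TermService
inetinfo.exe                  1820 IISADMIN, W3SVC
sqlservr.exe                  1512 MSSQLSERVER
sqlbrowser.exe                1600 SQLBrowser
"""

REQUIRED = {("TCP", 1433)}            # assumption: the database listener
CLIENT_SUBNETS = ["10.10.0.0/16"]     # assumption: where the DB users sit


@dataclass
class Finding:
    proto: str
    addr: str
    port: int
    pid: int
    services: str
    verdict: str


def parse_tasklist(text: str) -> Dict[int, Tuple[str, str]]:
    """Map PID -> (image name, service list); header/separator rows don't match."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line.strip())
        if m:
            procs[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return procs


def parse_listeners(text: str) -> List[Tuple[str, str, int, int]]:
    """Return (proto, local address, port, pid) for every socket a remote
    host could talk to: TCP rows in LISTENING state and all UDP rows."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue            # established sessions are not attack surface
            pid = int(parts[4])
        else:
            pid = int(parts[3])     # UDP rows have no State column
        host, port = local.rsplit(":", 1)   # rsplit also copes with [::]:port
        listeners.append((proto, host.strip("[]"), int(port), pid))
    return listeners


def audit(netstat_text: str, tasklist_text: str,
          required: Set[Tuple[str, int]]) -> List[Finding]:
    """Classify each listener: KEEP (required), LOCAL ONLY, or DISABLE."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, addr, port, pid in parse_listeners(netstat_text):
        image, svcs = procs.get(pid, ("?", "?"))
        if (proto, port) in required:
            verdict = "KEEP: business-required; restrict to client subnets at host firewall"
        elif ip_address(addr).is_loopback:
            verdict = "LOCAL ONLY: not reachable remotely; review, lower priority"
        else:
            verdict = "DISABLE: no business need; stop the service or block the port"
        findings.append(Finding(proto, addr, port, pid, f"{image} [{svcs}]", verdict))
    return sorted(findings, key=lambda f: (f.verdict, f.proto, f.port))


def firewall_plan(findings: List[Finding], client_subnets: List[str]) -> List[str]:
    """Vendor-neutral inbound host-firewall intent derived from the audit."""
    plan = [f"allow in {f.proto}/{f.port} from {net}"
            for f in findings if f.verdict.startswith("KEEP")
            for net in client_subnets]
    plan.append("deny in all other traffic")
    return plan


if __name__ == "__main__":
    results = audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE, REQUIRED)
    for f in results:
        print(f"{f.proto} {f.addr}:{f.port:<5} pid={f.pid:<5} {f.services:32} {f.verdict}")
    print("\n".join(firewall_plan(results, CLIENT_SUBNETS)))
```

Run against the constructed data, the audit keeps one listener (TCP/1433), flags the loopback-only SQL Browser port as low priority, and marks IIS, RPC endpoint mapper, SMB, RDP, NetBIOS name service and the UDP SQL Browser listener for removal; the resulting firewall intent is a single allow for the database port from the client subnet and a deny for everything else. Re-running the same audit after the changes is the remediation check.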
Vulnerability Patch Management is Not an End Goal
The end goal of penetration testing is not to be fully up to date on patches. The end goal is to be secure, and for systems that cannot be patched that means removing the exposure instead: restricting who can reach them and what they can reach, and turning off everything they do not need to run.
To identify InfoSec risks in your environment and get expert guidance on the best approach to mitigating what you can’t simply patch, contact Pivot Point Security.