November 17, 2022

I Can Pillage Your Castle Without Climbing the Walls - WST

One trend we have noticed in our penetration tests is that gaining a presence on internal networks has become harder over the past few years. Many organizations have implemented good multi-layered defenses to keep out malicious code. Between good spam filtering, behavior-based endpoint security, and executable sandboxing, our engineers' job of getting remote access to end-user workstations has gotten a lot harder!

The bright side for us, and the reason our success rates have remained steady or even gone up a bit, is that we don’t need to get into your network to get your data.

Remote email access, or webmail, continues to be a common place where we find weakness. Rather than try to get users to run a malicious attachment, we simply ask them for their password, often via a fake logon page. With a user's login information and access to webmail (such as Microsoft 365), we have all the information we need. Think about what can be found in a standard user's mailbox: attachments, reports, spreadsheets, and notes with password lists are common. All the information a Bad Guy™ may need, all without setting virtual foot inside your castle.

Remember to look carefully at webmail and other online services where information may reside when reviewing security controls. Here are a few things to consider:

  • Start with your users. Humans can be a weak link, but don't give up on security awareness training. Don't just stick to annual slide shows either; try to remind users throughout the year using different methods. Intranet posts, physical posters, email reminders, etc. can all help keep the message front of mind for your end users. Be creative and keep it fun. Over time, security awareness can become a permanent part of your corporate culture.

  • Make sure all online services are protected by strong multi-factor authentication controls, and train users in how they work. It is not uncommon for us to enter a stolen password and have the user accept the logon push notification they get on their phone.

  • Have good auditing and alerting in place wherever possible. Ideally, you should get alerts for unusual logons and for denied multi-factor logons. This can help you see and respond to problems quickly.

  • Make sure this threat is covered in your cybersecurity audit and testing program. If you are only getting scans or testing done against a list of perimeter IP addresses every year, you may be missing the chance to identify important issues. Ideally, penetration testing should include these types of tactics so you can identify gaps in your existing controls.
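As an added example (not part of the original post), the following Python sketch shows one way to implement the alerting recommendation above over sign-in records: it raises an alert for every denied MFA push, for a burst of denials against one account, and for a successful logon from a country the user has never signed in from before. The record layout, field names and log entries are constructed for this example and do not correspond to a real Microsoft 365 export format.

```python
"""Detection pass over constructed Microsoft 365-style sign-in records.

Flags the conditions the post recommends alerting on: denied MFA prompts
(a user rejecting a push for a logon they did not start) and logons from
a location the user has never signed in from. The record layout and
field names are assumptions for this example, not a real export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log for the example; not real data.
SIGNIN_LOG = [
    {"ts": "2022-11-16T08:02:00", "user": "alice", "country": "US", "result": "success"},
    {"ts": "2022-11-16T08:05:00", "user": "bob",   "country": "US", "result": "success"},
    {"ts": "2022-11-16T22:14:00", "user": "alice", "country": "RO", "result": "mfa_denied"},
    {"ts": "2022-11-16T22:15:30", "user": "alice", "country": "RO", "result": "mfa_denied"},
    {"ts": "2022-11-16T22:17:00", "user": "alice", "country": "RO", "result": "success"},
    {"ts": "2022-11-17T09:00:00", "user": "bob",   "country": "US", "result": "success"},
]


def parse(rec):
    """Return a copy of the record with its timestamp parsed to a datetime."""
    return dict(rec, ts=datetime.fromisoformat(rec["ts"]))


def detect(log, denial_window=timedelta(minutes=10), denial_threshold=2):
    """Return alert tuples (kind, user, timestamp, detail) in chronological order."""
    alerts = []
    seen_countries = defaultdict(set)  # per-user countries from prior successful logons
    denials = defaultdict(list)        # per-user timestamps of recent denied MFA prompts
    for rec in sorted((parse(r) for r in log), key=lambda r: r["ts"]):
        user, ts, country = rec["user"], rec["ts"], rec["country"]
        if rec["result"] == "mfa_denied":
            # A denied push means the password was already correct: always alert.
            alerts.append(("mfa_denied", user, ts, country))
            denials[user] = [t for t in denials[user] if ts - t <= denial_window] + [ts]
            if len(denials[user]) >= denial_threshold:
                detail = f"{len(denials[user])} denials within {denial_window}"
                alerts.append(("mfa_push_burst", user, ts, detail))
        elif rec["result"] == "success":
            # Only alert once a baseline exists; the very first logon sets it.
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append(("new_country_logon", user, ts, country))
            seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for kind, user, ts, detail in detect(SIGNIN_LOG):
        print(f"{ts.isoformat()} {kind:<18} {user:<8} {detail}")
```

Against the sample log, the two rejected pushes for alice, the burst they form, and the later successful logon from a new country each produce an alert, while bob's routine logons produce none.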

Authored by: Jeremy Johnson, OSCP, CISSP
