
Well, thanks everybody for coming. I really appreciate everybody taking the time. Actually, CJ's Security+ or intro to cyber security class at one of the local colleges in Greenville is a mandatory, required class, so students have to come, so I always appreciate it when people choose to come to my activities. I really appreciate the time today. If you have questions, or if you want to chat afterwards, or if you want to get a hold of me, feel free to reach out. Some of the work I do: my day job, actually, is as one of the information security directors at Fluor, and just real quickly, just to kind of set the scene.

So we're one of the larger engineering and construction companies in the world. We're Fortune 152 right now; we've been as high as 110 since I've been there, which is about seven years. My team's primarily responsible for vulnerability management, penetration testing, and also incident detection and response, so we're very defensive and offense, which can be good and bad, and part of the conversation, and industrial controls as well. So this is a power plant. It's actually the largest gas-powered power plant that we have in the Americas right now, that I was at a couple months ago, an industrial control, but a lot of this conversation is really going back to the basics, not only in vulnerability management but how we build that and how we actually see some vulnerabilities the same, whether it can be at Fluor. So we have about 80,000 IP addresses that are live internally, spread out around the world, so we're not as big as some but bigger than most; we have a pretty fairly significant, large test bed, of course, to see a lot of different issues across, so lots of stories that we can talk about as we go along. I won't throw a plug in for BSides Greenville, which will be March 30th, so we'd love to have you guys in the Upstate if you can make it.

But anyways, so this presentation, when I initially started writing it, I was actually sitting at Panera with my girlfriend one day; it's our work date place, right. We're sitting at Panera and I was actually trying to explain to her the main focus of my job, which is finding vulnerabilities and working with different people in IT to get them fixed so we no longer have the issue where it can be attacked or taken advantage of. And while we're sitting there having this conversation, one of the local newscasters came in with a friend and they sat down right next to us, and he started having this conversation with the friend about Brené Brown. Anybody know who Brené Brown is? I hadn't until I heard, I was eavesdropping on this conversation because they were sitting right next to us. So she actually has one of the top, I think it's still top 5, TED talks of all time, and she's a psychologist, and she talks about this idea of being vulnerable, being vulnerable in your personal relationships. You know, I'm sitting there with my girlfriend trying to explain to her, I'm like, yes, it's great for your relationship with your significant other; that's not what we're talking about when it comes to my job, right.

I'm the type of person that I will go a couple minutes out of my way to make sure I don't have to turn left, because the chances of a car accident occurring are going to be a lot more than if I'm just making a right-hand turn. So now I'm also very practical, I'd like to think, or utilitarian, I would swear, that it comes from that place, but the idea is, so if it's just an extra minute or two, I'll go that direction; if it's more than that, I'll just take my chances with the left-hand turn, right. I like to think I'm very practical and very utilitarian in the work that I do, whether it's at Fluor, which is my full-time job, or a couple of the other side projects that I have as well. And so we start talking about the vulnerabilities that we see, a lot of them, and we'll talk a lot about, we'll touch on, finding patches in the environment. It's not necessarily a web application security talk, which sometimes scares people away, so don't worry. But I do actually like to go back to Panera, because I do a lot of work at a Panera, just like I was mentioning, and back in April they actually had a big, what's considered a breach, right, in that a security researcher was able to go to their website and, with a simple URL, dump out the entire database of all the users, including myself, that had signed up for the Panera rewards program, right. So they didn't have social security numbers or credit card numbers, except for the last four digits; email addresses; they could see the point balance. The theory was, oh, somebody could take all those reward points I've earned and they could steal them and get a free bagel. Okay, more power to you if you could pull that off, right. I come back to this one also; it got lost with Equifax, because a month later the Equifax breach came out, and so everybody heard about Equifax. I mean, most businesses, it impacted all of us, also at a personal level, as far as allowing all of our personal information to be out there. So Equifax, at the end of the day, though, was really just somebody not patching the server, right, and so it's a very easy attack to pull off, right; it didn't take any nuance or technical knowledge. Now, I definitely give the gentleman that was doing the research on the Panera Bread site credit; he actually put some work in. It sounds like it was still very easy to find, but he went through it and actually found where he could get to where he dumped all that customer information out of the database, right. And he did the right thing; he tried to do responsible disclosure. The worst part about the breach was the Panera IT folks that he was trying to work with weren't working with him. We'll talk about that a few more times as we go through.

But as we start to shift, and what we've seen over the last five, or really even almost 10, years now in some of the environments that we've been in, is that we have a growing number of devices that are connecting to the network, whether we talk about regular PCs and laptops and servers, or if we do get into talking about IoT, and so we have our thermostats on the network along with our HVAC systems. I have a friend that does a lot of building automation systems, so we actually knocked over the building automation system in our corporate headquarters, oops, accidentally, with a basic Nessus scan, believe it or not, and so all the door controls shut so you could get out of the facility, right, for safety purposes, right, makes sense. Well, thankfully they do fail open, so in the event, especially if you think there's a fire, people are still able to exit the building, but nobody was able to get in through, you know, the doors. At our corporate headquarters, Fluor is about a thousand employees; I think 700 of them are executives, so there were a few people that weren't very happy that they couldn't get into any doors.
Yeah, especially if you're talking wireless, yeah, and I've been doing a lot more wireless work these days. So if you ever, it sounds like Ocean's Eleven, that wasn't the movie. Yes, we don't get too far into that, so everything we're talking about in this presentation has been done over the wire. And we've seen some attackers; we've definitely experienced advanced persistent threats; we've had the nation-states, the Chinese, the Russians, probably things that actually target a company in some way, shape, or form. But yeah, a big part of this presentation is understanding that if it has an IP address, if it communicates, right, if I can touch it, right, if it sends, especially, a packet out to the Internet, right, it is vulnerable, period, the end. And so we have to start looking at where those vulnerabilities exist. Well, they're everywhere. We still think of, and it's probably pointed out a little bit more on this slide, printers; printers are probably still today one of the most overlooked. We talk about, it could be IoT; I almost think of printers as industrial controls, right, because with industrial controls, we talk about, you have a system that sits at a power plant, right, and it has an IP address and an operating system, and it's supposed to make physical changes in the real world. What does a printer do, right? It spins gears and it spits out paper. And so when we start looking at, you know, where these issues are, I do a lot of detection and response as well, and of course that stereotypical situation we've talked about for 20 years now still exists: you have the SOC analyst sitting there, sees a potential intrusion that's alerted on, and then they go back and they realize, oh, that's just the printer, never mind, right, and they ignore it. And at the same time, more than likely, an attacker could sit there on that printer and have full control over that device, using it to get to the rest of the network. Yeah, the printer is just another computer, right. It looks like it's an HP, right, it's a Xerox, maybe it's one of those tall multi-function devices, right, and at the end of the day it runs Windows, it runs Linux, a lot of them run Linux. How often are we getting those patched? How often are we getting... well, and that's why you see a lot of industrial controls also switching to... yeah, exactly, yeah. When you think, if I can connect to that system, I don't care if it's a printer, a server, a workstation, a laptop, a phone, as long as I can get access and run commands on it as an attacker.

So one of the things I like to talk about a lot, and a lot of people still haven't really gotten into the critical security controls too much; I'm going to do, by show of hands, who's familiar with the critical security controls? Usually there's a few people in the room. Okay, I got one. So the idea is the critical security controls, they just had a more recent update in March, came out of a project that the SANS Institute had originally started, and then they shifted it over to the Center for Internet Security, which was a group that was kind of formed by the NSA, the FBI, back in the day when everybody had their suggestions on how to secure systems and they decided we need to put one group together to manage all this, and so the SANS Institute handed over the critical security controls. And the idea is, here's 20 areas in your information security program that you need to focus on, and if you apply these, then, depending on who you talk to, it will protect you against maybe 80% of the cyber threats that are out there. Now, the idea being that the nation-states are the other 2% and there's nothing that you're going to be able to do. So when you look at the critical security controls, though, and you look at them from top to bottom, the nice thing is, and this is where I love using this when working especially with different executives or other folks in IT, is that it's a prioritized list. So the idea is we should start and have the most impact by implementing the controls at the top of the list versus the controls that are at the very end. So the very first, and they really talk about the first two items, right, really make up asset management. I don't know about you guys, but there aren't a lot of organizations that do a really good job at asset management, right. There's a few, right, but...

So thankfully this year they bumped up vulnerability management, continuous vulnerability assessment and remediation, up to three from four, and then we can look at the other end of the extreme, right, where number 20, you see penetration tests and red teaming, right, so that's both ends of my world, response and management. A lot of the questions they usually get is, why do you put incident response at the very end? It's extremely important, it is, and they're not saying don't have an incident response plan, don't be prepared to respond in the event of incidents, right; just the idea is, do everything else first, because this is supposed to happen after the fact, right, after somebody gets onto the network, after something bad is occurring, versus, right, everything else that comes before it is supposed to protect or prevent the bad thing from occurring in the first place. Makes sense.

And so I always go by the 80/20 rule. I'm familiar with the Pareto principle; that idea is, more than likely, 80% of our overall risk comes from 20% of our vulnerabilities, or we can have maybe 80 percent of the impact on our cybersecurity maturity level by implementing even just the first 20 percent of those controls. I still argue that out of all of these controls the most important is vulnerability management, because it actually touches on all of these. I'm going to go do a pen test, I want to pull my vulnerability scan data. I know a lot of pen testers say, right, that we don't do vulnerability scans, and it's not the end of the world, and we're going to talk a lot about that in the rest of the conversation, right; we're not going to lean on, and we're not going to solely use, vulnerability scans, but it's still a data set that we want to consult. All right, so, like, for example, you accidentally leave your admin... yes, hopefully not, right. So the idea is these are all controls to protect the environment when something like that happens, right, or what happens when somebody clicks on that link in an email or opens up an attachment, right, because we know someone is always going to click on a link or they're always going to open up the attachment, right. There's always going to be an infection in the network; there's potentially always going to be an attacker in the network at some point. Do we have any pen testers? So hopefully this conversation will kind of set you on that way. So yeah, so I'll spin it again: the goal, depending on if you're on offense or defense, depends on the goal of that... yeah, those are the two worlds I live in. And we primarily still always focused on the vulnerability management; we didn't really necessarily always have the ability to add pen tests. We would go out and we would engage outside parties to do penetration tests for us, but we didn't do the internal testing until our internal audit team came to us and asked us to help them with their penetration test. So it's like, so I'm responsible for finding the vulnerabilities and fixing them, and then you want me to actually see if I can break into the systems that I'm protecting? So either, if I can't break into the systems, I'm a really bad penetration tester, or if I can break into the systems, then I suck at my normal job. So I...
Right, so like I was mentioning, though, the idea is I still see the main thing for organizations to really focus on as vulnerability management, right, and that we are continually scanning the environment, and that's an automated part that's still in that way, yes, yeah, exactly. And so we'll talk a little bit about some of the automated vulnerability scanners that are out there; the big one is still Nessus, and that's what people will use; there's OpenVAS out there, which is open source, but then the conversation does turn into not just solely relying on those automated scanners and building these pen-test-light activities, right, into your program that you should be doing.

This is true, maybe not all of us; we know, I don't know about myself some days. So yeah, the idea with vulnerability management, though, and that's kind of the whole title at the top, right: we want to be able to find the issues before an attacker does, or especially an auditor, because I always, even, will have some examples of, and I do pen tests for other clients as well, and I hate, right, whenever somebody comes in and says, oh wow, we found this issue and we were able to get domain admin credentials in, you know, half an hour or less, right. So it has taught me, hopefully, to be a lot nicer and more empathetic when working with other clients as well when we go in to deliver those results. But we do want to be able to find those vulnerabilities and remediate them as quickly as possible.

The other thing I like, and this is kind of where I have one foot on each side of the fence, is that from an intrusion detection and response perspective, if an attacker gets on the network, right, by an employee clicking on a link or opening up an attachment, which we know will happen, right, they're going to then have to start looking for other vulnerabilities and gaining access to other systems and services. So they're looking for other vulnerabilities; if we're finding them before the attackers, that just means the attackers are going to have to spend a lot more time on the network trying to find ways to gain access to those systems and resources, which gives our intrusion detection teams a lot more time to be able to find them, right, and then kick them off the network, find out how they got on the network in the first place, and hopefully plug that hole. Like you mentioned, though, most of our holes come from our users, right, and it just goes back to that entire cycle; someone's going to click on the link or open up an attachment.

So to go back over the basics, when we talk about vulnerability scanning in general, right, there's the four phases; we'll just go through these real quickly. Right, we can use an automated tool to scan across the entire environment; we use five Nessus Pro boxes currently to scan the entire network. It takes about ten days because we are spread out globally; we do business in just about every country on the planet except for the big three, like Iran, North Korea; we actually just pulled out of Libya, probably six or seven years ago when the strife really started. We're going to scan, right; we're going to take those results, and I've gone to clients before and said, here, literally, is a hundred-gigabyte Excel spreadsheet that'll take you an hour to open up in Excel, right, of all your vulnerabilities that you need to fix. What? Right. So we do go ahead and we prioritize those vulnerabilities, right, on a scale of zero to ten, or we say, right, critical being the worst, and maybe a low risk, which we'll never get to. We want to get those issues fixed, again, before, whether it's an attacker, well, there's not a door... somebody coming in to do a pen test who's actually able to find this, right. The whole idea is raising the level of cybersecurity across the organization, and we'll verify that the work was actually done, because just because somebody thinks they fixed this doesn't necessarily mean it's done. I've done it too; say, trust me.

So what I like to do is actually do vulnerability scans without credentials, because that is what will actually show you what a non-credentialed attacker will see at first, and then go back and do it with administrative credentials, so then you can see additional information where the scanner can do things like log in to a Linux or Windows box and see, are there missing patches, right, and then we could see there's additional exploits that are available, especially local privilege escalation. So we can do it with or without credentials; I like to do both. Yeah, it takes time, but we get a lot of really worthwhile information out of doing both.

Then we prioritize. We'll look at an example from Nessus where it goes from critical to low, but the idea is the criticals are the worst of the worst, right; this is where somebody with no technical knowledge can exploit this vulnerability with a free tool that they downloaded from the internet and they can have complete control over the machine. Think Apache Struts, Equifax; my grandmother can pull it off, or I say my grandson, who's seven, he could pull it off. Well, part of the joke, right, yeah, if my grandmother can do it, yeah, that's a... right, that tells you it's bad, right. So yeah, we want to get things fixed, and this is really where we're going to take the rest of the conversation: yeah, we understand, okay, there are the critical vulnerabilities out there, and those typically are usually fairly easy to spot, especially by an automated scanner, and we can get those fixed. The business these days understands: all right, let's get those holes plugged and move on with our lives. But a lot of what we're going to talk about is the low-hanging fruit that a lot of people overlook, and that you aren't necessarily going to get a flag for: something like an open share, a shared folder on a Windows system, right, that could present risk in a Windows environment, or anonymous FTP; that's kind of OSCP rule number one, all right, to see if I can log into an FTP server anonymously and access data. And then again, we mentioned verification, and then we also want to, and this is very important from a vulnerability management perspective, we're always monitoring for new vulnerabilities, and especially we've seen this shift over the last couple of years, I think, for a lot of folks in business, because if you don't, well, guess what, your boss or your boss's boss, because now we get those emails that say, hey, I was just looking in Forbes, right, or our CEO was just reading in the Wall Street Journal about, like, NotPetya, right, which we'll talk about, at the end of last year, and they want to know, are we protected against this, right. NotPetya caused more than three hundred million dollars in write-downs for Maersk, the largest shipping company in the world, right. And so our leader for our company wants to know, and we need to be able to go back and say, yeah, we already knew about this, we're already monitoring, we've already scanned, we know where our vulnerabilities are and we know where we're patched, and we can tell you that we're good, right. And that's usually what executives want: are we good or are we not?

So when you start looking at, and this goes back to also a part of the presentation, really, which is finding the vulnerabilities. Well, to find the vulnerabilities we have to take a step back, right; we have to know where our systems are, and so then we look at those from the outside perspective as well as the inside perspective. So we talk about most organizations, most, that when I have systems that are connected directly to the internet, that's usually a very small number, right, compared to what I have in the rest of the organization, right. For Fluor, again, we're probably on the higher end of the scale, but we have about a hundred and fifty internet-facing systems that are open, right, and then we have 50,000 just end-user workstations spread out around the world. Big difference. So usually when we talk about internet-facing, we see a much smaller number of networks, a smaller number of computers and services, right,
and then usually everything can be fairly well documented because you had to go back and open up a firewall hole to allow that connectivity but I will also tell you we go to new organization as a go to work with the client and we always find something that's connected to the Internet that the client didn't know about right and so we want to know about especially if it's vulnerable so if it's supposed to be exposed to Internet great but let's get it secured if it's not supposed to be there in the first place let's go ahead and talk about from the internal perspective that's where especially automated vulnerability scans come into place right because we have a much larger
number of networks a much larger number of host we see pretty much all of the services all the applications that are running on the systems it most everything could potentially be documented that goes back to critical security controls one and two for asset management all right which organization has a list of all their systems and all the software that's installed on those systems so I'm get close and so what are the attackers analogy is looking for I said for me what I've always seen is they're either focused on really the easy attack right which takes advantages of those critical vulnerabilities that most vulnerability scanners automatically look for so that's why if we're looking at a tool like necess and
I see it critical yes I want to get that fixed really quickly but again there's a lot of these low-hanging fruit items that a lot of people in their enterprise vulnerability management programs are not looking for in any way shape or form this is what we're for the rest of the conversation so I do talk about right there are vulnerabilities scanners out there like open vazh so when necess right went closed source and so you actually had to pay for messes that open files was an open source version of that you could use for free and you still can it's not as fast and it has less than half the plugins or the vulnerability checks that neces does but it's free and
there's a lot of awesome resources that built up around it so it truly awesome right great work most organizations will at least have an automated scanner though that they're paying for like neces professional which is about two thousand dollars a year now I tell if in anybody if your entire IT security budget is only two thousand dollars go by necess and run the scans it doesn't do everything and I'm not saying it's a silver bullet but for most organizations it's a really great start right and we'll see why that's not but that here you can see not only do we find vulnerabilities but we've gone ahead and categorized them by a risk right so we see those criticals patch
here first and that's 17 Oh 10 that's the vulnerability that was leaked right by shadow brokers that they borrowed from the NSA and that was responsible eventually for one a crying not text you know and it's one of those wonderful very very very easy to use vulnerabilities because it works almost every single time so we see there's high those are still pretty bad and we want to get to those we just want to do them after the criticals and then most organizations the mediums and lows the informational you'll never ever get to because you're still spending time on the criticals bless you and the highs that's just the sad truth I did doctor some of the slides so this is actually a
combination of your Windows and UNIX rumor I was gonna fix it then I just kind of left it alone if you don't typically see X server running on Windows boxes but I knew the low and used to make it pick up I think I've got all the IP addresses and MAC addresses a filter out of all the slides which would be good thing so when you start talking about looking for other things on the network outside of the servers and the workstations right our laptops other types of services that fall outside of our normal baseline ideally we try to have zero default SNMP community strains on the network period the end when we see one pop up we know to investigate
and look something is here not only did they use default community string which from a security perspective is normally not the end of the world though I have used them to take over a network infrastructure before which was fine not only SNMP default commute strings but they're running Talent and so we could device you can actually see it's running in setup mode right so nobody even touched it so it's essentially default potentials right or default factory says it just turned out to be one of the humidity and temperature centers and one of them so at the end of the day this was fairly limited right and at the same time we've seen issues you love the
story about the thermostat at the casino in Vegas right the thieves I've used to funnel data and money out the door potentially right there's still an issue right one of the other things in this we start looking at is you have to remember web applications are everywhere just about every IOT device and just about every industrial control system that you'll see has a web interface that's all I always preach now if you're not learning web app security now start even I'm definitely behind the curve on that but the idea is just about everything these days comes with a web application front-end so we can start looking for web apps across the environment and when something new pops up like this this is
somebody in one of the Asia offices that went and bought one of these little wireless access points so you can actually buy them here for 20 bucks off at Amazon all right and they wire it to the physical floor network and then they actually had 12 different people accessing it wirelessly of course the kicker is they didn't change the default administrator name or credentials so we could log in we could see the name of all the devices that were connected we could see their MAC addresses and then oh well we just kicked them all off change the password shut the device down that that will do gate it right like you can see if somebody starts screaming to
figure out you know whose it actually was they actually did have somebody complain and they got a corporate security policy violation for it these devices are out there though right this was another interesting case I thought because it was where we're skinny found a web application on a workstation so usually we start thinking shadow IT right somebody's doing something that they shouldn't but yeah I've been shadow IT before I understand people are just trying to do their job so it's like hey let's work with you to make sure this is done securely in this case we found this web application if you hit the web server that was running on their workstation it actually redirected you
out to the internet your browser out to this Chinese search engine and so what happened was their workstation actually became infected with a browser hijack tool and not only would it take their browser to this page but it actually ran a web server on the workstation so if anybody hit the web service it would take them to thought that was interesting right they got a corporate security policy violation - they were they were doing maybe some not necessarily business yes yes exactly and so we started looking at talking about finding you know our presences out on the Internet how many of you are familiar with Showdown okay so usually there's a discrepancy a lot of folks know about
about census and in in show Dan and since this and show Dan talk but the idea is like if I want to do a pen test or if I work for let's say Panera and I want to find where my presence out on the Internet is I can go to census type in Panera and like show down both of those services scan the entire internet right the index the information that they find now they're not scanning all 65,535 TCP ports but they're scanning a couple dozen and they'll get most of the web server so if you have a web page out there that mentions Panera right or if you have a digital certificate that mentions Panera you can actually pull
those up through census showed in does it as well but I think if you're just do pure name searches census will actually have a lot more usable results versus showdown which is more hey give us an IP address or a network range and we'll tell you what's on it so usually I'll start with census to find the networks and the IP addresses and then switch the showed an to do so but really the rest of the presentation I know we're kind of winding down but this is an example of where I actually was trying to demonstrate to a client the dangers of WordPress and if your WordPress sites are updated and secure bad people can do
bad things with them, and it's very easy. So in this case this is just an example I found off of the Internet, but I found this site, Your Living Body, through Google, which has the WordPress API, right, exposed, where somebody can go and upload content to the site. Does that sound like a good thing to allow just to be wide open to the Internet? No, right? No.

This is OSINT trick number two. So one of the tools out there, and this kind of builds on... anybody heard of SpiderFoot? It's got the graphical interface that follows recon-ng. So recon-ng, which was written by Tim Tomes, is supposed to automate the open source intelligence gathering process for you. For a lot of people, though, it's difficult to use because it follows the Metasploit interface; it's command-line driven, so it's not easy or accessible to everyone. SpiderFoot is, right? So you have a web interface; you literally can go in and say panera.com, it's actually panerabread.com, which I found out through my use of SpiderFoot, right, but put in panerabread.com, right, and let it go off to the races.

Well, what I started to find out, when I was looking at these different WordPress sites, was somebody was going ahead and hacking all these WordPress sites. Some of them are actually on the same hosting provider, some of them were scattered across other servers all around the world, and they would hack the site so that if a visitor went to the page they would get redirected to a site called bestmeds.biz, which is probably what you can imagine, right, it's for online buying of pills. So we did some additional research. I can use Google dorks, or specialized Google searches; Exploit Database, the Offensive Security guys, are doing an awesome job hosting the Google Hacking Database to give you some ideas, and you don't even have to go to this extent, but, right, we can use Google searches to find all of these pages on the Internet. And so we started to look at all the connections, and then we see the Stanley Spencer Gallery. It's an art museum, essentially, and buying Xanax online from Canada is probably not their actual business model, right? And so when you start looking at, yeah, here's bestmeds.biz, and if you go to some of those, picture one of them, I think it was the Soos Group, and I sent them an email to let them know, hey, you've been hacked, by the way. And the idea is, if you went to the page, they're high-end realtors for, you know, Manhattan, and then like Central Park apartments, and then also like high-end real estate out in LA, right, and if you go to part of their page you
can... oh, here's where you get redirected to. Not part of their business model as well, I would imagine. I did find it funny.

So then of course, oh, here's the little chat, right, that pops out. So I went back the next day and I thought maybe it would be a good idea to actually talk to them and see. So in this case I actually went back, I thought I was being super smart, turning on my private VPN so that, oh, I saw the servers hosted in Germany, so I said I'll make it look like I'm coming from Germany. So actually it's hard to read, but they tell you right away, oh hey, not to waste your time, we don't ship to Germany. Looks like, oh well, okay, obviously you're already looking at all of my information that you can pull from my public IP address and where I'm coming from. Thought that was interesting. Yeah, okay, well, thanks for letting me know. So I went back a couple hours later, made it look like I was coming from New York, right, and then had the same conversation, and there's other conversations; it doesn't take long to realize it's just somebody, might be a woman, might be a man, they could be in a call center in Bangalore, they could be in a call center in Denver, Colorado, you never know, right? And the idea is they're just another person sitting there doing a job, right, because they probably don't have a clue, right, when I say, oh yeah, our site was hacked and that redirected me to your website, but technically, buy pills, I wasn't going there, right, and have them sent to you here in the United States without going to a doctor, even though I think in this case diazepam and Valium you have to have a prescription for. And then they even ask you to rate their service afterwards, so I gave them a rating.

So again, there's low-hanging fruit out there, though, and just to mention a couple to wrap up, right, looking for
things like open shares. When your systems get infected, ransomware, crypto-mining infections, right, that want to spread, one of the ways they'll spread is by open shared folders on the network. When attackers gain access, they're going to start scanning for open shared folders on the network; you need to be scanning for them. And I do have a lot of slides, and that's partly not to throw everything in the kitchen sink, it's just so you'll have the references for later on, right. So you can see Nessus says, hey, you have an instance of Windows shares; could be good, could be bad, they could be all restricted. Well, if we start looking, well, Nessus has a scanner to look for open shares, and in this case we've found some default shares as well as a share for accounting, HR and sales. One of those is wide open to the entire world, and hard to tell from there, right. So I love Nessus and all the Nmap Scripting Engine scripts we have, right; this one's a little rough, it doesn't give us a lot of information. The one tool, believe it or not, we use the most when looking for open shares, because it's so easy and has this wonderful graphical interface, is SoftPerfect Network Scanner. How about that? So the idea is I can run a scan on the system, write all the information, redacted of course, but you can see on this 10.10.10.10 I have an accounting folder that's open to the world; anybody can open that folder as long as they're connected to the network, they don't even have to have a user account. That's the red exclamation point. There's a lock on the sales folder, says I'm not getting into it, and then there's the HR folder, open; that means it's read access only. So depending on what information is there, right, the attacker can take that and use it to do other things on the network, right, which goes to the next one, anonymous FTP.

All right, in this case Nessus doesn't even say, hey, it's anonymous access; it just says you have an FTP
server running. So then you can go back and I can run a scan for anonymous FTP servers, so can I log into the FTP server with a username of anonymous and a password of any email address I choose, all right, joe@joe.com, and there's a Nessus, there's an nmap script to do that as well. And then the story is we actually had a client where we had gone in, right, found an anonymous FTP server, logged in, and one of their web developers had stored their project files there, and in one of those project files they had a text file with the default credentials for their web service, and then that web service had local administrative access to a system. So even though Nessus, or any vulnerability scanner today, doesn't find an issue, it doesn't mean that there's not an issue there. The point is, definitely do the automated vulnerability scans, but also you want to be taking the time to even build in those penetration-light techniques to be able to look for those things that the scanners just aren't going to find automatically. One of the tools, and I don't put it in here, but it's built into Kali, it's called Sparta, which will actually automate a lot of those, I guess, low-end, if we call them that, pen test techniques for you. And so if it finds a web server, it'll take a screenshot for you so you don't even have to open it up in a browser; if it finds an FTP service, it'll try to log in anonymously and let you know; if it finds a SQL Server service running, it'll try to log in with default or maybe some easy-to-guess credentials. So check out Sparta.

But there's a lot of other slides, like I said, I put a lot in there, but it really brings us to kind of the end. Just a couple quick reminders, again, there's just some recommendations. Remember, from my perspective, vulnerability management still has to be a key aspect of anybody's security program, right; it needs to be; it touches on all those different areas, right, that
we saw laid out with the Critical Security Controls. All right, work with the folks in IT, the system owners, to fix those issues based on priority, right; you don't want to give anybody a hundred-gigabyte Excel spreadsheet, right. Change those risks to what makes sense to you, right; just because Nessus said, oh, this is a medium-risk vulnerability, that might be high or critical to you depending on your organization; maybe you're in finance and that could be a compliance finding. We started to look at, build open source intelligence into your vulnerability management practices; put your domain name into SpiderFoot. SpiderFoot's free, it's very easy to download and run, and see what results come back, right; see if you have any, you know, hacked WordPress sites on your organization's servers, right. Okay, don't rely on just the scanners; go build in those pen test techniques like that at a bare minimum. And then always be looking for those vulnerable applications, because they're out there: IoT, industrial controls, servers, workstations, shadow IT, right; they're out there just waiting to be found. So find them and take a look at them and make sure that they're supposed to be there, and if they are supposed to be there, secure them; if they're not supposed to be there, get them off from there.

So thank you everybody again, I really appreciate you guys taking the time, and hopefully some of you might make it up to Greenville. It's about three hours from Charleston. We have a great show, I think, lined up. Doug Burks from Security Onion is doing our keynote, a lot of local guys like Tim Tomes, got Chris Sanders coming up from Gainesville, we have a lot of great local talent. It's going to be at the Clemson automotive research facility, which is a really exciting place, so we're expecting about 225 to 250 this year for our second year, really awesome, exciting show, and the Clemson automotive research campus is very, very techy and very cool. So feel free to reach out anytime if you want to chat or catch up. So thanks again, I really do.
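The hacked-WordPress redirects described in the talk can be checked for defensively once a page has been fetched: look for meta refreshes, script-driven location changes and hidden links that point off-site or at pharma content. This is an added example, not code from the talk; the sample HTML, the site host name and the keyword list are constructed, and only the redirect target bestmeds.biz comes from the talk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators: the redirect target named in the talk plus generic pharma terms.
PHARMA_TERMS = ("bestmeds.biz", "pills", "xanax", "valium", "diazepam", "pharmacy")
# Matches assignments like window.location.href = "http://..." inside inline scripts.
JS_REDIRECT = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)


def _looks_pharma(url):
    return any(t in url.lower() for t in PHARMA_TERMS)


class _Finder(HTMLParser):
    """Collect meta refreshes, script-driven redirects, hidden and pharma links."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = re.split(r"url=", a.get("content", ""), flags=re.I)[-1].strip(" '\"")
            self.findings.append(("meta-refresh", target))
        elif tag == "a" and "display:none" in a.get("style", "").replace(" ", "").lower():
            self.findings.append(("hidden-link", a.get("href", "")))
        elif tag == "a" and a.get("href") and _looks_pharma(a["href"]):
            self.findings.append(("pharma-link", a["href"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for url in JS_REDIRECT.findall(data):
                self.findings.append(("js-redirect", url))


def scan_page(html, site_host):
    """Return (kind, url) findings that leave the site or point at pharma content."""
    p = _Finder()
    p.feed(html)
    out = []
    for kind, url in p.findings:
        host = urlparse(url).hostname or ""
        offsite = bool(host) and host != site_host
        if offsite or _looks_pharma(url) or kind == "hidden-link":
            out.append((kind, url))
    return out
```

Run it over HTML saved from each site SpiderFoot or a Google search turns up for your domain; a clean page yields an empty list, while an injected page surfaces each redirect path separately.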