One of our daily tasks is to assess and improve the security of our customers or colleagues. To achieve this use security tools (linked to processes). With the time, we are all building our personal toolbox with our favourite tools. Yesterday, I read an interesting blog article about extracting saved credentials from a compromised Nessus system[1]. This in indeed a nice target for the bad guy! Why?
Such security tools deployed inside a network have interesting characteristics:
- They have credentials stored in configuration files or databases. They just need those credentials to be able to perform their tasks. A vulnerability scanner is a good example. It may have Windows credentials, SSH credentials to connect to the scanned systems and perform a local scan.
- They contain interesting data to build the topology of the network or to discover all the assets (IP addresses, VLANs, remote sites, etc)
- They are allowed to connect to ANY hosts in the network (just because they need to scan the network)
- Their IP addresses might be excluded from the log files (just because they are way too verbose)
The security of security/monitoring tools must be addressed like any other regular asset. Access to them must be restricted, logged and they must be installed with least privileges.
The worst thing that can happen to us is to have our own security tools used against us
0 comments:
Post a Comment