What Hannibal Lecter did was unconscionable.
But have you heard about the organisation that stored its passwords in a plain-text field in Active Directory – for all and sundry to view? Well, exactly. Horrifying.
To celebrate Halloween, we’re lifting the lid on the stinking crypt of IT and cyber security bad practices as witnessed by our shocked and stricken – but ultimately victorious – Intersys team members.
While this will provide cheap thrills to the security conscious, there’s a serious side. By reading this post, you can avoid the foul, monstrous practices exposed here.
Join us as we enter the house of IT horrors. Preferably, with your wooden stake emblazoned with the motif ‘ZERO TRUST.’
I Know What You Did in Active Directory
Stored the passwords, that’s what – and unleashed hell. The Intersys team has seen this too many times. Passwords typed into the description field of a user object in Microsoft Active Directory sit there in plain text, and by default every authenticated domain user can read that attribute, regardless of their role: no admin rights needed, just an ordinary account and a directory query. It’s like baring your neck to a vampire and saying, ‘Proceed my pale, fanged foe – bite away.’
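The audit an administrator would run to find this before an attacker does, as an added example that is not part of the original post (the Intersys team’s own tooling is not shown here). It assumes the ActiveDirectory RSAT module on a domain-joined machine; the attribute names and the keyword list are ordinary defaults, and the remediation step is left commented out so the list is reviewed first. Note that the same query runs fine as any non-privileged domain user, which is exactly the problem.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# RSAT module is installed and the machine is domain-joined.
Import-Module ActiveDirectory

# Attributes that every authenticated user can read by default and that
# admins habitually treat as a "notes" field.
$attrs = 'description', 'info', 'comment'

# Server-side pre-filter: let the DC return only objects whose attributes
# mention something password-like, rather than pulling the whole domain.
$ldap = '(|' + (($attrs | ForEach-Object {
    "($_=*pass*)($_=*pwd*)($_=*secret*)"
}) -join '') + ')'

# Client-side regex for the report: a credential keyword followed by a value.
$pattern = '(?i)\b(pass(word|wd)?|pwd|pw|secret|pin)\b\s*(is|[:=])?\s*(?<value>\S+)'

$hits = foreach ($u in Get-ADUser -LDAPFilter $ldap -Properties $attrs) {
    foreach ($a in $attrs) {
        $v = [string]$u.$a
        if ($v -and $v -match $pattern) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                Attribute      = $a
                # Mask the secret in the report: the point is to find and
                # clear it, not to copy it into yet another readable place.
                Preview        = $v -replace [regex]::Escape($Matches.value), '********'
            }
        }
    }
}

$hits | Format-Table -AutoSize

# Remediation: clear the attribute, then treat the password as burned and
# reset it. Clearing alone is not enough; the value has already been
# readable by everyone. Uncomment once you have reviewed the list above.
# foreach ($h in $hits) {
#     Set-ADUser -Identity $h.SamAccountName -Clear $h.Attribute
# }
```

If the RSAT module is not installed, the same LDAP filter works from plain PowerShell with `([adsisearcher]$ldap).FindAll()`, which is also the version an attacker with a foothold on an ordinary workstation would use.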
Somebody is Watching You…
Imagine if someone were prowling your organisation, lurking everywhere and gathering facts. Read-only domain controllers are built for branch offices and other less-trusted locations: they hold a read-only copy of the directory and, by default, don’t cache most account secrets. But expose one – and the LDAP and Kerberos services it answers on – to the public internet, and you’re basically inviting these creepy ghouls in.
It allows anyone, anywhere, with a single valid set of credentials to query Active Directory and harvest usernames, group memberships and organisational structure – precisely the reconnaissance an attacker wants before a password-spraying or phishing campaign. We’ve also seen RDP (TCP port 3389) – used to control another computer remotely – exposed to the internet from a corporate server, posing similar risks of credential guessing and unauthorised access.
‘Shut the Doors, Shut the Doors – They’re Coming!’
You can board up doors and nail shut windows, but in horror movies, someone always leaves an unattended entrance wide open. In your organisation, that is the person who deployed TeamViewer remote support software without configuring an allowlist (‘whitelist’) of the partner IDs and accounts permitted to connect.
It potentially allows anyone on the internet to attempt a connection to your system, leaving you open to brute-force attacks and unauthorised access. Shouted one of our IT heroes, who witnessed and repaired this carnage while fending back evil with a flaming torch, ‘It’s so, so important to lock down remote support software.’
The Thing Inside
What if your organisation generally did good but was possessed by a malevolent presence? One that used you like a vessel of evil to spray bile all over the Internet?
One of our ghoul-slayers came across a large IT estate whose firewall allowed any outbound traffic, from any machine, to any port on the internet. A machine on that network became infected and was used to projectile vomit – Exorcist-like – many thousands of emails straight out to the internet, which resulted in the office IP being blacklisted.
Our hero, while wiping the slime off his shoulders, said, ‘It’s so important to explicitly define what ports can be accessed outbound. Ports 80, 443 and 53 are essential for web browsing, but is it essential for ports 25, 3389, 445 and 139 to be opened to the internet? This is a question every organisation needs to ask itself.’
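What that default-deny egress policy looks like in practice, as an added example that is not part of the original post or Intersys’ own configuration. It is the host-level version for a domain-joined Windows client using the built-in NetSecurity cmdlets; in a real estate you would push it by Group Policy and mirror it on the edge firewall. The DC/resolver subnet `10.0.0.0/24`, the rule group name and the idea that only the mail relay may speak SMTP outbound are assumptions to adjust for your own network.

```powershell
# Added example, not from the original post. Host-level egress policy for a
# domain-joined Windows client. Assumptions: internal DNS and domain
# controllers live in 10.0.0.0/24; only the mail relay needs TCP 25 out
# (add an allow rule on that one host); browsing is direct on 80/443.
$group    = 'Corp egress policy'
$dcSubnet = '10.0.0.0/24'

# 1. Flip the default: anything not explicitly allowed outbound is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Start clean so re-running the script does not stack duplicate rules.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 2. What a workstation actually needs.
New-NetFirewallRule -Group $group -DisplayName 'Out: web' -Direction Outbound `
    -Protocol TCP -RemotePort 80, 443 -Action Allow
New-NetFirewallRule -Group $group -DisplayName 'Out: DNS to internal resolvers' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $dcSubnet -Action Allow
# Domain membership: Kerberos, RPC, LDAP(S), SMB (SYSVOL/GPO) to the DCs only.
New-NetFirewallRule -Group $group -DisplayName 'Out: AD services to DCs (TCP)' -Direction Outbound `
    -Protocol TCP -RemotePort 88, 135, 389, 445, 636, 3268, 3269 -RemoteAddress $dcSubnet -Action Allow
New-NetFirewallRule -Group $group -DisplayName 'Out: AD services to DCs (UDP)' -Direction Outbound `
    -Protocol UDP -RemotePort 88, 123, 389 -RemoteAddress $dcSubnet -Action Allow
# RPC endpoint mapper hands out dynamic ports; without this, some AD
# operations (e.g. Group Policy processing) break under a default deny.
New-NetFirewallRule -Group $group -DisplayName 'Out: RPC dynamic to DCs' -Direction Outbound `
    -Protocol TCP -RemotePort '49152-65535' -RemoteAddress $dcSubnet -Action Allow

# 3. The ports from the story, explicitly denied to the internet. Block rules
# win over allow rules, so these hold even if someone adds a broad allow
# later. SMB/NetBIOS out to the internet also leaks NTLM credentials, which
# is a second good reason to keep 139/445 on-net only.
New-NetFirewallRule -Group $group -DisplayName 'Block: SMTP/RDP/SMB/NetBIOS to internet' -Direction Outbound `
    -Protocol TCP -RemotePort 25, 139, 445, 3389 -RemoteAddress Internet -Action Block

# 4. Verify.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -Group $group | Sort-Object Direction, Action |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

Run it on a test machine first: a default-deny outbound policy is exactly the sort of thing that works in the lab and then takes down printing, software updates and the proxy. Anything that breaks should get its own narrow, named allow rule rather than a return to ‘allow all’.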
Somebody is Watching You…
What giggling, masked maniac is looking through your cameras and spying on your people? Our team has seen network video recorder (NVR) systems, used to record the work environment, exposed directly to the public internet.
The problem stemmed from failing to use a unique password. But also, as best practice, Intersys’ maniac hunter-in-chief states, ‘It’s very important to ensure an NVR system can only be accessed while connected over a VPN. It’s also important to ensure that such equipment exists on a segregated network.’
Invasion of the Body Snatchers
Impersonation is at the heart of phishing, of course. And it’s made all the easier when organisations fail to enforce the controls that stop this identity theft. According to our shaken, but ultimately victorious horror hunter, ‘I once did an ad-hoc audit for a company and found that a mailbox had been compromised and accessed over IMAP.
When a mailbox is connected this way, the contents of the mailbox are effectively downloaded to the local computer in full. Threat actors typically then use this information later on to launch indiscriminate attacks on other users in the organisation, and even a business’s suppliers.’
All of this happened because MFA wasn’t enforced and basic (legacy) authentication wasn’t disabled. The two go together: IMAP with basic authentication sends only a username and password, so MFA is never prompted for, and a phished password is enough on its own. Whoops.
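How to find and close that gap in Exchange Online, as an added example that is not part of the original post and not the audit the Intersys engineer ran. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the allow-list address is a constructed placeholder for the rare line-of-business system that genuinely needs IMAP. MFA itself is enforced through Conditional Access rather than these cmdlets.

```powershell
# Added example, not from the original post. Find mailboxes that still
# accept IMAP/POP, switch them off, and block basic authentication at the
# tenant level so a password alone can no longer sign anyone in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Who is exposed? Legacy protocols are per-mailbox settings.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled }
$exposed | Format-Table DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled -AutoSize

# 2. Close them. Keep a short, documented allow-list; everything else is off.
$allowList = @('scanner-mailbox@example.com')   # constructed placeholder
foreach ($m in $exposed) {
    if ($allowList -contains "$($m.PrimarySmtpAddress)") { continue }
    Set-CASMailbox -Identity $m.Identity -ImapEnabled $false -PopEnabled $false
}

# 3. Make the secure setting the default for new mailboxes too.
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# 4. Disabling IMAP stops one protocol; an authentication policy stops
# basic auth itself for every protocol, so MFA cannot be sidestepped.
$policyName = 'Block Basic Auth'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    # With no -Allow* switches, the policy blocks basic auth everywhere.
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 5. Optional, and it will break devices that relay mail with a password:
# turn off SMTP AUTH tenant-wide and re-enable it per mailbox only where
# a scanner or application genuinely needs it.
# Set-TransportConfig -SmtpClientAuthenticationDisabled $true

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats. Microsoft has since switched basic authentication off in Exchange Online tenant-wide, so on a current tenant step 4 mostly confirms what is already the case; on-premises and hybrid Exchange still need it, and turning IMAP/POP off where they are unused shrinks the attack surface regardless. And for detection rather than prevention, the Entra ID sign-in logs filtered on a client app of ‘IMAP4’ show who has been using it, and from where.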
The power, the Power, the POWER!
Power corrupts, and absolute power corrupts absolutely. It’s a common horror trope and could also apply to Kevin in HR if you give him admin privileges.
Not because Kevin is inherently evil. It’s more about the evil he will inadvertently unleash if his machine becomes infected. Says our guy on the front line, in philosophical mood while stirring a hot coffee for Kev and wrapping a towel around his shoulders, ‘Malware will run with the same permissions as the user who launched it. If you’re logged in as an administrator when you accidentally run malware, it will have administrator privileges too.’
You see what’s happened here. It’s monstrous to give admin privileges beyond that which a user requires. It’s a central tenet of the principle of least privilege (PoLP) to give only what they need and nothing more.
A word to IT technicians, too. For similar reasons, don’t run day-to-day activities – email, browsing, ticket queues – with the domain admin role. Use a separate, dedicated admin account for admin tasks only. One wrong decision (e.g., downloading and installing a piece of malware on your device) while holding that role could impact the entire IT estate.
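Three quick checks for the ‘everyone is an admin’ problem, as an added example that is not part of the original post: is this shell elevated, who is a local administrator on this machine, and who holds Domain Admins (through nested groups) while looking like an everyday user account rather than a dedicated admin account. The `-adm` suffix is an assumed naming convention; substitute your own. The domain part assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post. Least-privilege spot checks.

# 1. Is this shell itself running with admin rights? If yes, so does
#    anything launched from it, including the wrong attachment.
function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}
"Elevated: $(Test-Elevated)"

# 2. Who is a local administrator on this machine? Users and groups both;
#    a domain group nested here hands admin to every member of it.
Get-LocalGroupMember -Group 'Administrators' |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# 3. Domain-wide: every user in Domain Admins, resolved through nesting,
#    flagged when the name does not follow the dedicated-admin convention.
Import-Module ActiveDirectory
$adminSuffix = '-adm'   # assumed convention: dedicated admin accounts end in -adm
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
        @{ n = 'LooksLikeDailyAccount'; e = { $_.SamAccountName -notmatch ($adminSuffix + '$') } } |
    Sort-Object LooksLikeDailyAccount -Descending |
    Format-Table -AutoSize
```

Anything that shows up with LooksLikeDailyAccount set to True is the Kevin problem in a different jumper: an account that reads email and browses the web while also being able to rewrite the whole directory.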
THAT Shower Scene – Cue Screeching Music
Finally, here’s a horror IT set-up that gives a nod to Hitchcock’s classic Psycho. During a client audit, we found critical backup servers stored directly beneath an emergency chemical shower – exactly where water would pour if someone needed eye decontamination.
The implications, of course, are horrifying. And to allude to that film (but not too closely in case you’re eating your lunch), the results of a shower on those servers would have been a right bloody mess.
I’m Shivering and Scared – What Should I Do?
Fear not, this is the bit where we give you the ammo – silver bullets, stakes, machetes and what have you – to defeat the IT ghouls.
Whatever the threat, good IT and cyber security are based on a series of founding principles.
On our blog, you can read up on:
Zero Trust and the Principle of Least Privilege (PoLP)
The 3 – 2‑1 Rule for backing up your data
Fundamentals for good cyber security, including the recommended NIST framework.
Also, subscribe to our cyber security newsletter to stay up to date with the latest criminal activity, and follow the Intersys LinkedIn Page.
Finally, if you need further help with cyber security services, get in touch. We provide everything from one-off ransomware recovery services to sophisticated cyber security as a service.