I love telling stories about some of the things I’ve seen or done because it helps align mere talking points (or theory) to reality. This is a story I’ve told and presented on several times. It always resonates with the audience and businesses so I figured I would share it here.
I was approached by a friend who works in the healthcare space. He asked me to perform a security assessment and light penetration test of his business. My immediate response was honestly ‘why?’ I knew their business had just recently installed all of their equipment in the last few months. Yes, I realize you can royally screw up an install and nothing is 100% secure by default. Still, I wasn’t convinced this was the best use of his money. After all, a default install of today is far better than a default install of yesteryear, and the business was clearly not carrying a ton of technical baggage like a company that has been in operation for 20 years. He explained that he had some concerns about his managed IT service provider, which also claimed to handle all their cybersecurity. OK, that’s a fair point and a valid reason. I explained the process of the test, when I would come onsite, etc.
I’m not going to lie… I walked in thinking I was basically going to make a few recommendations on how to tighten things up and I would call it a day. Once onsite, I got set up on the network with my laptop. I started off rather quiet to get a lay of the land. Right away, I started seeing some oddities. I did some quick network scans and even a little Responder action. More interesting findings and no alarms or phone calls. I tested egress firewall rules… Non-existent. I found everything was on a single, flat-as-all-get-out network. OK, let’s go with some heavy network scans and even some password brute forcing. This last bit is the equivalent of banging on every door and window in a house and nobody noticing. At one point I was doing a password brute force attack against the firewall; if a security person helped define words in the dictionary, this act would likely be pictured next to the word ‘irony’, to say the least. What did I hear? Crickets. No phone calls, no ‘hey, something strange is going on with your network’, no nothing. Just silence.
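The two noisiest things done above, port scanning and password brute forcing, are exactly the behaviors that even a basic log review should catch. As an added illustration (not code from the original post or from the author's company), here is a small Python detector that flags both patterns from firewall connection and authentication logs. The log format, the IP addresses, the thresholds, and the window sizes are all assumptions made for this example, and the log lines are constructed rather than captured from a real network.

```python
"""Toy detector for the two noisy behaviors a quiet network should still notice:
a host touching many distinct ports in a short window (port scan) and a host
racking up many failed logins against one target (password brute force).

Assumed log format (one event per line, constructed for this example):
    <ISO timestamp> conn src=<ip> dst=<ip> dport=<port>
    <ISO timestamp> auth src=<ip> dst=<ip> dport=<port> result=<ok|fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> str:
    """Constructed sample data, not real traffic. All addresses are made up."""
    base = datetime(2023, 5, 1, 10, 0, 0)
    lines = []
    # A normal workstation talking to a few internal services: should not trigger.
    for i, port in enumerate((445, 389, 443)):
        ts = (base + timedelta(seconds=i * 5)).isoformat()
        lines.append(f"{ts} conn src=10.0.0.20 dst=10.0.0.5 dport={port}")
    # A scanning host hitting 40 distinct ports on the firewall in under a minute.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} conn src=10.0.0.50 dst=10.0.0.1 dport={1 + i}")
    # A user mistyping a password twice, then succeeding: should not trigger.
    for i, result in enumerate(("fail", "fail", "ok")):
        ts = (base + timedelta(seconds=30 + i * 10)).isoformat()
        lines.append(f"{ts} auth src=10.0.0.20 dst=10.0.0.1 dport=443 result={result}")
    # Fifteen failed logins against the firewall admin interface in about two minutes.
    for i in range(15):
        ts = (base + timedelta(seconds=60 + i * 8)).isoformat()
        lines.append(f"{ts} auth src=10.0.0.50 dst=10.0.0.1 dport=443 result=fail")
    return "\n".join(lines)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with an epoch-seconds timestamp."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.fromisoformat(ts).timestamp()
    fields["event"] = event
    fields["dport"] = int(fields["dport"])
    return fields


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_port_scans(events: list, window_s: int = 60, min_ports: int = 20) -> dict:
    """Return {src_ip: max distinct (dst, port) pairs seen in any window_s span}
    for sources that reach min_ports. Sliding window over sorted timestamps."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "conn":
            by_src[e["src"]].append((e["ts"], e["dst"], e["dport"]))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        left, peak = 0, 0
        for right in range(len(conns)):
            while conns[right][0] - conns[left][0] > window_s:
                left += 1
            distinct = {(d, p) for _, d, p in conns[left:right + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_ports:
            flagged[src] = peak
    return flagged


def detect_brute_force(events: list, window_s: int = 300, min_failures: int = 10) -> dict:
    """Return {(src, dst): max failed auths in any window_s span} for pairs that
    reach min_failures. Successful logins are ignored on purpose: a burst of
    failures followed by one success is the classic sign of a guessed password."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "auth" and e.get("result") == "fail":
            fails[(e["src"], e["dst"])].append(e["ts"])
    flagged = {}
    for key, times in fails.items():
        times.sort()
        left, peak = 0, 0
        for right in range(len(times)):
            while times[right] - times[left] > window_s:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= min_failures:
            flagged[key] = peak
    return flagged


def run(text: str) -> tuple:
    events = parse_log(text)
    return detect_port_scans(events), detect_brute_force(events)


if __name__ == "__main__":
    scans, brute = run(build_sample_log())
    print("port scans:", scans)
    print("brute force:", brute)
```

The thresholds are deliberately loose; the point is not tuning but that the scanner and the brute-forcer in the constructed log stand out from the workstation doing ordinary work, and that the normal user's two typos do not trip the brute-force rule. A managed firewall or SIEM does the same thing with better data; what matters is that someone is actually looking at the result.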
During the testing process, one of my scans completed and it found an unpatched Windows 8 machine. This is typically the point where you as a tester can do a little dance because this is a security death knell 99.9% of the time. The only issue was that the Windows 8 system wasn’t the same make and model as their standard office builds. The conversation went like this. “I found an unpatched system, it’s on the domain, and it is trivial to exploit… but I’m not going to exploit it. It could be an end user system, a dedicated machine, etc.” Without the ability to look in the switch and map ports to MAC addresses, we went with the next best option, which meant I was going to get my steps in. Fortunately, it wasn’t a big office! We walked the halls looking for anything that might have fit the description of what we were looking for. Bingo! A dedicated, high-dollar machine… And I breathed a sigh of relief because I was sooooo happy I didn’t try to compromise it.
With the job mostly complete, I took a quick peek at the rest of the environment. The basics were completely lacking even beyond what I had already uncovered. For example, I found systems in the office had *not* received a Windows or third-party patch since they were installed. Why? Oh, they just forgot to install their patch management agent. WHAT?!?! Going back to the default of today (vs. yesterday), this IT provider technically made this customer far more vulnerable than if they just left everything default. <face palm> A little more digging revealed their endpoint protection was an unmanaged product you can buy at a big box retail store for $20/year. <another face palm> And no, I’m not saying endpoint protection is the end-all, be-all, but just stick with Windows Defender if you’re installing absolute trash and you’re not going to manage it. Wireless? They relied on a pre-shared key instead of using an “enterprise” configuration even though the customer already had all of the pieces in place for the latter. Between poor prevention and even worse detection, this customer would have been compromised eight ways from Sunday and no one would have known the difference. “This” is why businesses are compromised for months or even years (see MTTI graphic) and never know about it. It is also why most businesses first learn they are breached when they receive a phone call from law enforcement to tell them.
Customers deserve better. Customers often don’t know or understand cybersecurity, so anyone can tell them anything. And I would argue this is far worse than ignorance because the customer is led to believe they are secure and in “good hands” when that couldn’t be further from the truth. If you are an IT provider or business leadership, understand that cybersecurity is so much more than a handful of products, and not a single aspect of cybersecurity is set and forget (install and walk away). Even something as mundane as anti-virus is not set and forget. Cybersecurity involves a *lot* of processes that must be followed and, more importantly, monitored. Even then, nothing is perfect, which is where detection plays a key role. If you are a customer, ask questions!!! If you’re uncertain, ask someone you can trust to verify what you have. And no, you don’t need a full-blown penetration test to verify your overall security posture, although a penetration test or security assessment from someone who is qualified to do so is rarely a bad idea.
At TreeTop Security, we combined our knowledge of technology, cybersecurity, and business to create a cybersecurity platform tailored to small businesses. The Peak platform is a near-enterprise cybersecurity solution that is both comprehensive and affordable… and there’s nothing else quite like it. We work with small businesses interested in improving their security whether they have 3 computers or 2000 devices. If you’re an MSP or IT provider, find out how you can partner with us. We help our partners boost the cybersecurity posture of customers using industry best practices and continuous monitoring. Partners receive improved information while fulfilling the day-to-day IT needs of their customers. Customers, in turn, receive better support without breaking the bank. Win-win.
Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.