When thinking of an organization’s network security, most people naturally focus on the perimeter of the network: the infrastructure that is exposed to the Internet. While defending against outside threats is crucial to the overarching security of an organization, it isn’t the whole picture. In the event of a malicious insider or a breach of the perimeter, internal network security may be the last line of defense between attackers and your sensitive data. Here are the top 5 internal network security risks found by LMG’s penetration testers.

Insufficient Security Patching/Obsolete Operating Systems

Critical security flaws are often fixed by vendors in short order; however, it is up to the organizations that use the vulnerable systems or devices to apply the patches. Missing patches leave those devices open to exploitation, and some flaws give an attacker administrative access to the affected system with a single exploit, as with the critical EternalBlue (MS17-010) vulnerability in SMBv1. Furthermore, obsolete operating systems such as Windows XP and Windows Server 2003 no longer receive security patches at all and should be removed from service as soon as possible.

Recommendation:

Implement a patch management program to ensure all devices and applications are up to date with the most recent vendor security patches. If a system cannot be fully updated, replace it with one running a supported version. Where replacement is not yet possible, isolate the system and allow access only to the ports and services its business function requires. Keeping your systems current and patched significantly reduces internal network security risks.

Lack of Server Message Block (SMB) Signing

SMB is the network file sharing protocol used by Windows, and it also carries authentication. SMB signing is a feature of the protocol that cryptographically signs each packet, allowing the recipient to verify who sent it and that it was not altered in transit; it was designed to prevent man-in-the-middle attacks. By default, Windows hosts support signing but do not require it; only domain controllers require it. Attackers can capture an authentication attempt (for example, one coerced through the name resolution poisoning described below) and relay it to a host that does not require signing. Because that host never verifies the authenticity of the session, it accepts the relayed authentication as legitimate. If the relayed account has administrative privileges on the target host, the relay attack gives the attacker full access to the machine, which can serve as a foothold in the target network.

Recommendation:

Require SMB signing on all hosts, where applicable, to prevent tampering with SMB communications and to defeat relay attacks. SMB signing can be configured through Group Policy but should be rolled out to groups of hosts at a time, as it may have adverse effects, especially on older operating systems.
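The check a tester runs to find relay targets is simply to read the SecurityMode field of each host's SMB2 NEGOTIATE response: a host that sets "signing enabled" but not "signing required" will accept unsigned sessions. The script below is an added example written for this page, not LMG's tooling; it builds a minimal SMB2 NEGOTIATE request, parses the response and classifies the host. It assumes the target speaks SMB2 directly on TCP 445 (an SMB1-only host will not answer with an SMB2 message and is reported as an error), and `constructed_negotiate_response` fabricates a response for offline checking rather than replaying a real capture.

```python
import socket
import struct
import sys
import uuid

# SMB2 constants from MS-SMB2 (header 2.2.1, NEGOTIATE 2.2.3 / 2.2.4)
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # SecurityMode: host supports signing
SIGNING_REQUIRED = 0x0002  # SecurityMode: host refuses unsigned sessions

# 64-byte SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command,
# Credits, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
HEADER_FMT = "<4sHHIHHIIQIIQ16s"


def build_negotiate_request(dialects=(0x0202, 0x0210)) -> bytes:
    """SMB2 NEGOTIATE request offering SMB 2.0.2 and 2.1, wrapped in a NetBIOS session header.
    Advertising SIGNING_ENABLED (but not REQUIRED) mirrors a default Windows client."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1, 0, 0,
                         0, 0, 0, 0, b"\x00" * 16)
    # Body: StructureSize(36), DialectCount, SecurityMode, Reserved, Capabilities,
    # ClientGuid, ClientStartTime (pre-3.1.1 layout), then the dialect list
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg  # NetBIOS header: type 0x00 + 24-bit length


def parse_negotiate_response(msg: bytes) -> dict:
    """Classify a raw SMB2 NEGOTIATE response (NetBIOS header already stripped)."""
    if len(msg) < 128 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message (SMB1-only host?)")
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response layout")
    required = bool(security_mode & SIGNING_REQUIRED)
    return {
        "dialect": f"0x{dialect:04x}",            # 0x0311 = SMB 3.1.1, 0x0210 = SMB 2.1
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": required,
        "relay_target": not required,             # unsigned sessions accepted -> relayable
    }


def constructed_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed sample response (not a capture from a real host) for offline checks."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize(65), SecurityMode, Dialect, Reserved, ServerGuid, Capabilities,
    # MaxTransact/Read/Write, SystemTime, ServerStartTime, SecBufOffset/Length, CtxOffset
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0)
    return header + body


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_smb_signing(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Send the NEGOTIATE to a live host and classify its answer (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        nb = _recv_exact(s, 4)
        length = int.from_bytes(nb[1:], "big")
        return parse_negotiate_response(_recv_exact(s, length))


if __name__ == "__main__":
    for target in sys.argv[1:]:
        try:
            r = probe_smb_signing(target)
            verdict = "signing REQUIRED" if r["signing_required"] else "relay target (signing not required)"
            print(f"{target}: dialect {r['dialect']}, {verdict}")
        except (OSError, ValueError) as e:
            print(f"{target}: {e}")
```

Run it as `python smbsign.py host1 host2 ...` before and after the Group Policy rollout; every host still reported as a relay target is one an attacker can land a relayed authentication on.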

Vulnerable Name Resolution Protocols

The Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBNS), and multicast Domain Name System (mDNS) protocols are name resolution services that are enabled by default on Windows networks. They generally act only as fallbacks for the Domain Name System (DNS), and they are susceptible to poisoning: when a host's configured DNS server cannot resolve a queried hostname, the host sends a broadcast or multicast query (depending on the protocol) and accepts whatever answer comes back. A malicious actor on the internal network can answer these queries with their own address, coercing the host to authenticate to the attacker's machine and revealing the user's NetNTLMv1 or NetNTLMv2 challenge-response (commonly called the NetNTLM hash). This can be cracked offline and, if the attack succeeds, reveals the user's password in cleartext. Additionally, the Web Proxy Auto-Discovery (WPAD) protocol will broadcast a query (typically over LLMNR or NBNS) for a host named “WPAD” if the DNS lookup for that name fails, and that query can be poisoned in the same manner.

Recommendation:

If possible, disable the LLMNR, NBNS, and mDNS protocols (LLMNR through Group Policy, NBNS in the WINS settings of each network adapter) and ensure a DNS server exists to resolve hostname queries. If an internal web proxy exists, ensure a DNS entry for “WPAD” exists that points to the proxy server. Otherwise, disable Internet Explorer proxy auto-detection.
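A cheap way to confirm whether a poisoner is active on a segment, or whether the disable-LLMNR/NBNS policy actually took effect on a host, is to ask for a name that cannot exist: nothing legitimate should answer, so any reply is a spoofer. The following detector is an added example written for this page, not LMG's tooling. It builds raw LLMNR (RFC 4795) and NBNS (RFC 1002) queries for a random `lmg-<hex>` hostname, sends them to the multicast/broadcast addresses the text describes, and reports every responder. The hostname prefix and the two `constructed_*_reply` functions (fabricated replies used only for the offline checks, not captures) are assumptions of the example.

```python
import secrets
import socket
import struct
import time

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795
NBNS_BCAST, NBNS_PORT = "255.255.255.255", 137  # RFC 1002
NB_RR_TYPE = 0x0020                              # NetBIOS general name service RR
DNS_A = 1


def _dns_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15-char space-padded name + suffix byte, each byte
    split into two nibbles written as 'A'..'P'. Always 34 bytes on the wire."""
    raw = name.upper().encode()[:15].ljust(15, b" ") + bytes([suffix])
    nibbles = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + nibbles + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    # DNS-style header: id, flags (plain query), QD=1, AN=0, NS=0, AR=0; then QNAME A IN
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + _dns_name(name) + struct.pack(">HH", DNS_A, 1)


def build_nbns_query(name: str, txid: int) -> bytes:
    # flags 0x0110 = recursion desired + broadcast; question type NB, class IN
    return struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0) + encode_nbns_name(name) + struct.pack(">HH", NB_RR_TYPE, 1)


def _skip_name(data: bytes, off: int) -> int:
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer
            return off + 2
        off += 1 + length


def answer_ips(data: bytes, txid: int) -> list:
    """IPs offered in an LLMNR or NBNS reply to our transaction id; [] if not a matching reply."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount = struct.unpack_from(">HHHH", data, 0)
    if rid != txid or not flags & 0x8000:  # not our id, or not a response
        return []
    off = 12
    for _ in range(qdcount):               # skip echoed question(s)
        off = _skip_name(data, off) + 4
    ips = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
        off += 10
        if rtype == DNS_A and rdlen == 4:                    # LLMNR A record
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        elif rtype == NB_RR_TYPE:                            # NBNS: (NB_FLAGS, IP) entries
            for i in range(0, rdlen, 6):
                ips.append(socket.inet_ntoa(data[off + i + 2:off + i + 6]))
        off += rdlen
    return ips


def detect_poisoner(timeout: float = 2.0) -> list:
    """Ask for a name that cannot exist; anyone who answers is spoofing (network I/O)."""
    name = "lmg-" + secrets.token_hex(4)      # honeytoken hostname, e.g. lmg-3fa9c1d2
    txid = secrets.randbelow(0x10000)
    findings = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        s.sendto(build_nbns_query(name, txid), (NBNS_BCAST, NBNS_PORT))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                data, (src, port) = s.recvfrom(4096)
            except socket.timeout:
                break
            ips = answer_ips(data, txid)
            if ips:
                findings.append({"responder": src, "port": port, "claims": ips,
                                 "protocol": "LLMNR" if port == LLMNR_PORT else "NBNS"})
    return findings


def constructed_llmnr_reply(name: str, txid: int, ip: str) -> bytes:
    """Constructed sample of a poisoner's LLMNR answer (not a capture)."""
    question = _dns_name(name) + struct.pack(">HH", DNS_A, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", DNS_A, 1, 30, 4) + socket.inet_aton(ip)
    return struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0) + question + answer


def constructed_nbns_reply(name: str, txid: int, ip: str) -> bytes:
    """Constructed sample of a poisoner's NBNS positive name query response (not a capture)."""
    answer = encode_nbns_name(name) + struct.pack(">HHIH", NB_RR_TYPE, 1, 165, 6) + b"\x00\x00" + socket.inet_aton(ip)
    return struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0) + answer


if __name__ == "__main__":
    hits = detect_poisoner()
    print(hits if hits else "no LLMNR/NBNS responses: no poisoner seen on this segment")
```

A poisoner answers with its own address for any name, so the `claims` list in each finding is the attacker's IP; running the same script from a host after the policy is applied should produce no LLMNR traffic at all, which is easy to confirm with a packet capture on UDP 5355 and 137.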

Weak Passwords

Weak passwords are the bane of any system: users tend to choose passwords that are easy to remember, and easy to remember usually means easy to guess. Malicious actors launch brute-force password guessing attacks that test credentials for many users at very high speed. These attacks often yield access to internal corporate networks and other systems because of easily guessable patterns such as the current season followed by the year, or the organization’s name followed by a 1. If an attacker retrieves password hashes, the passwords can also be cracked offline with software that performs billions of guesses per second. Complexity substitutions (changing “a” to “@” and so on) do little to strengthen a password, because cracking software applies those substitutions as rules and tries them almost as quickly as the base word. The use of weak passwords without multi-factor authentication is particularly dangerous on externally facing systems.

Recommendation:

To improve internal network security, configure all user passwords on all systems to be at least 14 to 16 characters long, and administrative account passwords to be at least 25 characters. The time required to guess or crack a password grows exponentially with its length, so the longer the better. Additionally, implementing multi-factor authentication wherever possible reduces the risk posed by weak passwords.
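The two points above (substitutions do not help, length does) can be turned into a pre-check that an audit script or password filter applies before a password is accepted. The code below is an added example written for this page, not LMG's tooling. `stem` undoes the substitutions a cracking rule set would try and strips the trailing year or digits, so “Summer2024!” and “Acm3Corp1” collapse to the season and the organization name the text warns about; `exhaustive_search_seconds` shows how each extra character multiplies the keyspace. The `COMMON_BASES` list is a constructed stand-in for a real breached-password list, and the 1e10 guesses per second figure is an assumed rate, not a measurement.

```python
import re

# Substitutions that cracking rule sets (hashcat/John "leet" rules) undo in a single pass.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "l",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
# Constructed stand-in for a breached-password list; use a real one in practice.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "changeme", "admin"}
TRAILING_DIGITS = re.compile(r"\d+$")
TRAILING_PUNCT = "!.?#*&"


def stem(pw: str) -> str:
    """Reduce a password to the base word an attacker's rules start from:
    'Summer2024!' -> 'summer', 'Acm3Corp1' -> 'acmecorp', 'P@ssw0rd123' -> 'password'."""
    s = pw.lower().rstrip(TRAILING_PUNCT)   # trailing punctuation is a standard rule
    s = TRAILING_DIGITS.sub("", s)          # so is appending a year or a digit
    return s.translate(LEET)                # and so is leetspeak substitution


def weak_password_reasons(pw: str, org_name: str = "", admin: bool = False) -> list:
    """Reasons a password would fall to guessing or cracking; [] means none of these checks fired.
    Length floors follow the recommendation above: 14 for users, 25 for administrators."""
    need = 25 if admin else 14
    reasons = []
    if len(pw) < need:
        reasons.append(f"shorter than {need} characters")
    base = stem(pw)
    if base in SEASONS:
        reasons.append("season followed by digits")
    if org_name and base == stem(org_name):
        reasons.append("organization name followed by digits")
    if base in COMMON_BASES:
        reasons.append("common base word with substitutions")
    return reasons


def exhaustive_search_seconds(length: int, charset: int = 95,
                              guesses_per_second: float = 1e10) -> float:
    """Seconds to try every string of this length over `charset` symbols (95 printable ASCII).
    Each extra character multiplies the keyspace by `charset`, which is the 'exponentially
    longer' in the text. The default rate is an assumption for a fast GPU rig against a
    fast hash, not a measurement."""
    return charset ** length / guesses_per_second


if __name__ == "__main__":
    for pw in ("Summer2024!", "Acm3Corp1", "P@ssw0rd123", "correct horse battery staple mountain"):
        print(f"{pw!r}: {weak_password_reasons(pw, org_name='AcmeCorp') or 'no pattern matched'}")
    for n in (8, 12, 16, 25):
        print(f"{n} chars: {exhaustive_search_seconds(n) / 31_557_600:.3g} years to exhaust")
```

The pattern checks catch what a real cracking run would find in seconds; the length check is what makes the exhaustive search infeasible, and the two together are why a long passphrase with no substitutions beats a short one with many.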

Unprotected or Overly Permissive Shared Folders

Shared folders often hold sensitive data, despite any internal policies that discourage it. Unprotected documents containing passwords, Social Security numbers, and financial information are not uncommon on internal network shares. Improper or missing permissions on these folders can leak sensitive data to unauthorized users or to malicious actors who have gained a foothold on the internal network. The risk is considerable, especially for shares that require no password at all, because the data on them is exactly what a malicious actor looking to commit fraud or mount further attacks is after.

Recommendation:

Ensure shared folders are configured with permissions that follow the principle of least privilege, a foundational building block of internal network security: a user should have access to a share only if that access serves a business need. A data classification policy can define how sensitive data is handled and where it may be stored. Also consider implementing a Data Loss Prevention (DLP) solution to help classify and protect sensitive data. File access logging supports investigations into unauthorized access, and encryption keeps data away from users who have no business need to see it.
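Fixing permissions starts with knowing which shares actually hold the passwords, Social Security numbers and card data the text describes, which is the same sweep a tester makes once a share is reachable. The scanner below is an added example written for this page, not LMG's tooling or a substitute for a DLP product. It walks a mounted share, flags SSN-shaped values, Luhn-valid card numbers and `password=`-style credentials, and redacts what it reports so the findings file does not become the next leak. `demo_scan` builds a throwaway directory of constructed files (not real data) so the example runs offline; point `scan_tree` at a real mount point in practice.

```python
import pathlib
import re
import tempfile

# Detection patterns. The SSN pattern rejects area numbers 000, 666 and 9xx and all-zero groups.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),          # 13-19 digits, optional separators
    "credential": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE),
}
MAX_BYTES = 10 * 1024 * 1024  # skip huge files; a content scan should not read the ISO library


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and IDs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters so the report itself does not leak the secret."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(text: str) -> list:
    """Findings in a text blob as (kind, line_number, redacted_match) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if kind == "credential" else m.group(0)
                if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                    continue  # digit run that fails Luhn is not a card number
                findings.append((kind, lineno, redact(value)))
    return findings


def scan_tree(root: str) -> list:
    """Walk a mounted share and report sensitive content per file, sorted for stable output."""
    results = []
    root_path = pathlib.Path(root)
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        if path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(errors="ignore")  # binaries decode to junk and simply miss
        except OSError:
            continue  # unreadable under our account; the point here is reachable content
        for kind, lineno, value in scan_text(text):
            results.append({"path": str(path.relative_to(root_path)), "line": lineno,
                            "kind": kind, "value": value})
    return results


def demo_scan() -> list:
    """Build a throwaway share with constructed files (not real data) and scan it."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="share-"))
    (root / "HR").mkdir()
    (root / "HR" / "onboarding.csv").write_text("name,ssn\nJane Doe,123-45-6789\n")
    (root / "it-notes.txt").write_text("vpn password = Summer2024!\nbackup card 4111 1111 1111 1111\n")
    (root / "readme.txt").write_text("Nothing sensitive: order 1234-5678, ref 4111111111111112\n")
    return scan_tree(str(root))


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```

The readme in the demo contains a sixteen-digit number that fails the Luhn check and is correctly ignored; without that check a share scan drowns in order numbers and the real findings get lost. Each hit is a file whose share permissions deserve a second look against the business need described above.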

Addressing this “low-hanging fruit” is a good first step in supporting your organization’s internal network security.

Contact us if you would like LMG Security’s experienced consultants to help identify these issues and other gaps in security through a myriad of technical and non-technical assessments.