Believe it or not, organizations are getting better at protecting network perimeters. Companies with mature security programs, such as financial institutions, usually make a point of allowing only certain ports through the firewall and hardening Internet-accessible servers to minimize attack surface. As a result, when searching for low-hanging fruit, attackers are paying closer attention to client-side vulnerabilities on internal workstations. So should you, when performing security assessments.
A client-side vulnerability often takes the form of unpatched software on a desktop or laptop. Depending on the nature of the vulnerable application, an attacker could exploit it via a specially crafted email attachment or by convincing the user to visit a malicious Web site. In either case the exploit runs with the privileges of the logged-on user, on a machine that already sits behind the perimeter firewall. Web browsers are common targets. Other attractive targets include Adobe Acrobat, Macromedia Flash, QuickTime and the Java Runtime Environment.
When assessing your organization's exposure to such threats via client-side penetration testing, you should mimic two common scenarios:
A related tactic relies on social engineering to convince the user to install a backdoor program, without bothering to exploit a software vulnerability at all. The attacker may initiate contact through an email or an instant message, enticing the victim to launch an attachment or to download and run some program. (See my related social engineering article.)
Here are three methods for testing your organization's exposure to client-side attacks during a security penetration test, listed in increasing order of intrusiveness:
If you are looking to install software on the client system in the last two scenarios, penetration testing tools such as Metasploit, CANVAS, and CORE IMPACT can be beneficial. Each offers a mechanism for targeting client-side vulnerabilities, and may also assist in generating a backdoor program for the medium-impact scenario described above.
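For the social-engineering variant, the "backdoor" the user is lured into running does not need to give the tester any control of the workstation; it only needs to prove that it ran. The following is an added example, not code from the original article and not a feature of Metasploit, CANVAS or CORE IMPACT: a stand-in program that reports the campaign ID, hostname and username to a collector the tester controls and then exits, plus the collector itself. The collector address, the campaign ID and the hostnames are illustrative assumptions.

```python
"""Harmless stand-in for the backdoor in a social-engineering test.

Added example; not the article's code and not part of any of the named
tools. The program a user is lured into running does one thing: it reports
that it ran (campaign ID, hostname, username) to a collector the tester
controls, then exits. That measures how many users execute an unknown
program while keeping the test low-impact. The collector address and the
campaign ID are illustrative assumptions.
"""
import getpass
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

CAMPAIGN_ID = "client-side-test-01"   # assumed label for this test run
FIELDS = ("campaign", "host", "user")  # all the collector is allowed to keep


def parse_report(raw: bytes):
    """Validate a beacon body.

    Returns a dict holding only the expected fields (truncated, so a
    malicious client cannot fill the log), or None if the body is not
    what the beacon sends.
    """
    try:
        report = json.loads(raw.decode("utf-8"))
        return {k: str(report[k])[:128] for k in FIELDS}
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return None


class Collector(HTTPServer):
    """Stores one entry per beacon under a lock; nothing is executed."""

    def __init__(self, address):
        super().__init__(address, _Handler)
        self.reports = []
        self.lock = threading.Lock()


class _Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        entry = parse_report(self.rfile.read(length))
        if entry is None:
            self.send_response(400)
        else:
            with self.server.lock:
                self.server.reports.append(entry)
            self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the collector quiet


def start_collector(port=0):
    """Run the collector in a background thread; returns (server, beacon URL)."""
    server = Collector(("127.0.0.1", port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/beacon" % server.server_address[1]


def beacon(url, campaign=CAMPAIGN_ID, host=None, user=None):
    """What the stand-in backdoor does when launched: one POST, then exit."""
    body = json.dumps({
        "campaign": campaign,
        "host": host or socket.gethostname(),
        "user": user or getpass.getuser(),
    }).encode("utf-8")
    req = Request(url, data=body, headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=5) as resp:
        return resp.status


def tally(reports, campaign=CAMPAIGN_ID):
    """Distinct hosts on which the program ran: the number for the report."""
    return sorted({r["host"] for r in reports if r["campaign"] == campaign})


if __name__ == "__main__":
    server, url = start_collector()
    beacon(url)                                 # this machine "falls for it"
    beacon(url, host="WKS-002", user="jdoe")    # constructed second victim
    print(tally(server.reports))
    server.shutdown()
```

Keeping the program this limited is what makes the medium-impact scenario defensible: the report shows which workstations executed an unsolicited binary, which is the metric you want, without leaving a real remote-control channel on user machines. In a real engagement the collector would listen on a host the testers own and the beacon would be wrapped in whatever lure the scenario calls for.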
Assessing an organization's exposure to client-side threats via penetration testing is not for everyone. If you cannot justify a penetration test that employs the methods described earlier, at least examine the workstations to identify missing patches. Such a vulnerability assessment may lack the pizzazz of attempting to plant a backdoor; however, it will highlight the type of vulnerabilities an attacker may target via client-side techniques. Your examination should cover not only Microsoft software but also applications from vendors such as Adobe, Apple and Sun. The third-party applications are the ones most likely to be behind, because Microsoft's update services do not patch them, so do not assume that a workstation current on Windows updates is current overall.
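The patch-level check above comes down to comparing each installed version against the lowest version you consider patched, and the usual mistake is to compare version strings as text, which ranks "9.10.0" below "9.3.2". The following is an added example, not code from the original article: it parses versions in the dotted and Java-style "1.6.0_20" forms into numeric tuples, flags installs below the baseline, and counts them per product. The inventory and the baseline versions are constructed for illustration, not real release data; a real run would take the inventory from the workstations (for instance the Windows Uninstall registry keys) and the baseline from the vendors' current releases.

```python
"""Flag workstation software that lags a minimum patched version.

Added example, not from the original article. The inventory and baseline
below are constructed for illustration; the version numbers are not real
release data.
"""
import re
from typing import Dict, List, Tuple

# Constructed baseline: lowest version considered patched for each product.
BASELINE: Dict[str, str] = {
    "Adobe Reader": "9.3.2",
    "Adobe Flash Player": "10.0.45.2",
    "QuickTime": "7.6.6",
    "Java Runtime Environment": "1.6.0_20",
}

# Constructed inventory of (hostname, product, installed version), as an
# inventory script or agent would report it.
INVENTORY: List[Tuple[str, str, str]] = [
    ("WKS-001", "Adobe Reader", "9.3.2"),
    ("WKS-001", "Java Runtime Environment", "1.6.0_7"),
    ("WKS-002", "Adobe Reader", "9.10.0"),
    ("WKS-002", "Adobe Flash Player", "10.0.12.36"),
    ("WKS-003", "QuickTime", "7.6.6"),
    ("WKS-003", "Java Runtime Environment", "1.6.0_20"),
    ("WKS-003", "Notepad++", "5.6.8"),   # not in the baseline: ignored
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.2', '10.0.45.2' or Java's '1.6.0_20' into a tuple of ints.

    Comparing tuples of ints is the point: a plain string comparison ranks
    '9.10.0' below '9.3.2', which would wrongly flag a patched host.
    Non-numeric pieces (e.g. a '-b02' build tag) are dropped.
    """
    parts = re.split(r"[._-]", text.strip())
    return tuple(int(p) for p in parts if p.isdigit())


def is_outdated(installed: str, minimum: str) -> bool:
    """True if installed < minimum, padding with zeros so that
    '9.3.2' and '9.3.2.0' compare as equal."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_missing_patches(inventory, baseline):
    """Return (host, product, installed, minimum) for each outdated install."""
    findings = []
    for host, product, installed in inventory:
        minimum = baseline.get(product)
        if minimum is None:
            continue  # product not tracked by this baseline
        if is_outdated(installed, minimum):
            findings.append((host, product, installed, minimum))
    return findings


def summarize(findings):
    """Outdated installs per product: the metric worth tracking over time."""
    counts: Dict[str, int] = {}
    for _, product, _, _ in findings:
        counts[product] = counts.get(product, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_missing_patches(INVENTORY, BASELINE)
    for host, product, installed, minimum in results:
        print("%s: %s %s is below %s" % (host, product, installed, minimum))
    print(summarize(results))
```

Run as-is it reports the Java install on WKS-001 and the Flash Player on WKS-002, and leaves WKS-002's newer Adobe Reader alone. The per-product counts are the numbers to carry into the prioritization discussed below: a product that is out of date on most workstations is a better client-side target than one that is current everywhere.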
As attackers shift their tactics toward client-side vulnerabilities, organizations must keep up by assessing their exposure to such threats. By incorporating client-side testing into your security assessments, you will be able to collect metrics that will help you prioritize your security-improvement efforts.
Authored by Lenny Zeltser. Lenny is a seasoned business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter, read his blog and circle him on Google+.
Copyright © 1995-2013 Lenny Zeltser. All rights reserved.
The information on this site does not necessarily represent positions or opinions of my employer.