Often when his company investigates intrusions, they find that the perimeter public web servers are not compromised themselves. Rather, SQL injection attacks are performed against vulnerable websites hosted on them, and these are used to exploit the back-end database servers (via the xp_cmdshell MSSQL stored procedure, for instance). In addition to holding the actually valuable data, the database servers are often less isolated from the rest of the network and so readily facilitate deeper intrusions.
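A defensive counterpart to the SQL-injection-to-xp_cmdshell pivot described above, added here as an example and not taken from the presentation or the original post: T-SQL that audits whether xp_cmdshell is enabled, disables it, and checks that the web application's database login is not a member of sysadmin. It assumes a sysadmin connection; the login name webapp_login is a placeholder.

```sql
-- Added example (not from the presentation or the original post): audit and
-- harden a SQL Server instance against the SQL-injection-to-xp_cmdshell pivot.
-- Assumes a sysadmin connection; 'webapp_login' is a placeholder for the
-- web application's database login.

-- 1. Check whether xp_cmdshell is currently enabled (value_in_use = 1 means on).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Disable it. 'show advanced options' must be on to change the setting;
--    it is turned back off afterwards so advanced options stay hidden.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. List principals that hold sysadmin. The web application's login should
--    not appear here: without sysadmin, an injected query cannot re-enable
--    xp_cmdshell through sp_configure even if the website is injectable.
SELECT name
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 4. If the web application's login is in sysadmin, remove it
--    (ALTER SERVER ROLE syntax is SQL Server 2012 and later).
ALTER SERVER ROLE sysadmin DROP MEMBER webapp_login;
```

Disabling xp_cmdshell closes only this one pivot; the injectable website itself still needs to be fixed with parameterized queries, and the application login should hold only the database permissions it actually needs.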
Another point that I found interesting from the presentation is that these days very few intrusions use a vulnerable service as the initial attack vector. This situation is certainly a drastic change from several years ago when IIS exploits were once very common. These days the most common initial attack vectors (when they're known at all) are SQL Injection and client application exploits.
In addition, very few of the intrusions that Kris's company responded to were discovered via anti-virus software or IDS systems. More often than not, a company's IT staff learn of an intrusion through complaints from customers, other victims, or law enforcement. IDS systems often produce such vast quantities of unimportant alerts that actual attacks get lost among them, if the IDS sees the attack at all. It is vital to configure an IDS to raise alarms only when true attacks occur, rather than to "cry wolf" and train staff to ignore its output.
