Enterprise IAM Assessments

Today’s enterprise has become an array of tools, systems and applications as businesses continue their drive for efficiency, cost cutting, and competitive advantages. In time this has led to a lack of concern for security for many enterprises. The short term it makes sense as revenue is going to keep the business going and growing. The problem with this approach is many businesses have ticking time bombs yet undiscovered. There are a few new risks that have been introduced with the ever growing reliance on the cloud.  The other real issue is many of these “threats” detailed below aren’t ones that take a dark web hacker to do, but any savvy IT user can perform. I’ll review some that should be assessed in any environment and give you an idea on how to prevent these threats.

To start I’ll give an example of an application most enterprises rely on heavily which is ServiceNow. It’s a tool that has slowly grown over the years into a behemoth for IT departments. The wealth of knowledge it holds should make it a first target for any attacker. One, almost everyone in an organization will have access to it and taking over a users account is usually trivial for most hackers. (I believe there was an article online where some enterprise accounts sell for a few dollars) Next they can slowly recon much of your IT and enterprise data through the tool. A simple escalation to an ITIL role will present even more information about the various applications and methods for accessing them in the environment. Even better is when you find plain text passwords in tickets for privileged accounts. Next you can start finding sensitive attachments and downloading them easily since it’s a internet accessible application. In most cases enterprises won’t even know your actions until its too late. In the end ServiceNow is a great place for an attacker to start and recon their next steps. They will become familiar with the IT environment learn of the processes and better be prepared for their next action. It is good to check what type of security is in place. i.e. do they have adaptive detection, device ids, ip checks, splunk, or any other security tools used to detect malicious behavior. From there it will allow you to know how evasive you must be. There is not much an organization can do to stop this as account takeovers are inevitable and user errors led to data available on SN which should have been scrubbed or controlled better through IAM.

Next is Github or any other code repository accessible in the cloud. Many organizations lack access controls around team repositories. A simple search in Github will return all repos available to the organization. While these aren’t public online they are still public to anyone working at the same company. Better yet you should start searching for passwords with the correct syntax. Even better is when you find one that is removed you just browse to the commit history and find the changelog with the hardcoded password. Developers need to be taught updating the master code doesn’t mean that it is gone forever. Next you can start downloading the gigabytes of repos through your browser of course using evasive matters or mostly likely it wont matter since the enterprise doesn’t have DLP controls for Github. CASBs are relatively new still and are definitely something organizations should look into to prevent these threats. Another option is to create some api keys and start downloading the source code through the API endpoints. For even more nefarious actions you can take the step further and dig through the repos to find sensitive applications. Now that you have the source code its possible to run it through some static code analysis to find basic vulnerabilities or even locally setup the app since there exists a devops process and start dynamically testing the app. From there if you are lucky you will find a XSS or some other vulnerability (wait for a CVE as many apps run on open source frameworks) that will allow you to infect the app which in turn will infect all visiting users. From there more lateral movements can be made and specifically targeting the executive level will bring in more return. Next, with the advent of devops its become even more important that you are securing the entire process to make sure this exploit can not happen. Separating even your DB from your app code is a simple segregation that could add another block for an attacker. At this point an attacker would have enough fire power to do serious damage to an organization.

Next applies to usually any cloud hosted app as I have seen the use of SSO and WAF. A few applications you will be able to access via the IP directly which should let you bypass many security controls. You can enter in the IP of the app in your browser and start scanning for more issues. This is why it is extremely important for your firewall or loadbalancer to whitelist certain IPs and deny everything else. Googles Identity Proxyaware and Cloudflare are two examples that definitely require this setup. Some companies without robust networking teams will forget this during development and it can lead to bypassing your security. Another important thing to remember is that there are ways to find the server IP and don’t think someone will never know it and make sure to not even trust internal IPs in your network unless its required.

In the end these are all simple checks that can be done in about a day with some automation that can greatly reduce risk to the enterprise. The key for businesses is to not miss the easy checks and be exposed to limitless issues in the future. Spending all your budget defending the perimeter won’t help much once an attacker is inside your enterprise.