Wednesday, November 25, 2020

Misadventures in operational security


This week on our blog, we have a guest post from Mark Wee, Senior Security Consultant, Offensive Security, at NTT Security.

Organisations today spend a disturbing amount of money trying to secure their environments with technologies such as APT/SIEM/DLP solutions, and on teams such as IR, intelligence and offensive security teams, but with questionable effectiveness.

Over and over again, the security community has preached that operational security awareness is imperative to an effective security program.

A recent example highlighted the need for teams and organisations to be well aware of their operational security risk while having valid communication pathways for individuals to report potential findings.

Not too long ago, my team stumbled upon a bunch of IT infrastructure assets sitting unsecured by the roadside. These assets carried tags showing IP addresses and network share mappings, and potentially sensitive documents were sitting in the printer trays. All of it was in full view of anyone who might want to get a better understanding of how the organisation’s internal IT infrastructure was set up.

What we noticed was that a bunch of the printers had tags indicating they were directly connected to the public internet (?!) and were likely to contain sensitive information, which prompted us to grab a couple of pictures surreptitiously.

These assets were later determined to be part of an office move by an external vendor.

Exhibit 1: [photo]

Exhibit 2: [photo]

Back in the office, it was relatively easy to look up the IP addresses with open source tools like WHOIS to identify the organisation they belonged to, while getting a clearer understanding of potential attack vectors.
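The same WHOIS record that tells you who owns an address block is also where the owner is supposed to publish a reporting contact (the abuse mailbox), which is the first place a finder should look before resorting to Twitter or LinkedIn. The following is an added example, not code from the post or from NTT Security: a small parser for the key/value style used by the regional registries, with a constructed record for the documentation range 203.0.113.0/24 (the organisation, handles and addresses in it are made up). It pulls out the organisation name, the netname and the abuse contact, and reports when no abuse contact is published at all.

```python
"""Extract the owning organisation and abuse contact from a WHOIS record.

Added example (not from the original post). The record below is a
constructed sample in the RIR key/value style; 203.0.113.0/24 is an
IETF documentation range, not a real assignment, and every handle,
name and address in it is made up.
"""
import re

SAMPLE_WHOIS = """\
% Constructed sample record for illustration only.

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-OFFICE-NET
descr:          Example Org Pte Ltd, head office
country:        SG
org:            ORG-EX1-TEST
admin-c:        EX123-TEST
abuse-c:        AB456-TEST
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
last-modified:  2020-01-01T00:00:00Z
source:         TEST

organisation:   ORG-EX1-TEST
org-name:       Example Org Pte Ltd
org-type:       LIR
address:        1 Example Road, Singapore
source:         TEST

role:           Example Abuse Desk
nic-hdl:        AB456-TEST
abuse-mailbox:  abuse@example.org
source:         TEST
"""

# Matches a plain e-mail address anywhere inside a field value.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_whois(text):
    """Split a WHOIS response into objects.

    Objects are separated by blank lines; lines starting with '%' or '#'
    are server comments. Each object becomes a dict of lower-case key ->
    list of values, so repeated keys (e.g. several 'descr:' lines) survive.
    """
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith(("%", "#")):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # continuation or junk line; ignore
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def first(obj, key):
    """First value of a key in one object, or None."""
    vals = obj.get(key)
    return vals[0] if vals else None


def owner_and_contact(text):
    """Return {'org', 'netname', 'abuse'} for a WHOIS response.

    Handles both RIPE/APNIC style keys (org-name, abuse-mailbox) and ARIN
    style keys (OrgName, OrgAbuseEmail). 'abuse' is None when the owner
    publishes no abuse contact, which is itself worth knowing.
    """
    objs = parse_whois(text)
    org_name = netname = abuse = None
    for o in objs:
        netname = netname or first(o, "netname")
        # A dedicated organisation object wins over the free-text descr.
        org_name = (first(o, "org-name") or first(o, "orgname")
                    or org_name or first(o, "descr"))
        abuse = abuse or first(o, "abuse-mailbox") or first(o, "orgabuseemail")
    if abuse is None:
        # Fallback: any address whose local part mentions abuse.
        for o in objs:
            for vals in o.values():
                for v in vals:
                    m = EMAIL_RE.search(v)
                    if m and "abuse" in m.group(0).lower():
                        abuse = m.group(0)
    return {"org": org_name, "netname": netname, "abuse": abuse}


if __name__ == "__main__":
    result = owner_and_contact(SAMPLE_WHOIS)
    print(result)
    if result["abuse"] is None:
        print("No abuse contact published; fall back to the organisation's own channels.")
```

In practice you would feed this the output of `whois <address>` for the address seen on the tag; the parser is format-tolerant rather than registry-specific, so a missing abuse mailbox is reported rather than crashing the lookup.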

We did try to reach out to the affected organisation but ran into difficulties, as there was no direct contact for the security team. Attempts to communicate the findings over their official Twitter account were ineffective; at some point we were directed to a hotline, and promised follow-ups over email went ignored after we requested communication over PGP.

The issue was finally reported and resolved through an acquaintance who works at the affected organisation, reached over LinkedIn, but it really shouldn’t be this difficult to report a potential security issue.

In closing:

  • Organisations must develop better pathways for identifying and sensing lapses in operational security.
  • Properly manned communication channels (Twitter/email) for the public to report potential security incidents.
  • A valid PGP key for secure communications.
  • An understanding of the risk when engaging third party vendors who are not “security people” or do not have the right risk mitigation controls.
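The second and third points have a standard, machine-readable form that the post does not mention: a security.txt file (RFC 9116) served at /.well-known/security.txt, whose Contact and Encryption fields publish exactly the reporting address and PGP key a finder needs. The block below is an added example, not from the post or NTT Security; it checks a security.txt for the things that went wrong in the story (no contact, no way to use PGP, a stale file). Both files it checks are constructed, example.org is a placeholder domain, and REFERENCE_NOW pins the clock so the result does not change with the date you run it.

```python
"""Check a security.txt file (RFC 9116) for what a reporter actually needs.

Added example, not from the original post. Both files below are
constructed; example.org is a placeholder domain and REFERENCE_NOW pins
the clock so the result is reproducible.
"""
from datetime import datetime, timezone

# Fixed "current time" for the demo; pass now=None to use the real clock.
REFERENCE_NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)

GOOD_FILE = """\
# Constructed sample: a usable security.txt
Contact: mailto:security@example.org
Contact: https://example.org/report-a-vulnerability
Expires: 2021-12-31T23:59:59Z
Encryption: https://example.org/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
"""

STALE_FILE = """\
# Constructed sample: expired, and no way to report over PGP
Contact: https://twitter.com/example_org
Expires: 2020-06-30T00:00:00Z
"""


def parse_security_txt(text):
    """Return field name (lower-case) -> list of values; comments and blanks skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expiry(value):
    """Parse the RFC 3339 timestamp used by Expires ('Z' accepted on Python 3.7+)."""
    v = value.strip()
    if v.endswith(("Z", "z")):
        v = v[:-1] + "+00:00"
    dt = datetime.fromisoformat(v)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means a reporter can use the file."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = []

    contacts = f.get("contact", [])
    if not contacts:
        problems.append("no Contact field")
    for c in contacts:
        # RFC 9116 requires a URI; mailto:, https:// and tel: are the usual ones.
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append("Contact is not a mailto:, https:// or tel: URI: " + c)

    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            if parse_expiry(expires[0]) < now:
                problems.append("Expires is in the past: " + expires[0])
        except ValueError:
            problems.append("Expires is not an RFC 3339 timestamp: " + expires[0])

    enc = f.get("encryption", [])
    if not enc:
        problems.append("no Encryption field: a reporter cannot send findings over PGP")
    for e in enc:
        if not e.startswith(("https://", "openpgp4fpr:", "dns:")):
            problems.append("Encryption must be an https://, dns: or openpgp4fpr: URI: " + e)
    return problems


if __name__ == "__main__":
    for label, content in (("good", GOOD_FILE), ("stale", STALE_FILE)):
        print(label, check_security_txt(content, now=REFERENCE_NOW) or "OK")
```

The check only tells you whether a channel is published and well-formed; whether the mailbox behind it is actually manned, which is the gap the post ran into, still has to be tested by sending a message and watching the clock.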