Cyber Essentials basic achieved

I’m pleased to say that we’ve now achieved Cyber Essentials basic level with our chosen suppliers, SureCloud. Onwards to the Plus level now.

Active Directory password audit using Kali

Following on from my recent security education, I recently performed an internal security audit of Active Directory passwords on my Kali build. There are many tutorials online for this (and if you’re a domain administrator, give it a go, it’s fun).

I had a couple of issues, but by cobbling together instructions from various places I managed to get what I wanted (and found that about 40 members of staff had a password that featured the company name, now rectified).

I am unfortunately too lazy to write my own detailed post on how to do it, but the resources I used were:

https://blog.didierstevens.com/2016/07/13/practice-ntds-dit-file-part-2-extracting-hashes/

https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/

http://security.sunera.com/2014/05/starting-active-directory-password.html

https://github.com/libyal/libesedb/wiki/Building#source-distribution-package

https://github.com/pentestgeek/smbexec/issues/127

Sec-1 Seminar

I recently attended a seminar on security presented by Holly at Sec-1 – she started with external, covering off injection attacks, pivoting to internal systems, and then talked about compromising from the inside. She also went through some interesting stuff about physical access to buildings and in particular server rooms.

It was a good talk, and I thoroughly enjoyed hearing what she had to say and seeing some ‘live’ attacks. Holly gave some great tips about things that can be done to further secure existing networks (which I’ll probably go away and do now), but in addition to that she did effectively say that she’s managed to get access into any system she’s tried; a bit like a domestic burglary, if someone wants what you have badly enough, they’ll find a way to get it.

What’s particularly interesting about the new wave of information attacks is that due to the number of automated tools now, one doesn’t have to be an expert to be able get some data out of a system and have a good root around – almost anyone can do it.

For me though, the biggest takeaway was about password re-use. Holly mentioned in particular watering hole attacks: why bother breaking into a company when you can instead target a website that they use, break into that, and find that the vast majority of the users will have re-used the same password on the site you’ve accessed as on their company network.

Of course there’s a nice little xkcd comic all about it.

The only drawback was that they took us to the less-nice Marriott in Bristol…


Cyber Essentials

In line with plans from a few years ago, and a recent drive from Governmental departments, I’ll be leading the organisation through our attempts to become Cyber Essentials accredited, first the ‘normal’ version, and then hopefully onto the ‘Plus’ version shortly after.

The good news is that we have a lot of the infrastructure in place to enable this to happen, so the changes will be in the majority about process and people rather than about redeveloping what we already have.