Qualys Blog

www.qualys.com
wkandek

Verizon Data Breach Report and what you can do about it

Verizon Business published their annual data breach report for 2008 in mid april 2009 (h). It is excellent reading and has a wealth of interesting data on 90 forensic investigations for a total of 285 Million compromised records. Verizon states (pg. 18) that roughly 4 out of 10 attacks are executed through poorly secured Remote Access and System Management Applications. This refers to applications such as Windows RDP, Citrix, VNC and PC Anywhere, but also telnet and SSH. Attackers scan for these applications on the internet and log in using default or easily guessable passwords. Once on the machine they install a malware (i.e. a backdoor and a sniffing application), if necessary using a local exploit to become administrator or root. The Malware can then capture data on the network such as Credit Card numbers and search for profitable data on local and remote drives and databases and monitor keystrokes for usernames and passwords. At BlackHat US 2008 there was a PCI session where a restaurant owner told his breached story and it sounded very similar (PC Anywhere, user: POS password: POS).

Companies can address this scenario by scanning their entire perimeter IP range and reporting on Remote Access applications found. Any of the available scanning tools should be able to do this. In QualysGuard QID 42017 "Remote System Mgmt Application detected" can be used to generate a list of all machines that have a Remote Access application enabled. Currently QID 42017 scans for Windows RDP, Citrix, VNC, PC Anywhere, telnet, SSH and radmin on standard and non standard ports. So launch a scan on your perimeter and report on QID 42017 to see if there are any unexpected instances.

For information about the setup steps for the scan or report and how to further drill down on the information using the QualysGuard Asset Search Portal, please contact your TAM or Qualys Support.

Leave a Reply