Cyber attack video simulations: NEVER trust default security settings again

If you work in an organization that values its digital data and a good relationship with suppliers, partners and customers, I am willing to bet you have a number of cyber defenses in place.

Your web access will be likely protected by a robust firewall. Your wireless can perhaps only be accessed via a unique login. Maybe you even encrypt data that you store.

I bet you also ensure vulnerabilities are patched regularly, and you even reply on the default security settings in apps. After all, if the makers recommend them, surely they are optimized for performance and security?

Wrong. And we can prove it.

TBG’s Offensive Security expert Ryan has created a video series showing organizations how vulnerable they may be to a targeted attack – risking the theft of valuable and confidential data – if they choose to rely on default security settings.

Without relying on zero-day exploits or known vulnerabilities, Ryan created a handful of attack simulations on the popular log aggregation and correlation engine, Splunk.

“Turns out many IT administrators rely on Splunk’s default security configurations, assuming the default settings are strong enough to thwart cyber attacks.They’re not,” says Ryan.

The purpose of his research is to show IT administrators how easily someone with a motive and intermediate cyberattack skills can bypass default security settings.

The goal is to encourage the IT teams to review their security strategy, which is why we pulled together the following expert IT security recommendations. 

Top tips for securing your Splunk installation

• When architecting and deploying Splunk, security ought to be a top consideration. Here are a few tips:
• Deploy Splunk from trusted media source downloaded directly from splunk.com.
• Validate the hash of the file you are installing using MD5 or SHA and match it against Splunk’s claims.
• Follow the principles of least privilege and deploy the software suite using a non-root user account.

Top tips for securing your network

Splunk needs access to machines to receive and collate logs, but it doesn’t require unrestricted and unmonitored access.

• Restrict network communication to just the required ports.
• Segregate the Splunk server from the rest of the corporate network.
• Monitor communications and logs and have them reviewed regularly by security experts, be they staff or a consultant.
• Limit access to the CLI security to only local connections to prevent attackers from remotely querying the Splunk server using API calls.
• Prevent attackers from perform Man-In-The-Middle attacks by enabling SSL on the Splunk Application.

Top tips for securing your accounts

The “Administrator” accounts hold the master keys to the kingdom – not just for the Splunk installation itself, but access to all the data Splunk is parsing, as well as access to the systems running universal forwarders. Implement the following policies across the organisation:

• Educate users on security IT practices and enforce its use on the network.
• Enforce the use of complex and unique passwords.
• Enable multi-factor authentication (or 2fA) [Splunk now supports two-factor authentication using Duo as of version 6.5 of the Splunk Server software.]

Top tips for monitor your environment

IT Security staff need to be intimately aware of the environment architecture, continuously monitoring for anomalies, threats or suspicious behaviour. This offensive approach acts as a vital line of protection, sniffing out potential problems and abnormalities before they cause damage to the system, data, users or organisation.

• Create a strict monitoring policy of the Splunk application and its many communications.
• Regularly perform an advanced penetration test against internal and external threat agents to uncover any vulnerabilities. https://tbgsecurity.com/penetration-testing-services/

TBG Security: Resources and information

• Offensive Security services: Red Team
• TBG Security Penetration Testing

If you are concerned about your Splunk installation and want to discuss how to test, assess or remediate it, get in touch. Our team’s certified Splunk experts know how to architect secure and scalable Splunk installations.  Go on – put them to the test!