Protected by (in)Security Tools
I was at my local ISSA meeting listening to a vendor talk about their security device. The first part of the slide deck was the marketing piece: this device will protect you from all attacks, allow you to control your network and alert you to any shenanigans.
I really liked this tool, but I believe in "trust but verify." He said that you could install an agent on every machine (meh) or you could use the new and improved agentless deployment option. Using remote procedure calls, the device would authenticate to the machine and perform compliance checks against a pre-defined security policy. It would do this on a periodic basis.
Me: So to clarify, the device uses a SINGLE login to access EACH machine it encounters on the network.
Vendor: Yes, usually a domain admin account. We don't recommend using an Enterprise Admin account.
Me: No $hit, I don't recommend this either. So what about kidnapping the tokens?
Vendor: We don't log into the machine, we just run code on it.
Me: I can steal the token with incognito and I will have domain admin rights. Your "security tool" just compromised every machine on the network.
I explained it to one of the people in the room who uses his product. I haven't heard back from him in a week because he is probably removing that garbage from all of his machines.
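An added example, not code from the post or from the vendor's product: a small Python triage script run over constructed Windows Security 4624-style logon events. The account CORP\svc_compliance, the appliance name SCANNER01, the host names and the addresses are all hypothetical. It answers the two questions the exchange above raises: on which hosts has the scanner's shared privileged account logged on (every one of them now holds a token for it), and has that account been used from anywhere other than the appliance, which is what a stolen token looks like from the log side.

```python
# Added example, not from the original post or the vendor's product.
# The account, host names and addresses are hypothetical; the event lines are
# constructed to resemble Windows Security event 4624 (successful logon) fields.
import re

# Constructed sample log. LogonType 3 = network (RPC/SMB), 2 = interactive,
# 10 = RemoteInteractive (RDP). The appliance SCANNER01 authenticates as the
# domain admin service account to every host it can reach.
SAMPLE_LOG = """\
4624 LogonType=3 Account=CORP\\svc_compliance TargetHost=WS-001 SourceHost=SCANNER01 SourceIP=10.0.0.5
4624 LogonType=3 Account=CORP\\svc_compliance TargetHost=WS-002 SourceHost=SCANNER01 SourceIP=10.0.0.5
4624 LogonType=3 Account=CORP\\svc_compliance TargetHost=FS01 SourceHost=SCANNER01 SourceIP=10.0.0.5
4624 LogonType=3 Account=CORP\\svc_compliance TargetHost=DC01 SourceHost=SCANNER01 SourceIP=10.0.0.5
4624 LogonType=2 Account=CORP\\jsmith TargetHost=WS-002 SourceHost=WS-002 SourceIP=127.0.0.1
4624 LogonType=3 Account=CORP\\svc_compliance TargetHost=DC01 SourceHost=WS-002 SourceIP=10.0.1.17
4624 LogonType=10 Account=CORP\\svc_compliance TargetHost=FS01 SourceHost=WS-002 SourceIP=10.0.1.17
"""

LINE_RE = re.compile(r"^(?P<event_id>\d+)\s+(?P<fields>.*)$")


def parse_event(line):
    """Parse one constructed event line into a dict; None for blank or malformed lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = {"event_id": int(match.group("event_id"))}
    for token in match.group("fields").split():
        key, sep, value = token.partition("=")
        if not sep:
            return None  # field without '=' is not something we trust
        event[key] = int(value) if key == "LogonType" else value
    return event


def parse_log(text):
    """Parse every usable line of the log, silently skipping garbage."""
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def exposed_hosts(events, account):
    """Every host the account has logged on to: each one has held a token for it."""
    return sorted({e["TargetHost"] for e in events
                   if e["event_id"] == 4624 and e["Account"] == account})


def reused_credential(events, account, expected_sources):
    """Logons by the scanner account that did not originate from the appliance."""
    return [e for e in events
            if e["event_id"] == 4624 and e["Account"] == account
            and e["SourceHost"] not in expected_sources]


def non_network_logons(events, account):
    """A scanning account should only ever produce network (type 3) logons."""
    return [e for e in events
            if e["event_id"] == 4624 and e["Account"] == account
            and e["LogonType"] != 3]


def triage(text, account, expected_sources):
    """Summarise the exposure and the reuse indicators for one account."""
    events = parse_log(text)
    return {
        "exposed_hosts": exposed_hosts(events, account),
        "reused_from": [(e["SourceHost"], e["TargetHost"]) for e in
                        reused_credential(events, account, expected_sources)],
        "non_network": [(e["LogonType"], e["TargetHost"]) for e in
                        non_network_logons(events, account)],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, "CORP\\svc_compliance", {"SCANNER01"})
    print("hosts that have held a token for the scanner account:", summary["exposed_hosts"])
    print("scanner account used from somewhere other than the appliance:", summary["reused_from"])
    print("non-network logons by the scanner account:", summary["non_network"])
```

Real 4624 events carry these values in fields such as Logon Type, Workstation Name and Source Network Address; the parser here only understands the constructed format. A network logon (type 3) and an interactive or RDP logon (types 2 and 10) leave different kinds of tokens behind on the target, so the script also flags any non-network logon by the scanning account even when it came from the appliance.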
Today I saw a tweet talking about UNITED Summit and HD Moore's presentation.
RT @RealGeneKim: #UNITEDSummit: @hdmoore: pointing out that security tools often vector to shells, due to Windows auth mechanisms. Ouch
This is a problem with many tools in the marketplace. I do have to admit, until the gaping hole was noted, I did like the product. Hopefully they get 2.0 out soon!