Jesper Johansson gave a session on the Anatomy of a Network Hack: How to get your network hacked in 10 easy steps. He set up a local network with several machines and hacked his way in through a SQL injection attack, on through an outer domain controller to the corporate domain controller, and took over the entire network. He used several command-line tools and several built-in Windows tools to accomplish the hack. The guy next to me got very depressed and declared after the talk, “I’m going to unplug all my servers.” Security is a very real concern, and IT Pros need to be experts on security, but the problem is that if you don’t know how to hack, you don’t know how to secure against those hacks. I don’t pretend to know a lot of hacks, but I’ve committed to knowing application security. If the server on which my application runs is vulnerable, then we may be sunk anyway. It was a great session, and Jesper is a great speaker.
How to get your network hacked in 10 easy steps:
1. Don’t patch anything.
2. Run unhardened applications.
3. Use one admin account, everywhere.
4. Open lots of holes in the firewall.
5. Restrict internal traffic.
6. Allow all outbound traffic.
7. Don’t harden servers. Run them in the default configuration.
8. Reuse your passwords everywhere.
9. Use high-level service accounts in multiple places.
10. Assume everything is OK.