
Global Secure Systems (GSS) penetration
testers have found a spreadsheet that held the
domain admin passwords for every server at a financial services
company, plus quotations, methodologies, terms of business and
reports from a number of the firm's competitors.
Robin Hollington, director of consulting for
GSS, which uncovered the lapse,
said the unencrypted information had been contained in a folder,
but had been protected using access rules.
"Using the access rules we had acquired at the time, we were
able to read the information, including passwords, which gave us
system administrator access to every server (several hundred) in
the organisation," said Hollington. "That level of access not only
gave us complete control of their systems, but we could have
deleted any audit trail we might have left."
Citrix users were still
leaving their companies open to data breaches, six months after GSS
had reported that poor implementations of the thin-client system
left holes in the security that surrounded it, said Hollington.
In other cases, GSS had found a company's complete disaster
recovery plan, records of all the broken locks and windows on a
housing estate, and directors' emails containing details of planned
site closures. In one case, GSS was able to write and run a Java
port scanning tool, which led to the discovery of the entire
network disaster recovery configuration and admin passwords.
Hollington said this was not an issue with Citrix itself, or the
applications, but mainly with configuration errors. "Too many
people install Citrix without comprehensive knowledge of the design
and management of the Citrix environment, and careful consideration
of how to mitigate risk," he said.
"Rule one is to implement Citrix's own guidance about how to
lock down a system - read the manual, please. Rule two is to be
meticulous in how you define and provide access to information.
Switching to role-based access is a step in the right
direction."
He said GSS had performed about 50 penetration tests, around 20
with financial services companies, and had found:
• 100% of Citrix deployments tested were vulnerable to arbitrary
code execution.
• Sensitive information was exposed in every test.
• Many of those tested were in breach of the Data Protection Act.
• Standard security procedures had not been applied to most
deployments.
Breaches are now faster, said Hollington: last year a breach
took 15 seconds; now it takes less than 10. "Even in the most
locked-down environment GSS ever encountered, we discovered five
high-risk vulnerabilities," he added. These resulted from small
errors made in configurations.
Hollington said GSS had reported its findings to Citrix.