Dark side of the “worst security audit ever”

Editor’s note: Originally, this story was going to be written from the perspective of how to defend a network on a budget of nothing. We felt that this different angle would make the story more relevant to a larger audience.

People who work in IT probably all have their horror stories of the “worst network they’ve ever seen”. Whether they’re taking over for someone else or doing an audit, they’ve all seen networks that were in such poor shape that it blows their mind. What self-respecting IT person could possibly oversee such an open invitation to steal data? They have to be incompetent, right? In this story we are trying to show you the other side of things. This is the story of how a company’s network was gradually dismantled by poor decisions, which was then sold as incompetence on the IT person’s behalf because the company didn’t want to face the reality of who was responsible.

This story begins with a man who had been working for an SMB for nearly a decade. Things had not been going well for the company due to systematic and symptomatic problems that plagued the company and its decision-making. We start this story at the very end. Suffering from mental health problems, the IT person decided to resign from his job. While in the middle of his notice period, he was suddenly removed from the office for questionable reasons.

Immediately after he was fired (“You can’t resign, you’re fired right now!”) there was an evaluation of what he had left behind. In fact, they’d started to do that evaluation the very same day he got kicked out of the office. The network was “evaluated” by a “qualified” “IT expert”, who came to the conclusion that the entire IT infrastructure was a complete mess. Afterwards, the IT man was called a few choice things by his former employer, who was more than happy to violate the understanding that they wouldn’t sue each other over The Event. Dishonest, incompetent and a few other terms that disqualified him both as an employee and person were used – and spread to anyone who wanted to hear them.

The “expert” had “discovered” a network that was undeniably in a poor state. Nothing was up to standard.

It is widely accepted that the expert in this story is not, in fact, an expert on all things security.

Servers were running an outdated OS, and the same was true for all the desktops. While a few of them ran Windows 7 some were still running Windows Vista with no clear path to upgrade as the equipment was too old. The expert falsely claimed that no devices were running any form of anti-virus. There was a firewall which also scanned the traffic for threats and malware but its license had expired years ago.

There was also no proper back-up procedure in place, because no software was found on the server(s).

And to make matters worse, there was a huge insider threat because the IT man was sabotaging them by not handing over the network credentials.

From an “expert” POV it looked like the IT man had done a poor job, and he was egged on by the owner who was “shocked” to see what the IT man had done to his network, because he had been “led to believe” that everything was in top shape. Was he not right to fire him? Just look at the facts!

The problem with these facts is that the “expert” didn’t consider how the situation had come about. And of course the owner wasn’t going to tell him the full story. But if you’re still following us, we’re going to look at this mess of a network from the dark side of neglect, lack of resources and money.

The Dark Side Of the Audit

As far as the network credentials go, this was a problem that didn’t exist. The owner had received a copy of the credentials on multiple occasions in an Excel file (the format they’d always existed in), a file that was also stored both on the company’s SharePoint site and on the company’s old NAS that anyone could access. Since he was forcibly removed from the office, there had been no time to hand over the updated version of the file. The poor decision-making of the company could have led to some serious “fuck you, see you in court” but this was a non-issue.

The lie of the company owner that he wasn’t “aware” of any problems was easily countered by a document written that week. In it, the IT Man had audited his own network and he’d created a SWOT analysis that listed every single problem they’d run into.

Every single item was listed in the document and the root cause of all issues was explained: there was no money for IT and ownership didn’t respond to any of the requests that were made to solve the problems.

To start at the edge of the network, the firewall license hadn’t been renewed since a personnel shift. Ever since the IT person had to report directly to the owner, and the owner was the only one who could approve purchases, the mails to renew the license had gone unanswered. With no new license, IT had no choice but to accept that the services on the UTM stopped functioning properly and hope for the best.

With no AV / malware scans on the edge of the network, anti-virus on the devices had become even more critical. But the requests to renew the license for their anti-virus product had also gone unanswered, so IT had no other choice than to remove the outdated product everywhere and bet on Microsoft Defender before it had a reputation of “being good”. It was not their favorite choice, but whatever Microsoft offered in updates was better than the constant alerts that there weren’t any AV updates at all.

The desktops and servers also had the problem of running outdated operating systems. You can already imagine why they hadn’t been upgraded – there was no money to do so. For a long time, IT had been using a relatively cheap solution to build their network. They had been a Microsoft partner for a long time, which meant they were entitled to MAPS licenses for partners that they were allowed to use internally. However, the company had also decided that the €300-400 yearly fee to stay enrolled in the program was “too much”, so the only resources they could access were the (outdated) versions of Windows and Microsoft tools installed from the DVDs they still had.

The devices themselves were also old and outdated, but no device refresh had been approved in the last five years. The “newest” device in the company was a Mac that had been bought for the IT guy five years before he quit. That purchase had been approved by his manager, before everything had to be rubber-stamped by the owner.

There weren’t just the technical problems, either. There were issues with how IT was handled. Users were using sticky notes to remember their passwords because they “were too hard”. These sticky notes were hanging in clear sight of anyone who entered the building, on a PC that gave access to the full network and all of its resources (“They need to be able to use accounting software on the server”). Passwords were generously shared with each other so they could “share software” that was running on a “better computer”. And users had started to become creative about where they sourced software from, which was made possible because an Administrator account was circulating around the company. Changing the password of the Administrator account wasn’t allowed, as the people “who used it” were to “be trusted”.

The entire company was a powder keg waiting to blow, and if you audited it you would probably also wonder if IT had been doing its job. But hopefully you’d have noticed some of the design decisions they’d made on their budget of nothing.

On the edge of the network, the company was using a DNS solution to filter traffic, which was free but did an okay job of keeping most malware at bay. Backups were made with Windows’s built-in tools to the shitty NAS. But the IT person had made sure the server wasn’t actually all that essential anymore. Ninety percent of the services on the server had been disabled after they’d migrated to Office365. All that was still running on it was the accounting software, DHCP, DNS and AD.

In a rejected proposal, IT had suggested decommissioning the server completely and starting to use local accounts on all devices, since AD was overkill for their network. DHCP and DNS could easily be migrated to the firewall. Can you guess what happened to that proposal? Left on read, of course.

Most of the “assets” of the company now took the form of their websites, which were in decent shape. They were backed up and protected, but the tools to do so were using the personal license of the IT guy. Backups were made to OneDrive and a local desktop – the only places the IT person had access to. They’d even rolled out MFA to all sites – but it wasn’t used by anyone except the IT man himself.

To an external auditor, the entire network would of course look like a powder keg ready to blow. You would probably be questioning the abilities of the IT person. We would be doing the same thing. But the truth is that some companies’ IT is held together with bubble gum and spit. And they’ve been out of gum ever since they stopped bringing it from home.

The assigned “expert” only saw what he wanted to see. He saw the network through the lens of what the owner told him, who had conveniently left out the part where they’d refused to pay for any upgrades or upkeep, hidden the audit report that had already been written, and painted a picture of the IT person as incompetent and dishonest.

When you audit a company like the one in the above story, you could easily come to the same conclusions as the “expert”. Wow, the IT staff there sucks! They’re so easy to hack, and the users are stupid! And sometimes that is justified. Sometimes it’s not. It’s our job to audit the infrastructure, processes and the company while looking through a neutral lens, but that’s not always possible. After all, companies will always be willing to lie to absolve themselves of responsibility. They lie about their willingness to invest and often don’t care about security because it gets in the way of doing things the way they want. And their fall guy? Sometimes, he wishes he was working somewhere else entirely.

Epilogue

Immediately after the audit, the company spent thousands upon thousands of euros on new equipment, including new servers. Their inability to be honest with themselves allowed them to spiral further. And the IT person? They’ve moved on to a new job, pivoted careers and are now helping to audit the security of companies as a Junior Pentester on a Red Team they’re helping to build out.
