Top 3 Vulnerabilities in Pentests of Workstations and Company Notebooks

20 February 2025

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents them and provides tips on how to avoid them - for #moresecurity across all IT assets.

Today we look at the three most common security-critical vulnerabilities that our analysts have identified in Pentests of Workstations and Company Notebooks in recent years.

Why Pentests of Workstations and Company Notebooks?

The term workstation covers a wide range of end devices in the context of our pentests. Whether laptop, desktop or terminal devices - workstations and company notebooks are usually the primary access point for employees or customers to company resources, data and applications. As workstations are often also used outside the company, for example remotely or on business trips, they are an attractive target for attacks.

In contrast to standard application or system pentests, workstations also have a physical component, which poses additional challenges. This raises questions such as: Is the data on a stolen laptop secure? Is it possible to gain access to the company network via a logged-in user? Can unauthorized persons execute code as an administrator and install malware? In our workstation pentests, we therefore focus on the technical possibilities of securing a workstation in these different scenarios.

Vulnerable Software

Our analysts frequently encounter outdated software and software with known vulnerabilities. This is not surprising, as workstations usually have many tools installed that are relevant to everyday working life. Companies want to enable their employees to carry out their work effectively and flexibly. A workstation therefore consists of an interplay of very different software components. However, this complexity also harbors the greatest danger for company notebooks. From an unpatched operating system and outdated device drivers to new, as yet untested AI tools - each of these components can potentially contain a vulnerability.

While many large companies have clear policies for operating system updates, both post-installed third-party software and proprietary software are often overlooked. In many of our projects, we have found that software was installed on the devices that allows privilege escalation. This vulnerability allows a user with limited rights to execute code as an administrator and thus take control of the entire device. If the device is part of an Active Directory domain, access data from other accounts could be read under certain circumstances. Even anti-virus software with such vulnerabilities was discovered during an analysis. The risk of exploitation is particularly high for software that requires administrator rights by default in order to function.

Security tip: As a preventive measure, we recommend always keeping installed software up to date and regularly installing updates and security patches. However, standardized update management can only function reliably if the installed software is managed centrally. The software required on workstations should therefore be made available via a central download portal.

Insecure Authorizations

The installation processes can be as varied as the software installed. While some software products are managed centrally, others are downloaded and installed manually. In our analyses, we repeatedly discover that files and directories are configured with insecure authorizations (file system permissions). An insecure authorization exists when a normal user can write to a directory that should only allow read-only access. This misconfiguration makes it possible, for example, to change configuration files or executable files. This in turn can lead to a service with elevated rights reading or executing the manipulated files.
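The following audit script is an added example, not code from the usd HeroLab article: it enumerates the Windows services on a workstation, resolves each service binary and its directory, and reports those whose ACLs grant write, modify or full-control rights to low-privileged principals, which is the combination of elevated service and writable path described above. The list of low-privileged principals is an assumption and should be adapted to the environment; the check reads Allow entries only and does not model Deny precedence.

```powershell
# Added example (not the blog's code): find service binaries and directories that
# low-privileged users can write to. Run as administrator so every ACL is readable.
# Assumption: these identities count as "low-privileged" on this workstation.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryPath([string]$PathName) {
    # A service PathName may be quoted, unquoted, or carry arguments; keep the executable only.
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)')  { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-LowPrivWritable([string]$Path) {
    # True if any Allow ACE grants one of the write-type rights to a low-privileged principal.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $dir = Split-Path -Parent $exe
    # Both the binary and its parent directory matter: a writable directory allows
    # replacing or adding files that the elevated service may load.
    foreach ($target in @($exe, $dir)) {
        try {
            if (Test-LowPrivWritable $target) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Writable = $target }
            }
        } catch { Write-Verbose "Cannot read ACL of ${target}: $_" }
    }
}
$findings | Sort-Object Service | Format-Table -AutoSize
```

Every line in the output is a candidate for the "service with elevated rights reads or executes manipulated files" scenario and should be fixed by restricting the ACL to administrators and the service account.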

But even read-only access should not be possible everywhere, especially not in directories where sensitive data is stored. Normal users often have access to network shares. Passwords and confidential documents can be read at this point due to insecurely configured authorizations.

Security tip: To minimize such risks, authorizations should be checked regularly and adjusted restrictively so that only authorized users have access to sensitive data in the company.

Missing Hardening Measures

Even without a large amount of installed software and despite restrictive authorizations, there are ways to further increase security beyond the basic configuration of an operating system. Security hardening involves systematically reducing the attack surface. Even if there are vulnerable components, a secure system makes it much more difficult for attackers to successfully exploit security vulnerabilities. The implementation of hardening measures should be part of the security concept for workstations.

Security tip: Measures such as deactivating unnecessary services, restricting remote access options and configuring secure network settings can further reduce the risk. The implementation of logging and monitoring tools that monitor suspicious activities also contributes to the early detection of potential threats. In addition, security settings can be activated that prevent the execution of unknown programs and scripts, for example, or implement additional protection mechanisms for access data.
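The baseline check below is an added example, not code from the article: it tests a workstation against one concrete instance of each hardening measure named above (remote access, unnecessary services, logging, blocking unknown programs, protecting access data). The specific settings chosen, RDP policy, the Remote Registry service, PowerShell script block logging, AppLocker, LSA protection (RunAsPPL) and Credential Guard, are an assumed baseline to illustrate the tip, not a list prescribed by the blog.

```powershell
# Added example (not the blog's code): read-only hardening baseline check.
# Run as administrator. Settings below are an assumed baseline; adapt to your standard.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# AppLocker: count file rules in the effective policy XML (0 means nothing is enforced).
$appLockerXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
$appLockerRules = if ($appLockerXml) {
    ([regex]::Matches($appLockerXml, '<File(Path|Publisher|Hash)Rule ')).Count } else { 0 }

# Credential Guard reports as service id 1 in SecurityServicesRunning.
$deviceGuard = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
               -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

$checks = @(
    @{ Name = 'Remote access: Remote Desktop connections denied'
       Pass = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections') -eq 1 }
    @{ Name = 'Unnecessary service: Remote Registry not running'
       Pass = (Get-Service RemoteRegistry -ErrorAction SilentlyContinue).Status -ne 'Running' }
    @{ Name = 'Logging: PowerShell script block logging enabled'
       Pass = (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1 }
    @{ Name = 'Execution control: AppLocker policy contains file rules'
       Pass = $appLockerRules -gt 0 }
    @{ Name = 'Access data: LSA protection (RunAsPPL) enabled'
       Pass = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL') -in @(1, 2) }
    @{ Name = 'Access data: Credential Guard running'
       Pass = ($deviceGuard.SecurityServicesRunning -contains 1) }
)

# Report every check; a $null result counts as not configured (Pass = False).
$checks | ForEach-Object {
    [pscustomobject]@{ Check = $_.Name; Pass = [bool]$_.Pass }
} | Format-Table -AutoSize
```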

Let's Recap

Overall, workstations are often susceptible to attacks due to a combination of vulnerable software, insecure authorizations and a lack of security measures. Consistent and regular protection of these areas is crucial to ensure the long-term security and integrity of company resources.

Performing pentests is one of our core competencies. Our workstation pentests are specifically designed to uncover and mitigate the vulnerabilities listed in this article and others. Properly executed pentests remain one of the most important tools to improve your security and resilience to evolving cyber threats. Contact us, we will be happy to help you.
