Pratum Blog

Pratum team outing to The Escape

Pratumeers recently took turns getting away from the office to put our skills to the test in an escape room. We split into four teams total – two teams went on consecutive Friday afternoons, while the other two stayed back to hold down the fort. Each team contained at least one member from every department. We worked together, racing against the clock to uncover clues and solve riddles to escape. It was a memorable outing that our entire company enjoyed.

Same Skills, Different Mission

When it comes to requiring finesse, Pratum and an escape room have a lot in common. Just like operating an information security firm, you can’t complete an escape room without a few necessary skills. If you’ve ever taken part in an escape room, maybe you already know the formula for success: a great deal of critical thinking, a bit of creativity, some wit, and the final, most important part, teamwork.

The same formula is used every day at Pratum to be leaders in the information security industry and deliver top-notch service to our clients. Let’s take a closer look at the similarities:

You’ll Need Critical Thinking

You’ve just entered the escape room, the door locks behind you, and the clock begins. The room is unfamiliar to you, and you may only have a few clues. What little information you have must be analyzed so you can form judgment on how you’ll proceed to uncover your next clue.

Critical thinking is just as important to Pratum as it is to an escape room. In the early stages of consulting a new client, we are in the discovery phase learning about their business model and current security practices. It’s up to our consulting team to interpret current security policies and procedures, dissect information and figure out the best approach for their security needs.

Get Creative

You’ve uncovered a few more clues now, but they’re not in a logical order. You must use a bit of your imagination and think outside of the box to make sense of them.

Pratum’s ethical hackers use unconventional ways of thinking when performing a penetration test to uncover vulnerabilities. Social engineering assessments require our team to find clever ways to remain incognito. Whether it’s pretexting phone calls, email phishing or onsite facility access, taking on a new identity to ethically uncover an organization’s security risks takes quite a bit of creative thinking.

Don’t Forget the Wit

It’s now down to the final five minutes, and it seems as though the only thing that’s escaping is time. You begin to realize that you need to kick your brain into high gear if you’re going to make it out of the room. You must be careful to not rush and make a detrimental mistake that will set you back even further.

Often, we receive new clients who come to us because they are facing a security breach. These clients rely on us to help them get through this stressful time. Our incident response team is always prepared to think on their feet and deliver quick, intelligent solutions to minimize damage. It’s safe to say that we have wit down pat here at Pratum.

All Together Now

Success! You’ve cracked every code, solved each riddle, and have escaped. Your cheer is echoed as you proudly walk out the door with the rest of your team. You didn’t complete the escape room on your own, rather it was a team effort. Everyone contributed in their own way, and that’s what got you out.

Pratum celebrating at Cheesecake Factory
Celebrating Escape Room Success with Cheesecake!

At Pratum, above all, we are a team. Though we are each individually skilled in critical thinking, wit and creativity, it’s our collaborative effort that makes Pratum an enjoyable place to work.

Team building is important to an organization’s overall health, and Pratum recognizes that. An escape room was the perfect outing for us to use our skills in a fun and unique way. Having a member from each department on every team gave us the opportunity to open some new doors for communication and strengthen our team as a whole.

Jason Moulder, one of Pratum's valued information security consultants (penetration testers), discovered a critical WebVPN Denial of Service Vulnerability within Cisco's Adaptive Security Appliance Software and Firepower Threat Defense Software. This vulnerability received a CVSS Score of 8.6. We are proud of Jason and the excellent work he performs for our clients. Jason tells the story of his findings in the following article.

For many of us who conduct penetration testing for clients, discovering bugs is a regular occurrence. Sometimes they are just quirky things that produce interesting output that may or may not be the function the developers intended.

During a recent client engagement, I ran into such an issue with a Cisco ASA device. Most of the time, testing firewalls is a pretty mundane task, but you still follow your testing methodology. From time to time, it pays off for the good guys.

To me, being a penetration tester isn’t just about popping boxes and owning the network. While this is REALLY fun, there is a lot of critical thinking that goes into your daily work. Being able to think “outside-of-the-box” will get you a lot further.

There are tons of products on the market, both free and commercial, that help testers every day. While automation helps a great deal and reduces the amount of time you dedicate to an engagement, it only catches the known issues, because it can only flag what a rule or signature incorporated within the tool already describes. If whatever you are testing is properly updated, it has most likely already received a fix for the attack the tool is looking for. The best way to find the unknown is by manually testing your devices and applications using a solid methodology.

Discovering the Cisco ASA Critical Denial of Service Bug

While going through my manual testing process, I began looking at all the pages the application reported back to me. To start out, I usually open the links, see what they are and monitor the responses I receive. One particular link stuck out.

Currently, we will not be disclosing details of how to exploit this vulnerability, but stay tuned for a future update in coming weeks.

When I visited the link, I received the following error page.

Cisco Adaptive Security Appliance (ASA) Error from Critical Denial of Service Bug

It seemed benign at first glance, but I noticed the browser was still trying to load the page. Well, not exactly: the address bar icon jumped between Stop and Reload. This wouldn’t stop unless you manually closed the tab that was opened. It appeared something was executing on the back end to establish a connection. All this while I was unauthenticated.

When the link was loaded into any browser, it was observed that a connection was established and torn down. That is what it should do, but not infinitely. The best way to describe the connection is like an infinite loop scenario within an application.

When more tabs were opened in the browser to the same location, utilization of CPU and RAM on the ASA began to increase significantly (4 open tabs from two IP addresses increased utilization from 9% to 27%+ in a 1-minute timeframe) and continued to grow on its own. Now, that is a big increase for two hosts!

Connection count rose upwards of 200+ connections on its own, and teardown times began to increase from 1 second to, in some observations, over 30 seconds. The ASA was struggling from this simple test within one minute.

The size of the packet began to increase as well, even though no manipulation was done. The connection had to be forcibly closed in the browser by either closing the tab or by stopping the loading of the page, otherwise it would continue to make the request. Looks like DoS to me.

Since this was a client’s production system, I didn’t want to really do much more testing at this point and inadvertently bring it down.

Disclosing the Issue to Cisco

I began the disclosure process with Cisco’s PSIRT team at the beginning of May 2018. All the findings we had collected at this point were disclosed to them for further testing. An immediate response was received. Within two days, Cisco confirmed the finding. In late August 2018, Cisco contacted me and informed me that they had an anticipated disclosure date for the beginning of October 2018. After some further testing on the Cisco side, the fix was not adequate, but on May 1, 2019 Cisco released an alert and software updates addressing the vulnerability. As of the time of this article, there is no workaround for this vulnerability.

Notes about Pratum and its clients:
  • The client was also notified of the issue from the beginning.
  • As a managed services provider, we were able to create our own custom rule to detect this activity for our clients.
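The symptoms described above (a few hosts building and tearing down VPN connections in a loop, with teardown times creeping from 1 second toward 30 seconds) are the kind of signal a detection rule can key on. The following is an added example, not Pratum's own rule or any Cisco code: it scans constructed log lines written in the style of ASA syslog IDs 302013 (connection built) and 302014 (connection torn down), counts per-source build churn toward the VPN port, and checks whether teardown durations are growing. The VPN port (443) and both thresholds are assumptions.

```python
"""Detection heuristic for WebVPN connection churn (added example, constructed data)."""
import re
from collections import defaultdict

# Assumed formats, modelled on ASA 302013 / 302014 syslog messages.
BUILD_RE = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection (\d+) for \w+:([\d.]+)/\d+ .* to \w+:[\d.]+/(\d+)")
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (\d+) for \w+:([\d.]+)/\d+ to \w+:[\d.]+/(\d+) "
    r"duration (\d+):(\d+):(\d+)")

VPN_PORT = "443"        # assumption: WebVPN is served on 443
CHURN_THRESHOLD = 50    # assumption: builds per source within the analysed window
DURATION_GROWTH = 10.0  # assumption: last teardown >= 10x the first one is suspicious

def analyze(lines, port=VPN_PORT):
    """Return one alert dict per source IP whose connections to `port` look like a loop."""
    builds = defaultdict(int)
    durations = defaultdict(list)
    for line in lines:
        m = BUILD_RE.search(line)
        if m and m.group(3) == port:
            builds[m.group(2)] += 1
            continue
        m = TEARDOWN_RE.search(line)
        if m and m.group(3) == port:
            h, mi, s = (int(x) for x in m.group(4, 5, 6))
            durations[m.group(2)].append(h * 3600 + mi * 60 + s)
    alerts = []
    for src, n in builds.items():
        d = durations.get(src, [])
        growing = len(d) >= 2 and d[0] > 0 and d[-1] / d[0] >= DURATION_GROWTH
        if n >= CHURN_THRESHOLD or growing:
            alerts.append({"src": src, "builds": n, "growing": growing})
    return alerts

def make_sample():
    """Constructed log: one host looping build/teardown, one host with a normal session."""
    lines = []
    for i in range(60):
        cid, sport, dur = 1000 + i, 40000 + i, 1 + i // 2   # teardown creeps from 1s to 30s
        lines.append(f"%ASA-6-302013: Built inbound TCP connection {cid} for outside:198.51.100.7/{sport} "
                     f"(198.51.100.7/{sport}) to identity:203.0.113.1/443 (203.0.113.1/443)")
        lines.append(f"%ASA-6-302014: Teardown TCP connection {cid} for outside:198.51.100.7/{sport} "
                     f"to identity:203.0.113.1/443 duration 0:00:{dur:02d} bytes 2048 TCP FINs")
    lines.append("%ASA-6-302013: Built inbound TCP connection 2000 for outside:198.51.100.8/50000 "
                 "(198.51.100.8/50000) to identity:203.0.113.1/443 (203.0.113.1/443)")
    lines.append("%ASA-6-302014: Teardown TCP connection 2000 for outside:198.51.100.8/50000 "
                 "to identity:203.0.113.1/443 duration 0:05:12 bytes 91000 TCP FINs")
    return lines

if __name__ == "__main__":
    print(analyze(make_sample()))
```

Real deployments would apply the thresholds over a sliding time window rather than a whole file, and tune them against the normal WebVPN session profile of the device.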

There’s no replacement for robust cyber security and training programs, but having these programs in place doesn’t mean you should avoid implementing a cyber liability insurance policy. Cyber insurance has proven to be a critical component of an enterprise risk management program, and if properly aligned with business needs, it can provide coverage for many of the costs associated with a cyber breach.

To ensure your organization has appropriate cyber insurance and a plan for responding to security incidents as they happen, you need to develop and implement an incident response plan. Developing the plan will force you to examine your risks from inside and outside your organization. Once you have identified and categorized your risks you will be able to make the appropriate business decision to either accept the risk (take no action because it doesn’t concern you enough), mitigate the risk (develop new policies and procedures to reduce risk), or transfer risk (purchase cyber liability insurance to help with the cost in the event of a security incident).

The categorization of your risks will guide you in selecting an insurance policy that aligns with business needs. Whether you are developing your response plan internally or with a third party, your organization will be responsible for complying with the terms of the policy to ensure you qualify for usable coverage. Terms include things like identifying when (how quickly) you need to contact your insurance provider and who is approved to handle the data involved in the breach.

In addition to helping select the appropriate insurance policy, developing an incident response plan will take you through the steps to identify key contacts from skilled firms that specialize in various areas of expertise. Adding these contacts to your incident response plan will ensure you are prepared to take immediate action when an incident arises.

Each group of specialists provides services to help ease the burden of cyber events. Let’s look at a few of these specialists and how they can help you:

  • Information Security/Forensics Firms — These are information security experts, like Pratum, who can assist with developing an incident response plan. These same experts can also help determine the extent of a security breach and provide remediation services.
  • Agents/Brokers — These individuals help you understand your exposure and tailor insurance programs to meet the unique needs of your organization.
  • Insurance Carriers — Carriers help you transfer liability to the carrier as a third party via an insurance contract. Coverage provides balance sheet protection, and oftentimes policies provide access to and pay for pre-qualified breach response experts and vendors.
  • Breach Coaches — These specialized attorney firms help navigate the turbulent waters after a cyber breach. You gain legal privilege by working with these firms, and they’re experts in handling cyber events and coordinating the specialists on this list to mitigate exposures to your organization.
  • Notification/Call Centers/Credit Monitoring/Identity Monitoring Services — These are professional firms that provide services required in the event of a breach. Many of these services are required by various state and federal laws in the event of a breach.
  • Public Relations — A firm will provide crisis management communications that help with loss of reputation and consumer confidence. What you say as well as how and when you say it matters.

Cyber liability insurance is an important part of an information security program and gives your organization a helping hand with the access it grants you to cyber experts. Make sure to incorporate these experts into your incident response plans and do your research on which firms best fit your organization’s needs. Planning is a critical step in ensuring events are handled properly and in helping your organization avoid additional liabilities from third parties. If you’ve planned properly, you will not be alone when an incident occurs, and you will be in a better position to minimize damage.

A special thank you to Miles Weis at Holmes Murphy for helping provide some of the content featured in this article.
