Chapter 37 Β· Tricks & Performance

Trick Questions & Performance Tasks

The misconfiguration misconceptions most likely to cost exam points β€” and the performance task that tests whether you can diagnose and remediate a misconfigured environment.

Trick 1: "Misconfiguration vulnerabilities are less serious than code-level vulnerabilities like buffer overflows or SQL injection because no exploit is required β€” attackers just use the system as intended." True or False?
FALSE β€” the absence of an exploit requirement makes misconfigurations MORE serious in many cases, not less.

This trick inverts the logic of what makes a vulnerability dangerous. An exploit requires skill, time, and a specific target. A misconfiguration requires none of these β€” it is accessible to anyone who looks.

Why "no exploit required" is worse, not better:
A buffer overflow requires finding the vulnerability, developing or acquiring an exploit, targeting a specific version of specific software, and executing the attack. It is a directed, skilled effort. An open S3 bucket requires typing a URL into a browser. It is accessible to the least sophisticated "attacker" imaginable β€” including an automated scanner, a curious employee, or a security researcher doing routine work. The attacker population for misconfigurations is effectively unlimited, while the attacker population for complex exploits is a much smaller set.

The Verizon example illustrates this:**
14 million customer records were exposed by an open S3 bucket. The "attacker" was a security researcher using publicly available scanning tools. An actual attacker with the same tools would have had the same access β€” with worse intent. No credentials, no exploit, no skill requirement. Just a wrong configuration setting.

Exam tip: When a question frames misconfigurations as minor or less serious because they require no exploit, the answer is that this reasoning is incorrect. The absence of exploitation requirements expands the attacker pool to anyone on the internet. Many of the largest data breaches in history have involved misconfigurations, not sophisticated exploits.
Trick 2: "Code signing and encryption prevent packet capture attacks on insecure protocols. As long as an organization signs its software and uses HTTPS for its web traffic, Telnet and FTP on internal networks pose minimal risk." True or False?
FALSE β€” code signing and HTTPS on web traffic do not protect Telnet or FTP sessions in any way.

This trick asks you to conflate two different security controls that address two different problems. Code signing protects against software tampering. HTTPS protects web traffic. Neither has anything to do with what happens when someone runs a Telnet session on the same network.

What code signing does:
Code signing verifies the origin of a software package and whether it has been tampered with after signing. It operates at the software distribution layer. It says nothing about the protocols used for device management or file transfer once software is installed and operating.

What HTTPS does:
HTTPS encrypts web traffic between a browser and a web server. It operates on port 443 and protects web application traffic. It does not encrypt Telnet traffic (port 23) or FTP traffic (port 21), which are entirely separate protocol stacks.

The actual risk of internal Telnet and FTP:
An attacker who gains any foothold on an internal network β€” through a compromised endpoint, a misconfigured VPN, or a phishing attack β€” immediately benefits from Telnet and FTP still running on internal networks. All traffic on those protocols is readable in plaintext. A single compromised machine on the same network segment can capture every Telnet session's credentials, regardless of how well-encrypted the organization's web traffic is.

DEFCON's wall of sheep β€” the internal network lesson:
The wall of sheep worked specifically on an internal conference network. All the HTTPS traffic was unreadable β€” correctly encrypted. What the researchers captured was cleartext IMAP, Telnet, and FTP traffic. The encrypted protocols were invisible in the capture; the cleartext protocols broadcast every credential.

Exam tip: Protocol security questions test whether you know which control applies to which threat. Code signing answers "was this software tampered with?" HTTPS answers "is this web traffic encrypted?" SSH answers "is this remote terminal session encrypted?" These are different controls for different threats β€” they do not substitute for each other.
Trick 3: "The Mirai botnet demonstrated an advanced persistent threat β€” it used sophisticated zero-day exploits against IoT firmware to gain unauthorized access to devices." True or False?
FALSE β€” Mirai required no zero-days and no sophisticated techniques. It used a list of approximately 60 publicly documented default credential combinations.

Mirai is the opposite of an advanced persistent threat in terms of its attack technique. The sophistication of Mirai was in its scale, speed, and design β€” not in its exploitation technique. The exploitation step was trivially simple: try known default credentials until one works.

What Mirai actually did:
(1) Maintained a hardcoded list of ~60 username/password combinations from published vendor documentation for common IoT devices. (2) Scanned random internet IP addresses looking for open Telnet (port 23). (3) When a device responded, tried each credential from the list in order. (4) If a credential succeeded β€” which it did immediately for any device with unchanged factory defaults β€” the device was enrolled in the botnet. No firmware analysis, no CVE research, no zero-day exploit needed.

Why this matters conceptually:
Mirai demonstrated that you do not need advanced techniques to cause catastrophic damage β€” you need scale. A simple technique applied to a misconfigured population of hundreds of millions of devices is more effective than a sophisticated technique applied to a handful of hardened targets. The vulnerability was not in the software; it was in human behavior (not changing default credentials) applied at global scale.

Exam tip: When a question describes Mirai or similar IoT botnet attacks and attributes them to zero-days or sophisticated exploitation, the answer is false. The attack vector was default credentials. The lesson is that simple misconfigurations, multiplied across large populations of devices, can produce serious consequences without any technical sophistication.
Trick 4: "An organization's firewall is configured with a 'default-deny' policy β€” all traffic is blocked unless explicitly permitted. Since this is in place, there is no need for periodic firewall audits. Any traffic that reaches internal systems is there because a rule explicitly allows it, which means it was authorized." True or False?
FALSE β€” a default-deny policy ensures that no unauthorized rules are absent, but it does not ensure that authorized rules remain necessary or correct over time.

Default-deny is an excellent foundational control. All traffic not explicitly permitted is blocked. This prevents access via forgotten or assumed-open paths. But the logic in the trick question contains a hidden flaw: it assumes that rules, once correctly added, remain correct indefinitely.

Why default-deny alone is insufficient:
Rules become stale. A rule permitting VPN access for a contractor who left 18 months ago was correct when it was added. Today, it permits access from credentials that should no longer exist β€” and possibly now held by different people if the IP range was reassigned. The default-deny policy does not evaluate whether a rule is still needed; it only ensures that all traffic entering the network has an explicit matching rule.

Rule creep in practice:
Consider an organization that runs its firewall for five years. Year 1: 50 rules, all necessary. Year 2: 15 new rules added for a new application β€” 65 total. Year 3: 8 rules added for a vendor integration, application from year 2 retired but rules not removed β€” 73 total. Year 4: acquisition adds 22 rules for merged network, merger falls through β€” 95 total. Year 5: current, active rules: maybe 45. Stale rules: maybe 50. Default-deny is in place throughout β€” but there are now 50 rules that permit traffic with no current business justification.

What periodic audits catch that default-deny does not:
β€’ Rules for decommissioned systems or ended projects
β€’ Rules for IP ranges that are no longer owned by the intended parties
β€’ Overly broad rules (allow any/any) added "temporarily" and never narrowed
β€’ Rules that duplicate or conflict with each other
β€’ Rules with no documented owner or business justification

Exam tip: Default-deny is a best practice β€” but it controls what is blocked at the boundary, not whether the rules permitting traffic are still appropriate. Periodic audits are required regardless of the baseline firewall policy. The question is not "does a rule exist?" β€” it is "should this rule still exist?"
Performance Task: You are conducting a security assessment of a mid-sized financial services company. During your review, you discover the following five findings. For each finding: (1) identify the misconfiguration category, (2) explain the specific risk it creates, and (3) describe the remediation.

Finding A: The Amazon S3 bucket used for storing customer account exports has "Block Public Access" disabled. A bucket policy grants read access to "Principal": "*".
Finding B: All 12 network engineers have full Administrator rights in Active Directory. The built-in Administrator account on all domain controllers has the password "Admin2020!"
Finding C: Internal switches and core routers are managed via Telnet. An email capture shows the financial analysis team's mail client connecting to the mail server on port 143 (IMAP) without TLS.
Finding D: A new IP phone system was deployed last month. All 80 VoIP phones are accessible over the network with the manufacturer's default credentials (admin/admin).
Finding E: A firewall rule audit reveals 340 active rules. 90 of these were created during a core banking system migration completed three years ago. Documentation for 70 rules lists "temporary β€” review in 6 months" as the justification, dated between 2–4 years ago.
Model Answer:

Finding A β€” Open Permissions (S3 Bucket)
Risk: Any person on the internet can navigate directly to the bucket URL and download customer account exports without any authentication. No exploit, no credential theft β€” the access control simply permits it. For a financial services firm, this is a regulatory breach (PCI-DSS, Gramm-Leach-Bliley) in addition to a security incident.
Remediation: (1) Immediately enable "Block Public Access" at both the account level and the specific bucket level. (2) Remove the "Principal": "*" from the bucket policy; replace with explicit IAM role ARNs for the specific applications and users that require access. (3) Audit all other S3 buckets in the account for similar misconfigurations. (4) Implement a Service Control Policy (SCP) at the AWS organization level that prevents Block Public Access from being disabled on any bucket. (5) Review what data was stored in the bucket and assess breach notification obligations for the period of exposure.

Finding B β€” Unsecured Admin Accounts
Risk: Twelve accounts with Domain Admin rights means twelve compromised accounts give full Active Directory control. The password "Admin2020!" on domain controllers is weak, known-format, and likely to appear in password dictionaries. An attacker with any internal foothold who cracks or guesses this password gains unrestricted control of all domain-joined systems.
Remediation: (1) Immediately change the built-in Administrator account password to a long, randomly generated credential (20+ characters); store in a privileged access management (PAM) vault. Consider disabling the built-in Administrator account and using individually named admin accounts. (2) Conduct a privilege review of the 12 Domain Admin accounts β€” identify which specific administrative tasks each person performs. Grant only the minimum required rights (most IT operations do not require Domain Admin; specific OU admin or role-specific rights are usually sufficient). (3) Require MFA for all privileged accounts. (4) Implement a Privileged Access Workstation (PAW) policy β€” domain admin actions should only be performed from dedicated, hardened machines, not standard workstations.

Finding C β€” Insecure Protocols
Risk: Telnet (port 23) transmits all network device management sessions β€” including login credentials and all commands β€” in cleartext. Any attacker with access to the network switch spanning tree or the ability to capture traffic on a trunk port can read every management session, including passwords. Plain IMAP (port 143) similarly exposes email credentials and email content in cleartext to any network observer.
Remediation: (1) Disable Telnet on all network devices. Configure SSH (port 22) for all device management β€” every enterprise-grade switch and router has supported SSH for over a decade. Add firewall rules to block port 23 inbound to all network management interfaces. (2) Configure the mail server to require TLS on IMAP connections (IMAPS, port 993); disable plaintext IMAP authentication on port 143. Push a mail client configuration update to all financial analyst machines. (3) Verify with a subsequent packet capture that no cleartext authentication traffic remains on the management network.

Finding D β€” Default Settings
Risk: All 80 VoIP phones are accessible with credentials that are publicly published in the vendor's documentation. Any person on the network can log into any phone, reconfigure call routing, enable call recording, access voicemail, or potentially use the phone as an audio surveillance device (many VoIP phones have accessible microphones through their management interface). In a financial services environment, unauthorized call recording access is both a security and compliance issue.
Remediation: (1) Immediately change the credentials on all 80 phones β€” unique credentials per phone are ideal; at minimum, a non-default shared credential across all devices with a strong password. Use a configuration management tool or the phone management system to push credential changes in bulk rather than doing each manually. (2) Disable any management interface services not in use on the phones. (3) Segment the VoIP network from the general corporate network using a separate VLAN, so that even with credentials an attacker cannot directly connect to phones from a standard workstation. (4) Establish a pre-deployment credential change policy: no device connects to the network until default credentials are changed.

Finding E β€” Open Ports and Services / Firewall Rule Creep
Risk: 90 rules from a completed migration and 70 rules marked "temporary" with no subsequent review represent access paths with no current business justification. If any of those rules permit access to production banking systems from now-unnecessary sources, they represent unmonitored entry points. The complexity of a 340-rule ruleset with no accountability for most rules also makes it impossible to assess the true security posture.
Remediation: (1) Treat this as a formal remediation project, not a routine task. Assign a firewall rules owner. (2) For the 90 migration rules: verify whether the migration is fully complete and no process still depends on those rules. For each rule, contact the business team responsible for the migration and confirm: "Do you still need this?" Rules with no business owner and no current function should be removed. (3) For the 70 "temporary" rules that have been in place 2–4 years: these should be treated as expired. Contact the rule requestors (if identifiable) or the business owners of the systems the rules touch. Without positive confirmation of continued need, remove them β€” scheduled during a change window. (4) Going forward: require a business owner and expiration date for every temporary rule; calendar quarterly firewall reviews; require that decommissioning checklists include a firewall rule review step.