Scary stories you won't believe until they happen to you!

October 27, 2022

For Halloween this year, we wanted to share some scary scenarios along with security recommendations to help avoid them. All the names, companies and characters are made up, but the events and experiences are based on things that could happen, or have happened, in the real world.

Halloween terrors coming true in IT security

1. Horrors of the logging library

Mary the sysadmin looks over at her monitoring system and notices an increase in requests containing special characters. She recognizes the strings as Log4Shell exploit attempts. Months earlier, when the vulnerability first appeared, she concluded they were safe, since the vulnerability was in a Java library. She was wrong. One machine goes offline, then another. She tries to look online for scanners, but it’s already too late. Slowly, one by one, the attackers succeed: they are remotely executing code and bringing down her entire datacenter.

Recommendation: Having an up-to-date and complete software inventory, along with automated ways of running scans and patching across your hosts, is essential for reacting to vulnerabilities. CFEngine provides extensible software inventory out of the box, and you can use modules to scan for vulnerable hosts, such as the log4shell module: cve-2021-44228-log4j.

2. SSH-ut out by mistake

James gets a low disk space alert for one of his production web servers and logs in with SSH. He notices that the configuration for SSH is wrong: it allows root login and empty passwords. He quickly fixes it and moves on to the disk cleanup. Suddenly, his connection drops, and he tries to log back in, but SSH is not working! He must have made a mistake in the config and has locked himself out. All their management is based on SSH and he has no way back in to fix his error! The server runs out of space and the website starts showing error messages to users. He calls the datacenter to get someone to walk over to the server with a laptop, well aware that for every minute of downtime, they are losing thousands of dollars, and he is the one who will be blamed.

Recommendation: Don’t let SSH be a single point of failure; relying on it alone is very risky. With CFEngine running on all your machines you can manage the SSH configuration, or simply fix it if you’ve accidentally locked yourself out. For help with installing and using CFEngine for the first time, see our getting started tutorials.
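As an added example (not code from the original post or from CFEngine’s own repositories), here is a standalone policy that enforces the two sshd settings from James’s story and only reloads sshd when the edited file passes `sshd -t`, so a bad edit never takes the daemon down. It assumes the standard library at `$(sys.libdir)/stdlib.cf`, sshd at `/usr/sbin/sshd` and a systemd host.

```cfengine3
# Added example, not from the original post. Assumes the CFEngine standard
# library under $(sys.libdir), sshd at /usr/sbin/sshd and a systemd host.
body common control
{
  inputs => { "$(sys.libdir)/stdlib.cf" };
  bundlesequence => { "ssh_hardening" };
}

bundle agent ssh_hardening
{
  vars:
    # Desired "Key value" lines for sshd_config; existing lines with the same
    # key are rewritten in place, missing ones are appended.
    "sshd[PermitRootLogin]"      string => "no";
    "sshd[PermitEmptyPasswords]" string => "no";

  files:
    "/etc/ssh/sshd_config"
      edit_line     => set_config_values("ssh_hardening.sshd"),
      edit_defaults => backup_timestamp,            # keep a timestamped backup
      classes       => results("bundle", "sshd_config");

  commands:
    # Validate the file only when it was actually changed on this run.
    sshd_config_repaired::
      "/usr/sbin/sshd -t"
        classes => results("bundle", "sshd_check");

    # Exit code 0 from the check sets sshd_check_repaired; only then reload.
    sshd_check_repaired::
      "/bin/systemctl reload sshd";

  reports:
    sshd_check_failed::
      "sshd_config failed 'sshd -t' after the edit: sshd was NOT reloaded, backup copy left next to the file";
}
```

Run it once with `cf-agent -KI -f ssh_hardening.cf`; because the agent fetches and applies policy on its own schedule, a corrected sshd_config also reaches a host whose SSH is already broken.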

3. New boss in town

Susan, the new CEO of DE-Corp, is tasked with turning the company around. She starts looking for ways to modernize and upgrade their IT systems, as well as reduce unnecessary cloud spending. For this, she needs David, head of IT, to provide reports of host counts across data centers, departments and cloud providers, as well as information on outdated operating systems. David talks to different managers and logs into multiple web UIs to collect the necessary data, but Susan starts noticing discrepancies in his reports, as it becomes obvious he does not have a good and complete overview. Ultimately, she finds out about hundreds of machines in AWS which are not being used and costing them thousands of dollars per month. David gets fired on the spot and the company starts looking for a new head of IT.

Recommendation: With CFEngine Enterprise on all your machines, you get a complete overview of hosts, including operating systems, versions and other customizable inventory data. To learn more about the benefits of our reporting, see this part of the getting started tutorials: Reporting and Web UI.

4. The rogue won

One of the senior admins, John, is unhappy with the direction of the company under new management. He hands in his resignation and goes home, but continues arguing with his now ex-boss and colleagues over email. As the arguments escalate he loses his temper and decides to take revenge. During the night he first goes through the company’s backup servers, then the production servers, deleting as much data as possible, and then issues a reboot for good measure. The next day, all of the company’s systems are offline and it takes them months to recover. Their reputation is damaged beyond repair.

Recommendation: Use CFEngine’s powerful automation to manage access keys on all machines, allowing you to quickly revoke someone’s access when necessary. See this example policy to get started: cfengine-example-ssh-management.
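As an added example (not code from the original post or from the linked cfengine-example-ssh-management policy), here is a policy that keeps every admin’s authorized_keys file fully under policy control, so that dropping a name from the list revokes that person’s SSH access on every host at the next agent run. It assumes the standard library at `$(sys.libdir)/stdlib.cf` and home directories under `/home`; the key strings are constructed placeholders.

```cfengine3
# Added example, not from the original post. Assumes the standard library under
# $(sys.libdir) and admin home directories under /home. Keys are placeholders.
body common control
{
  inputs => { "$(sys.libdir)/stdlib.cf" };
  bundlesequence => { "admin_ssh_keys" };
}

bundle agent admin_ssh_keys
{
  vars:
    # Current admins: removing a name here removes that key on every host
    # at the next agent run.
    "admins" slist => { "alice", "bob" };

    # One public key per admin (constructed placeholders, not real keys)
    "keys[alice]" string => "ssh-ed25519 AAAAC3PLACEHOLDER alice@example.com";
    "keys[bob]"   string => "ssh-ed25519 AAAAC3PLACEHOLDER bob@example.com";

    # Former admins whose files may still linger on some hosts
    "revoked" slist => { "john" };

  files:
    "/home/$(admins)/.ssh/."
      create => "true",
      perms  => mog("0700", "$(admins)", "$(admins)");

    # edit_defaults => empty rewrites the file from scratch on every run, so a
    # key that is not in policy (for example one added by hand) is dropped.
    "/home/$(admins)/.ssh/authorized_keys"
      create        => "true",
      perms         => mog("0600", "$(admins)", "$(admins)"),
      edit_defaults => empty,
      edit_line     => insert_lines("$(keys[$(admins)])"),
      classes       => results("bundle", "keys_$(admins)");

    # Revoked users keep no authorized_keys at all.
    "/home/$(revoked)/.ssh/authorized_keys"
      delete => tidy;

  reports:
    "authorized_keys for $(admins) was rewritten"
      if => "keys_$(admins)_repaired";
}
```

SSH keys are only one door: pair this with disabling the account itself and rotating any shared credentials the departing person knew.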

5. The kiddo

Railio, the hottest self-driving train startup in Silicon Valley, is in the news again, but this time to CISO Kevin’s dismay. A 13-year-old boy shows how he hacked the train company’s systems using very basic exploits found online, just one month ahead of the planned first driverless voyage. The minor didn’t harm the servers once he got in, but Kevin is concerned and embarrassed, as the brand damage is substantial. Their stock price plummets and the city of San Francisco cancels their contract. The worst part is that it could have been avoided very easily.

Recommendation: Run basic security hardening on all your systems, enforcing secure configuration and detecting security issues. CFEngine can be used both for enforcement and detection, for example with the lynis module and its compliance report: compliance-report-lynis.