Possible Vulnerability in Client Security due to Network Scanning Default Settings
I'm aware of the following post (see below) which does touch on this issue but I decided to create a new thread as while our issue is related, our requirements differ.
Because we have to meet certain security standards & compliance in my organisation, we have a yearly penetration test which is done against our perimeter & then against hosts on our LAN.
This year, the Pen Tester found an interesting issue which he suggests needs addressing ASAP as it's a security hole.
Basically, because by default Client Security 9 does not scan network drives, he was able to compromise any internal PC host on our network & then launch an attack against our servers! Effectively, our PC's acted as a stepping stone to further penetration in to our network.
The way the compromise happened is by the tester connecting an unauthorised machine on to our LAN, creating a share on that machine & then compromising someone's account credentials & impersonating them (which on a Windows network isn't that hard). He then logged into that PC & executed malware code which he deposited there. Because F-Secure wasn't scanning the network share & he wrote a zero-day vulnerability for which F-Secure had no signature for, the malware was able to execute & subsequently managed to disable F-Secure on the workstation, resulting in an infected compromised host, from which he was able to start attacks against other workstations & then servers.
This kind of attack isn't "James Bond" style espionage as this is typical of how hackers have gained access to corporate LANs using APT techniques & it was such a technique which resulted in RSA being compromised.
So, what I'd like to know is how we mitigate against this situation & what F-Secure do to protect their LAN from such an attack?
Let the debate begin as I can think of methods which would minimise this situation but they don't involve changes to F-Secure's set-up but it would involve using other network infrastructure shall we say but for this case, I'm really interested in closing down this "loop hole" shall we say!