Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

GSS warns of Citrix environment vulnerability.

Global Secure Systems (GSS) : 09 January, 2008  (New Product)
Global Secure Systems provides assessment service for Citrix users to ascertain level of risk and potential for security issues.
Recent testing by leading security consultancy, formerly PeapodUK and now incorporated into Global Secure Systems (GSS), proves serious issues can leave organisations vulnerable to a breach of their internal systems and data when deploying Citrix incorrectly. It stresses that whilst this is not an issue with Citrix itself, nor the applications it presents, it is the potentially devastating result of poor implementation of Citrix. Too many people install Citrix without comprehensive knowledge of the design and management of the Citrix environment, and careful consideration of how to mitigate risk.

Recent security assessments on Citrix environments carried out by the organisation have yielded the following statistics:

* 100 per cent of Citrix deployments tested have been vulnerable to arbitrary code execution.
* More than 80 per cent of deployments exposed commercially sensitive data.
* Many breach Data Protection Act requirements.
* Standard security procedures were not applied to most Citrix deployments.

The fastest breach was carried out within 15 seconds of logging on to the service. Even in the most locked-down environment it ever encountered, five high-risk vulnerabilities were discovered! These were the result of small errors made in configuration - typically many more such errors are found, any one of which could lead to the network being compromised.

GSS, through its merger with Peapod, has been carrying out security reviews as bespoke consulting assignments for more than five years, in environments ranging from Citrix for Windows NT 4.0 to the latest Citrix nFuse deployments on Windows 2003 Server. The different attack methods developed during this period have now been distilled into the company's new security assessment: Citrix Environment Security Assessment (CESA). CESA aims to identify the risk of anyone with legitimate access (or a compromised user account) gaining access through Citrix to system files and sensitive data belonging to colleagues, managers and directors. The ease with which this could be accomplished with the right knowledge, and the type of information that could be stolen or corrupted, is also assessed.

Robin Hollington, director of Consulting for GSS said, 'Imagine how your board would feel if they discovered that a junior clerk had subverted controls to gain access to board members' restricted network drives, had the freedom to browse through payroll, trading and research data, and the facility to export this and other sensitive information such as business plans and customer databases without being detected. Our assessments prove that this information can be readily accessed with very little knowledge and easily leaked out of the business.'

Although hardening guides are useful, simply working from these is not sufficient to secure the Citrix/Windows environment; even a single, small, overlooked opening can be exploited to give high-risk access. Furthermore, applying additional mitigation measures merely addresses the symptoms, not the causes, and can often target expenditure in the wrong areas. Testing is therefore essential to identify the real issues and select the appropriate controls.

Each CESA is unique to a given organisation, according to compliance requirements, risk appetite and experience in security architecture and administration. From the assessment results, clients gain an independent, balanced and pragmatic view of risks arising from their implementation of Citrix and the threats affecting them. The report provides a high-level executive summary, with a detailed breakdown of technical findings and quantified vulnerabilities, along with practical recommendations and guidance on appropriate countermeasures to help avoid compromise.

Given the potential for misuse, GSS will not publish exact details of the CESA test methods undertaken, but the company is concerned that some of the techniques involved are now being openly discussed in the hacker community. Even though there is not a flaw in Citrix itself, but in the implementation of it, GSS can confirm they have reported these findings to Citrix.

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo