Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Business

PENETRATION TESTING

PENETRATION TESTING

offers greater reassurance than a vulnerability assessment

John Weinschenk, General Manager, Applications and Security explains

John Weinschenk General Manager, Applications and Security, Spirent Communications

John Weinschenk General Manager, Applications and Security, Spirent Communications

It is generally accepted that no IT system can be totally invulnerable, but the next best thing is to learn about the system’s weak points before anyone else discovers them. That is why so many organisations use, or are planning to use, the services of penetration testers. “Penetration testing” – or “pentesting” for brevity – means employing people with skill and experience to seek out weak points in a company’s security – not in order to do damage, but rather to inform management and find ways to seal any gaps.

A pentester might use various tricks such as a cross-site scripting, SQL injection, a man-in-the-middle attack to capture a user’s session cookie, or a social engineering attack that gets someone to click on a link. The link can transparently download malware such as a key logger, or code that leads to remote control of the system. With roughly 70 to 80% of pentests revealing at least one critical vulnerability in the client’s infrastructure, it’s deeply satisfying to bring vulnerabilities to light.

Any organization has a range of IT environments, each with its own strengths and vulnerabilities. Here are some examples.

Supervisory control and data acquisition (SCADA) networks control vital public utilities, and rely on legacy equipment designed for efficiency and reliability, but not for security. Security solutions are typically bolted-on, introducing points of vulnerability. Some SCADA networks are isolated from the Internet, but this may encourage a false sense of security, because telecommunications networks offer many backdoors and holes. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 245 attacks in 2014, with one third of these against the energy sector.

Internet of Things (IoT) attacks. A fourfold growth in IoT is predicted in the next four years: when devices are connected, they create exponential value by communicating with each other. Communicating devices can learn to boost productivity and better suit our needs, but they may add vulnerabilities such as remote code execution, unauthorized access, authentication bypass, or stealing unencrypted data or any personally identifiable information. An attacker could look for weaknesses in device firmware, the ability to download unsigned updates, or the use of low-security FTP protocol, etc. Lack of strong passwords is common – one website allowed access to 73,000 security camera locations, because they used the default password.

Network attacks are more likely to exploit older vulnerabilities. One report found that 44 per cent of breaches came from vulnerabilities two to four years old. Server misconfiguration is another attack vector. Once an attacker gets access, he/she may search for files and data, attempt to steal login credentials, execute brute-force password attacks, hack accounts, escalate privileges, infect a system, intercept network traffic, and scan network devices. An attacker might download software in stealth mode: masking the code in high traffic, downloading it in sections, or obfuscating or encrypting the code. Malware could be masked within audio/video files or images.

Remote access and virtual private networks (VPNs) are tempting because many businesses don’t restrict access or keep VPN software up to date. An attacker might look within a network for privileged accounts and credentials still active after employees have left.

Web App attacks. eWeek reports that SQL injections are responsible for 8.1 per cent of all data breaches. It is possible to probe if SQL database commands can be injected into a data entry field, and cause a web application to deliver data, destroy data, plant malicious code, delete tables, or remove users. Attackers could send phishing links via a cross-site scripting (XSS) attack. This can cause the relay of harmful scripts through a vulnerable application from an otherwise trusted URL. The goal is to compromise information such as the session data maintained in the victim’s browser. Does an application accept invalid parameters to enable a command injection attack? This could make the application convey unsafe user-supplied data (forms, cookies, HTTP headers) to a system shell. Operating system commands could be executed using the privileges of a vulnerable application.

Mobile App attacks. Mobile traffic is more vulnerable in that it does not require a hard connection: a fake cell tower or rogue base station might be used to attract connections from targeted devices. The number of mobile users and time they spend on their mobile devices is larger than that of desktop users and it is now the leading channel for being online. But to meet this demand, many organizations prematurely port their traditional applications to mobile, leaving lots of vulnerabilities. A mobile application could be probed for excessive permissions, unsecured data in transit, exploitable device management capabilities, and extractable data such as contacts, location, and archives.

In view of the above list of possible threats, it would be wise to consider pentesting. A competent pentester is not only trained to be able to commit the attacks described above, but has also sufficient experience and creativity to combine these attacks in endless novel ways that may never occur to an internal security team. A trusted pentesting organization with a record for integrity should be chosen.

Good pentesters will start with a good idea about what to look for. They will work with the customer to design a comprehensive test plan incorporating relevant elements that can include:

  • External tests and attacks from outside a firewall
  • Internal tests and attacks from behind the firewall or using VPN
  • Application-layer tests to identify insecure application design and configuration
  • Network-layer tests using automated tools to probe the infrastructure’s configuration and reveal attack surfaces, or potential

There is also a choice of test approaches, according to the level of prior information the tester is given:

  • Black-box, where no prior information about the environment is given. This can help reveal what is discoverable from outside and where to shield.
  • Grey-box, where some information is provided to ensure that specific aspects of the infrastructure will be tested, while also revealing what is discoverable from the
  • White-box, where extensive information about the environment is given in order to enable a worst-case attack – the sort only possible with inside information – for maximum pressure on your

Professional pentesters are not only clever and experienced but also extremely motivated. They need persistence, determination, learning, and creativity every day.

A good pentesting team will provide a report that ascribes a level of risk to every vulnerability – allowing the client to prioritize security measures to ensure minimal affordable risk.

Attack can indeed be the best form of defence. Some clients tell us to go ahead and do anything, as long as we don’t remove any sensitive information.

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!


By submitting this form, you are consenting to receive marketing emails from: Global Banking & Finance Review │ Banking │ Finance │ Technology. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post