offers greater reassurance than a vulnerability assessment
John Weinschenk, General Manager, Applications and Security explains
It is generally accepted that no IT system can be totally invulnerable, but the next best thing is to learn about the system’s weak points before anyone else discovers them. That is why so many organisations use, or are planning to use, the services of penetration testers. “Penetration testing” – or “pentesting” for brevity – means employing people with skill and experience to seek out weak points in a company’s security – not in order to do damage, but rather to inform management and find ways to seal any gaps.
A pentester might use various tricks such as a cross-site scripting, SQL injection, a man-in-the-middle attack to capture a user’s session cookie, or a social engineering attack that gets someone to click on a link. The link can transparently download malware such as a key logger, or code that leads to remote control of the system. With roughly 70 to 80% of pentests revealing at least one critical vulnerability in the client’s infrastructure, it’s deeply satisfying to bring vulnerabilities to light.
Any organization has a range of IT environments, each with its own strengths and vulnerabilities. Here are some examples.
Supervisory control and data acquisition (SCADA) networks control vital public utilities, and rely on legacy equipment designed for efficiency and reliability, but not for security. Security solutions are typically bolted-on, introducing points of vulnerability. Some SCADA networks are isolated from the Internet, but this may encourage a false sense of security, because telecommunications networks offer many backdoors and holes. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 245 attacks in 2014, with one third of these against the energy sector.
Internet of Things (IoT) attacks. A fourfold growth in IoT is predicted in the next four years: when devices are connected, they create exponential value by communicating with each other. Communicating devices can learn to boost productivity and better suit our needs, but they may add vulnerabilities such as remote code execution, unauthorized access, authentication bypass, or stealing unencrypted data or any personally identifiable information. An attacker could look for weaknesses in device firmware, the ability to download unsigned updates, or the use of low-security FTP protocol, etc. Lack of strong passwords is common – one website allowed access to 73,000 security camera locations, because they used the default password.
Network attacks are more likely to exploit older vulnerabilities. One report found that 44 per cent of breaches came from vulnerabilities two to four years old. Server misconfiguration is another attack vector. Once an attacker gets access, he/she may search for files and data, attempt to steal login credentials, execute brute-force password attacks, hack accounts, escalate privileges, infect a system, intercept network traffic, and scan network devices. An attacker might download software in stealth mode: masking the code in high traffic, downloading it in sections, or obfuscating or encrypting the code. Malware could be masked within audio/video files or images.
Remote access and virtual private networks (VPNs) are tempting because many businesses don’t restrict access or keep VPN software up to date. An attacker might look within a network for privileged accounts and credentials still active after employees have left.
Web App attacks. eWeek reports that SQL injections are responsible for 8.1 per cent of all data breaches. It is possible to probe if SQL database commands can be injected into a data entry field, and cause a web application to deliver data, destroy data, plant malicious code, delete tables, or remove users. Attackers could send phishing links via a cross-site scripting (XSS) attack. This can cause the relay of harmful scripts through a vulnerable application from an otherwise trusted URL. The goal is to compromise information such as the session data maintained in the victim’s browser. Does an application accept invalid parameters to enable a command injection attack? This could make the application convey unsafe user-supplied data (forms, cookies, HTTP headers) to a system shell. Operating system commands could be executed using the privileges of a vulnerable application.
Mobile App attacks. Mobile traffic is more vulnerable in that it does not require a hard connection: a fake cell tower or rogue base station might be used to attract connections from targeted devices. The number of mobile users and time they spend on their mobile devices is larger than that of desktop users and it is now the leading channel for being online. But to meet this demand, many organizations prematurely port their traditional applications to mobile, leaving lots of vulnerabilities. A mobile application could be probed for excessive permissions, unsecured data in transit, exploitable device management capabilities, and extractable data such as contacts, location, and archives.
In view of the above list of possible threats, it would be wise to consider pentesting. A competent pentester is not only trained to be able to commit the attacks described above, but has also sufficient experience and creativity to combine these attacks in endless novel ways that may never occur to an internal security team. A trusted pentesting organization with a record for integrity should be chosen.
Good pentesters will start with a good idea about what to look for. They will work with the customer to design a comprehensive test plan incorporating relevant elements that can include:
- External tests and attacks from outside a firewall
- Internal tests and attacks from behind the firewall or using VPN
- Application-layer tests to identify insecure application design and configuration
- Network-layer tests using automated tools to probe the infrastructure’s configuration and reveal attack surfaces, or potential
There is also a choice of test approaches, according to the level of prior information the tester is given:
- Black-box, where no prior information about the environment is given. This can help reveal what is discoverable from outside and where to shield.
- Grey-box, where some information is provided to ensure that specific aspects of the infrastructure will be tested, while also revealing what is discoverable from the
- White-box, where extensive information about the environment is given in order to enable a worst-case attack – the sort only possible with inside information – for maximum pressure on your
Professional pentesters are not only clever and experienced but also extremely motivated. They need persistence, determination, learning, and creativity every day.
A good pentesting team will provide a report that ascribes a level of risk to every vulnerability – allowing the client to prioritize security measures to ensure minimal affordable risk.
Attack can indeed be the best form of defence. Some clients tell us to go ahead and do anything, as long as we don’t remove any sensitive information.