In the 2013 Stallone/Schwarzenegger movie, “Escape Plan,” Stallone plays a guy who literally wrote the book on prison design and security. He is paid to go into prisons under cover and try to break out. He looks for any flaw, weakness, or vulnerable area he can use to escape and reports his finding back to the (very unimpressed) prison officials. It’s an interesting idea but what a terrible job to have! Penetration Testing is very similar except much more fun. When we test systems (from both onsite and offsite locations), we are trying to break in, not out, and we do it from a comfortable office, not a prison cell.
Penetration Testing is often shortened to PenTesting, but you may also have heard it called Ethical Hacking, White Hat Hacking, or Black Box vulnerability testing. PenTesting is an important part of a security risk assessment, and it is also a stand-alone service we provide to executives who would rather have weaknesses revealed by us than by an attacker who intends to steal data or manipulate their networks and systems to do serious damage.
The network structure and organization of each company we work with determine the types of testing necessary for a complete PenTest and vulnerability analysis. Our methodology is a non-destructive White Hat approach: a simulated, targeted attack against the organization’s in-scope infrastructure with the goal of gaining access to sensitive or protected data. Every PenTest we conduct combines automated and manual testing methods to reveal the vulnerable areas that should be addressed.
PenTesting involves port-level and application-level scans to determine which ports are open and listening, which services are behind them, and which of those are vulnerable. This can include any device or system reachable from the internet. If a scheduling tool, client portal, or website form could be a target for attackers trying to reach your data or systems, a PenTest can reveal openings that may be exploited. Exploitation occurs at this stage using a series of vulnerability scanning tools and manual techniques. Vulnerabilities reported by scanners must then be confirmed and validated, because automated tools often flag findings from a port number or version string alone and produce false positives.
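As an added illustration (not part of the original page or the firm’s own tooling), the following Python script performs the scan-and-validate step described above against a throw-away listener on 127.0.0.1: it makes a TCP connect scan, grabs whatever banner the service sends, and marks the service as identified only when the banner confirms it. The fake SSH banner, the port table and the helper names are constructed for the example.

```python
"""TCP connect scan with banner grabbing and finding validation.

Everything runs against throw-away listeners on 127.0.0.1 so it works offline.
"""
import socket
import threading
from dataclasses import dataclass

# Port-number guesses of the kind a scanner falls back on when it cannot
# fingerprint a service. Shown here to contrast guessing with validation.
PORT_GUESS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https"}


@dataclass
class Finding:
    port: int
    state: str                # "open" or "closed"
    banner: str = ""
    service: str = "unknown"  # best current identification
    validated: bool = False   # True only if the banner confirmed the service


def start_fake_service(banner: bytes) -> tuple[socket.socket, int]:
    """Constructed stand-in for a real daemon: greets each client with
    `banner` and hangs up. Returns (listening socket, chosen port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listener was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_closed_port() -> tuple[socket.socket, int]:
    """Reserve a port that is bound but not listening: connects are refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def identify(banner: str) -> str:
    """Identify the service from what it actually says (the validation step)."""
    b = banner.upper()
    if b.startswith("SSH-"):
        return "ssh"
    if b.startswith("220 ") and "FTP" in b:
        return "ftp"
    if b.startswith("220 ") and "SMTP" in b:      # matches ESMTP as well
        return "smtp"
    if b.startswith("HTTP/"):
        return "http"
    return "unknown"


def scan(host: str, ports: list[int], timeout: float = 1.0) -> list[Finding]:
    """Connect to each port, grab a banner, and validate the service guess."""
    findings = []
    for port in ports:
        f = Finding(port=port, state="closed",
                    service=PORT_GUESS.get(port, "unknown"))
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:             # refused or timed out: closed/filtered
                findings.append(f)
                continue
            f.state = "open"
            try:
                f.banner = s.recv(256).decode("ascii", errors="replace").strip()
            except OSError:
                f.banner = ""           # silent service; needs a protocol probe
        seen = identify(f.banner)
        if seen != "unknown":
            f.service, f.validated = seen, True
        findings.append(f)
    return findings


if __name__ == "__main__":
    ssh_srv, ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_8.9\r\n")
    closed_sock, closed_port = start_closed_port()
    for finding in scan("127.0.0.1", [ssh_port, closed_port]):
        print(finding)
    ssh_srv.close()
    closed_sock.close()
```

Running it prints one Finding per port: the open port is reported as ssh and validated, the bound-but-not-listening port as closed. Against a real target the same banner check is what separates a scanner’s port-number guess from a confirmed finding, and a service that sends nothing needs a protocol-specific probe before it can be counted at all.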
Each designated IP address must be scanned to identify web-based vulnerabilities and site exposure risk along with ranking their threat priority. In addition to assessing IP vulnerabilities, advanced analysis should be performed to identify inherent exposure to future or emerging threats. This can be critical in determining security requirements and site architecture planning to mitigate future threats. Exposure should be communicated via a security posture rating and qualitative analysis of findings.
If a vulnerability is successfully exploited, what happens next is governed by the Rules of Engagement (ROE), which can range from stopping testing, preparing an incident report, taking screenshots, and briefing the client, to starting the incursion clock and attempting to penetrate as deeply into the network as possible before it expires.
Verizon’s 2014 Data Breach Investigations Report (DBIR) listed web app attacks as a top security threat in 2013.
Common Threats Identified by Penetration Testing
Brute Force Password Guessing
Attackers now have access to powerful tools that can test enormous numbers of candidate passwords very quickly. These tools gather whatever information they can about you (names, dates, addresses, numbers, places, pet names), apply common mutations such as capitalization and appended years or symbols, and work through whole dictionaries until they find a combination that matches what they gleaned from your online records. Storing passwords as slow, salted hashes (never as reversible encryption) and locking accounts after several failed logins slow a brute-force attack down and give your systems time to raise an alert. But this kind of attack is becoming harder to thwart in systems that rely on passwords alone for user authentication. A PenTest will determine how vulnerable you could be to a determined cybercriminal.
Evernote, LivingSocial, and Drupal all suffered major breaches in 2013 in which users’ hashed passwords were stolen.
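The guessing loop and the two defenses named above, as an added example in Python (not code from the original page). The wordlist generator mimics a profiling tool by combining facts about the target with common mutations; the login service stores salted PBKDF2-HMAC-SHA256 hashes, returns the same answer for unknown users and wrong passwords, and locks the account after a threshold of failures. The facts, user name, password and iteration count are constructed for the example; the iteration count should be tuned much higher in production.

```python
"""Online password guessing against a login service, with and without lockout."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


class AuthService:
    def __init__(self, lockout_threshold: Optional[int] = 5,
                 iterations: int = 100_000) -> None:
        self.accounts: dict[str, Account] = {}
        self.threshold = lockout_threshold      # None disables lockout
        self.iterations = iterations            # demo value; raise for production
        self.alerts: list[str] = []             # what monitoring would receive
        self._dummy_salt = os.urandom(16)       # keeps unknown-user timing similar

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)                   # per-account salt
        self.accounts[user] = Account(salt, self._derive(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns "ok", "fail" or "locked"; never says *why* a login failed."""
        acct = self.accounts.get(user)
        if acct is None:
            self._derive(password, self._dummy_salt)   # same cost as a real check
            return "fail"
        if acct.locked:
            return "locked"
        if hmac.compare_digest(self._derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.threshold is not None and acct.failures >= self.threshold:
            acct.locked = True
            self.alerts.append(f"lockout: {user} after {acct.failures} failures")
            return "locked"
        return "fail"


def candidate_passwords(facts: list[str], years: range) -> list[str]:
    """Constructed profiling wordlist: each fact with common mutations."""
    suffixes = ["", "1", "!"] + [str(y) for y in years]
    out = []
    for fact in facts:
        for base in (fact.lower(), fact.capitalize()):
            for suffix in suffixes:
                out.append(base + suffix)
    return out


def brute_force(svc: AuthService, user: str,
                candidates: list[str]) -> tuple[Optional[str], int]:
    """Try candidates in order; stop on success or when the account locks."""
    attempts = 0
    for pw in candidates:
        attempts += 1
        result = svc.login(user, pw)
        if result == "ok":
            return pw, attempts
        if result == "locked":
            break
    return None, attempts


if __name__ == "__main__":
    # Constructed target: surname "smith", pet "fluffy", password "Fluffy2013".
    wordlist = candidate_passwords(["smith", "fluffy"], range(2010, 2015))
    for threshold in (None, 5):
        svc = AuthService(lockout_threshold=threshold, iterations=20_000)
        svc.register("jsmith", "Fluffy2013")
        print(threshold, brute_force(svc, "jsmith", wordlist), svc.alerts)
```

With lockout disabled the attacker recovers the password on the 31st guess; with a threshold of 5 the same loop is stopped at the fifth attempt and an alert is recorded, which is the window in which your monitoring has to notice.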
Session Management and Session Hijacking
Session management is evaluated to eliminate any opportunity for session hijacking. Attackers can steal a valid session ID through cross-site scripting or an interposed proxy, or plant one in advance (session fixation), and then take over the authenticated session. Predictable session IDs, cookies issued without the Secure and HttpOnly flags, sessions that never expire, and session IDs that survive login are the usual findings.
The highly publicized Heartbleed bug in the OpenSSL encryption library leaked the contents of server memory, which could include session tokens and private keys that an attacker can use to impersonate users or the server itself.
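As an added example (not from the original page), a minimal session manager in Python that closes the common gaps: IDs come from the OS CSPRNG, the ID is rotated at login so a planted one is useless, idle sessions expire, and the cookie is issued with Secure, HttpOnly and SameSite. The clock is injectable so expiry can be exercised offline; the cookie name and timeouts are arbitrary choices for the example.

```python
"""Session handling that removes the usual hijacking and fixation openings."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Session:
    user: Optional[str]       # None until authenticated
    created: float
    last_seen: float


class SessionManager:
    def __init__(self, idle_timeout: float = 900.0,
                 now: Callable[[], float] = time.monotonic) -> None:
        self._sessions: dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.now = now                      # injectable clock for testing

    @staticmethod
    def new_id() -> str:
        # 32 random bytes from the OS CSPRNG. A counter, timestamp or user ID
        # here is exactly the flaw that lets an attacker guess someone else's ID.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = self.new_id()
        t = self.now()
        self._sessions[sid] = Session(None, t, t)
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        """Look up a session, expiring it if it has been idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.now() - s.last_seen > self.idle_timeout:
            del self._sessions[sid]
            return None
        s.last_seen = self.now()
        return s

    def authenticate(self, sid: str, user: str) -> str:
        """Bind the user to a *new* session ID; the pre-login ID stops working,
        so an ID an attacker fixed in the victim's browser is worthless."""
        if self.resolve(sid) is not None:
            del self._sessions[sid]
        fresh = self.new_id()
        t = self.now()
        self._sessions[fresh] = Session(user, t, t)
        return fresh

    def destroy(self, sid: str) -> None:
        """Server-side logout: clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)

    def cookie_header(self, sid: str) -> str:
        """Set-Cookie value: Secure (TLS only), HttpOnly (hidden from page
        scripts, so XSS cannot read it), SameSite=Lax (not sent on cross-site
        POSTs), Max-Age aligned with the server-side idle timeout."""
        return (f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax; "
                f"Max-Age={int(self.idle_timeout)}")


if __name__ == "__main__":
    mgr = SessionManager(idle_timeout=600.0)
    anon = mgr.create()
    auth = mgr.authenticate(anon, "alice")
    print("pre-login id still valid:", mgr.resolve(anon) is not None)
    print("Set-Cookie:", mgr.cookie_header(auth))
```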
Web, FTP, DNS and Mail Vulnerabilities
Attacks aimed at your website’s or email system’s files can be devastating. Malware can be used to steal FTP login credentials, and plain FTP sends those credentials across the network in cleartext. Gaining control of a site’s DNS records lets an attacker redirect visitors from your site to an entirely different domain.
An August 2013 attack by the Syrian Electronic Army, which altered DNS records through the affected domains’ registrar, hit the New York Times, Twitter, and the Huffington Post.
Denial of Service Testing
A Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack is relatively simple to mount and temporarily makes a computer, network, or service unavailable to its users. Because this kind of testing can disrupt production systems, it is performed only when explicitly authorized in the Rules of Engagement.
More than a dozen suspected members of “Anonymous” were arrested in 2011 following a series of DDoS attacks on PayPal in “Operation Avenge Assange.”
Wireless Access Points and Network Penetration Testing
Increased Risk with Wireless Availability
Wireless access to your network is a convenient productivity tool, but it also extends your network’s reach and, with it, any security risks that remain unaddressed in it. The Penetration Test must include a thorough examination of all wireless access points to locate weak configurations or rogue access points that could be exploited.
Network Penetration (Drive-by Hacking)
New security issues are raised by “Bring Your Own Device” (BYOD) policies and by employees using personal devices to access corporate networks. Employees who connect to corporate networks over unsecured public Wi-Fi often give attackers their easiest route into their employers’ systems and data.
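An added example (not the page’s own tooling) of the rogue access point check: given a constructed site-survey listing and the BSSIDs the organization actually operates, it flags evil twins (a corporate SSID broadcast from an unknown radio), lookalike SSIDs, and authorized access points running open or WEP networks. The SSIDs, BSSIDs and survey data are made up for the example.

```python
"""Spot evil twins, lookalike SSIDs and weak APs in a wireless survey."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # MAC address of the radio
    channel: int
    security: str   # "open", "wep", "wpa-psk", "wpa2-psk", "wpa2-eap", "wpa3-sae"


WEAK = {"open", "wep", "wpa-psk"}


def normalize_ssid(ssid: str) -> str:
    return ssid.strip().lower().replace(" ", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike SSIDs such as ACME-C0rp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(observed: list[AccessPoint], corporate_ssids: list[str],
          authorized_bssids: list[str]) -> list[tuple[str, str, str]]:
    """Return (bssid, kind, detail) findings from one survey."""
    corp = {normalize_ssid(s) for s in corporate_ssids}
    allowed = {b.lower() for b in authorized_bssids}
    findings = []
    for ap in observed:
        nssid = normalize_ssid(ap.ssid)
        if ap.bssid.lower() in allowed:
            # Our own radio: only its configuration can be at fault.
            if ap.security in WEAK:
                findings.append((ap.bssid, "weak_security",
                                 f"'{ap.ssid}' on authorized AP uses {ap.security}"))
            continue
        if nssid in corp:
            findings.append((ap.bssid, "evil_twin",
                             f"'{ap.ssid}' ({ap.security}, ch {ap.channel}) from unknown BSSID"))
        elif any(edit_distance(nssid, c) <= 2 for c in corp):
            findings.append((ap.bssid, "lookalike",
                             f"'{ap.ssid}' resembles a corporate SSID"))
    return findings


# Constructed survey: two legitimate radios, an evil twin, a look-alike,
# a legitimate guest radio still on WEP, and an unrelated neighbour.
SURVEY = [
    AccessPoint("ACME-Corp", "00:11:22:33:44:01", 6, "wpa2-eap"),
    AccessPoint("ACME-Corp", "00:11:22:33:44:02", 11, "wpa2-eap"),
    AccessPoint("ACME-Corp", "de:ad:be:ef:00:01", 6, "open"),
    AccessPoint("ACME-C0rp", "de:ad:be:ef:00:02", 1, "wpa2-psk"),
    AccessPoint("ACME-Guest", "00:11:22:33:44:03", 1, "wep"),
    AccessPoint("Starbucks", "aa:bb:cc:dd:ee:ff", 1, "open"),
]
CORPORATE_SSIDS = ["ACME-Corp"]
AUTHORIZED_BSSIDS = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]


def run_demo() -> list[tuple[str, str, str]]:
    return audit(SURVEY, CORPORATE_SSIDS, AUTHORIZED_BSSIDS)


if __name__ == "__main__":
    for bssid, kind, detail in run_demo():
        print(f"{kind:14} {bssid}  {detail}")
```

The baseline of authorized BSSIDs is the part that needs real maintenance: without it every corporate SSID looks like an evil twin, and with a stale one a decommissioned radio that reappears will be missed.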
A recent CyberRX simulation revealed the risk that unsecured mobile devices pose for healthcare organizations and found health information systems and medical devices to be highly vulnerable to cyber-attack.
Internal Threats to Consider
Internal network access may seem like the least risky access point and the least likely channel for hackers to reach your company’s protected data. But human error, inattention to security procedures, malicious past employees, disgruntled current staff members, and manipulation by hackers can turn your well-meaning employees into your highest risk.
Desktop Penetration & Password Cracking
Inadequate security policies and lack of training invite increased risk of unauthorized access to your network. Desktops left logged on and unattended and weak user passwords are just two ways that employees can leave the network unnecessarily at risk.
Internal users on your otherwise secure network may also be targets for sophisticated phishing or social engineering attacks. Employees who are trained to be aware of potential threats will significantly minimize the risk of a breach resulting from social engineering tactics.
Social engineering exploits human weaknesses rather than technical ones. It is the practice of obtaining information or access by deception, including fraudulent means of getting past controls such as user IDs and passwords. It is a non-technical kind of intrusion that relies heavily on human interaction and typically involves tricking individuals into breaking normal security procedures. Carefully crafted emails that persuade employees to click links or open attachments remain a preferred route into systems. Your employees must be trained to recognize such tactics and reminded to remain vigilant.
Social engineering is a component of many intrusions. It also feeds on people’s inability to keep up with a culture that depends heavily on information technology: social engineers count on people not knowing the value of the information they possess and being careless about protecting it.
Social engineering is widely expected to remain one of the greatest threats to an organization’s security. Prevention includes educating the workforce about the value of the information, training them to protect it, and increasing their awareness of how social engineers operate. Rolling out clear corporate policies and procedures, so that staff know what is and is not acceptable in their day-to-day activities within their individual roles and responsibilities, is also advised.
Each Organization’s Penetration Testing Needs are Different
These and other potential areas of risk are considered when developing an appropriate PenTest plan for each client. If you would like more information or to discuss your organization’s particular needs for network vulnerability analysis and Penetration Testing, please contact us to get started today.