“Don’t break anything” – Stickman Penetration Testing
Please don’t break anything!
This request is often heard at the end of a sign-off meeting committing to a penetration test. This offhand client request speaks directly to the importance of selecting an organisation with penetration tester skills that are sensitive to the fragility and dependencies of complex IT systems. Every business-critical service and software application is at constant risk of attack. A critical piece of a comprehensive security health plan is undergoing a regular penetration test. The medical metaphor is apt, with a penetration test having a lot in common with surgery: you need the best practitioners to find the weaknesses. Penetration testers must rigidly follow the equivalent of the Hippocratic oath “do no harm”. Their cybersecurity equivalent is “don’t break anything”.
Your employees still make mistakes
Australian privacy legislation mandates that security breaches must be reported to the Office of the Australian Information Commissioner (OAIC). In the twelve months since compulsory reporting began, the OAIC has revealed some intriguing statistics. Of the average 80 monthly data breaches reported, one third can be attributed to human error. This is in spite of billions of dollars of expenditure to upgrade firewalls, train staff, deploy anti-virus and vainly attempt to catch phishing links in email systems. After all of this investment in training and skills, one third of breaches are still due to proficient staff getting things wrong.
Who is being attacked? Everyone!
During 2019 the following well-known organisations have reported serious security breaches to the OAIC:
Australian Catholic University, Revenue NSW, Australian National University, Microsoft, Canva, CCH Software, Wolters Kluwer, WhatsApp, Wipro, Australia Post, ASUS, Bank of Queensland, Kathmandu, Citrix, Cabrini Hospital, Toyota Australia, AMP, Landmark White, Department of Parliamentary Services, Bunnings, Facebook, Optus, Fisheries Queensland, First National Real Estate, NSW Department of Planning and Environment, Victorian Government, Marriott Hotel Group / Starwood, Big W, Hawthorn Football Club, Nova Entertainment, My Health Records. (#2)
These are just the high-profile reported breaches. In spite of the legislation, successful attacks still go unreported. Leading security vendor Symantec recently faced allegations that Australian Federal Police data and other sensitive government information was hacked in one of their Australian test labs. (#3)
Even the kids are trying to break into networks.
IT administrators and CISOs can tell when the school holidays begin because of a marked increase in probes of their security defences. The people responsible are referred to as “script-kiddies” and use the same freely available open-source hacking tools that the bad guys do. Even though most lack malicious intent, an unplanned intrusion (usually a lucky guess) has the potential to stop business operations if security controls are breached. If a child can occasionally break through an organisation’s defences, what mayhem could a committed, skilled adversary wreak upon an organisation’s IT infrastructure?
Downtime costs a lot of money
What is the cost to business if a complete system restore is required to bring systems and operations back online? If it takes 6, 12 or 18 hours simply because some bored kid locates a way to breach security safeguards, what disruption could a malicious actor create? One massive outage may have been caused by a privacy activist in 2016. The attack against the Australian Bureau of Statistics took the agency offline for 24 hours during the much-vaunted eCensus migration to online forms. The organisation had taken the threats seriously, but didn’t foresee a targeted denial of service attack. The agency lacked the defences to counteract it. The police investigation remains open. It isn’t just passwords and customer information that attackers want. (#4)
Harden infrastructure against attack with a Penetration Test
One of the most important ways to increase infrastructure resilience is by commissioning a Penetration Test (pentest). A pentest is an authorised, simulated attack against an organisation’s cybersecurity defences that’s designed to discover and exploit gaps within security safeguards. The penetration tester is typically a CREST certified security researcher and their goal is to breach security measures by any legitimate means to exploit weak safeguards. A pentest is arguably the most important stress-test used to ensure the integrity of security controls. A pentest should not be confused with a vulnerability assessment in spite of their similarities. A pentest is invasive, intensive and thorough and designed to reveal shortcomings and report to the CISO on any security lapses found. A vulnerability assessment is usually automated, typically superficial and undertaken to ensure the efficacy of your security maintenance program. The audience for a vulnerability assessment is usually IT operations staff.
Penetrating your defences – Vulnerability Assessment versus Penetration Testing
The main difference between a pentest and a vulnerability assessment is intent. A pentest is an intensive, proactive audit to locate and exploit the ways and means to reach resources within your systems from an attacker’s perspective. A vulnerability assessment is reactive and designed to scan your systems looking for vulnerabilities. Another important distinction between the two is that pentests are manual and require a highly skilled, certified tester who can think and act like a devious attacker. Vulnerability assessments are software-driven, automated scans that locate, categorise, rate and report on weaknesses.
What is involved with a Penetration Test?
The goal of any pentest is to identify and classify security deficiencies and assign a risk priority to the assessor’s findings. This information is provided to the CISO and CIO in a detailed report that explains the limitations, prioritises them and offers suggestions on appropriate remediation. As in all things related to IT, the definition of a pentest encompasses a very broad category, so let’s focus on the key business drivers for two specific types of penetration test: external and internal.
External Penetration Test
An external pentest is used to try to reach digital assets from outside your security perimeter by breaching access controls to exploit and gain access to sensitive data. Assessors try to gain ingress via login screens, by scanning the internet for network connections or by breaking in via any sanctioned means. At the outset of the pentest the client may or may not exclude social engineering. Social engineering is used to trick staff into revealing login credentials or divulging passwords. Clients often exclude certain parts of their network from scrutiny too, in most cases for legal or privacy reasons. In the case of government agencies, it may be to protect state secrets or to comply with legislation.
Internal Penetration Test
An internal pentest is used to seek unauthorised access to sensitive data located within your security perimeter. It’s often used to ensure that highly sensitive data or commercial-in-confidence information is only accessible by those with a suitable clearance or appropriate role or responsibility. Salaries and intellectual property are examples of information that may be located in secure silos unavailable to all staff. Protecting sensitive government data or securing trade secrets to protect against industrial espionage is another business driver. One further example is testing internal barriers between operating entities. Creating a digital “Chinese wall” that prevents access to sensitive data is very important for many larger organisations. Another important use-case is where your organisation is linked to another using a dedicated network connection. Your security is only as good as the organisation you are connected to and vice-versa. This type of interface is common within some industries where secured direct connections are required for higher performance.
Pentest Deliverables – what you will receive with your pentest report.
A pentest report is a very detailed technical document that explains to the CIO what vulnerabilities and security gaps were discovered and the risk they pose to the organisation’s security posture. These risks will be allocated a severity ranking and given a remediation priority that will help IT administrators allocate resources. The type of severity level may also prompt the penetration tester to advise the CISO of a threat that poses an imminent risk of breach and should be dealt with immediately.
If I knew you were coming.
An important pentest variable is whether the testing is scheduled or will be part of an unplanned security audit. Often a surprise pentest can reveal poor housekeeping or lax safeguards. This type of engagement often occurs where regulatory oversight is important to the business for ongoing licensing or continued certification. This also applies in high-security environments like Defence. Random audits are also common within government to meet legislative oversight. The higher the risk, the more frequently the organisation undergoes testing. Banks and Finance providers are notorious sticklers for unscheduled security audits to ensure their high standards are maintained. Failure to do so could risk investor funds and initiate a lawsuit against management and the board. Self-interest can be a compelling driver for more diligent security initiatives!
Change is good and bad
Another driver for penetration testing is operational change. Pentests are common after the completion of a software refresh, office move or deployment of a new business application. Change is often combined with renewal or replacement within the IT department. An office relocation may coincide with upgrading to new network hardware, replacement or augmentation of Cloud infrastructure or upgrading to a new telecommunication service provider. Every add, move and change requested poses a possible security risk that must be mitigated.
Constant vigilance requires Vulnerability Testing
To test that controls and safeguards are operating correctly, a regimen of automated security testing is often part of a robust security housekeeping program. The purpose of a vulnerability assessment is to mitigate risks posed by weaknesses within IT systems, infrastructure and processes. This automated process is another tool used to help IT administrators maintain their organisation’s security posture at the highest standards that budget, time and resources permit. Vulnerability testing is usually provided by a third party, typically a specialised security provider. Organisations can purchase testing software themselves, but the best products are prohibitively expensive and require specialised practitioners to produce actionable results. In reality, it’s a perpetual state of warfare between the security defenders and attackers: savvy administrators maximise their budget returns with automation and skilled practitioners. CREST certified testers are well versed in using the best resources to maximise the return on budgets and deliver good outcomes.
Understand your real nemesis – human fallibility
Discovering vulnerabilities is a matter of pride within the ethical hacker community but, in spite of their portrayal in the media, most “White-Hat” researchers spend their days finding identical types of errors across all organisations. This is why combining regular penetration testing with scheduled monthly or fortnightly vulnerability assessment is so important. The overarching goal is to strengthen your infrastructure against the threats posed by criminals, hackers and automated attacks like denial of service. Never be complacent and overlook the risks posed by the person sitting across the room. Insider threat is often more insidious than external attack: you don’t see it coming.
Harden Up – build more resilience into infrastructure and processes
Penetration testing is a vital piece of an organisation’s security defences. The goal of a penetration test is to locate frailties and offer security advice about areas within your organisation where design, operations or dependencies could be improved. Most organisations’ technology stacks are a mish-mash of point solutions built up over the years. Keeping ahead of security attackers is a relentless task and the same rules apply to organisations irrespective of size or market vertical. Applications and technology become obsolete, products reach their end-of-life support phase and the people with the requisite skills needed to achieve the best outcome retire or move on. Penetration testing helps harden your systems and increase resilience.
Nobody enjoys going to the dentist or being audited
A pentest is an important auditing process used to dispassionately locate security failings and advise on remediation. The pentest identifies and prioritises the risks allowing the organisation to define a timeframe to repair or replace, depending upon the issue. It also is a great source of independent advice and knowledge that enables IT staff to provide their management team with business cases that support new security safeguards or investment in updated controls. The relentless attack against every organisation’s infrastructure will continue and scheduled penetration tests are a critical resource that helps to protect intellectual property and digital assets. It’s like going to the dentist. That clean bill of health at the end provides a lot of comfort that offsets the inconvenience.