Why penetration testing is an essential part of an effective security strategy

The latest in our series of comments on security, Chris Oakley, managing principal security consultant at Nettitude gives us an insight into the recent spear-phishing and black box security tests the company has run on clients – gaining access to an alarming amount of sensitive company data, including intellectual property, employee information and company contracts – as well as outlining what should have been done differently.

As data breaches continue to hit the headlines, organisations in all industries are wise to assume that they are a target.  With this in mind, the focus for businesses – particularly those that hold high-value information, such as law firms and financial services institutions – must be to ensure that a layered security strategy and incident response plan are in place, with technology, people and processes tested by security teams on a regular and ongoing basis.

The best way to prepare for a cyber attack is to run controlled simulated attacks in advance and carefully construct drills and protocols that can be put into place when any similar, real-world attacks take place.  Penetration testing (or pen testing) involves running controlled hacking exercises against an organisation’s network and systems in order to show how cybercriminals may be able to gain access.  It can involve any number of manual and automated tests being performed on corporate networks, systems and people to ascertain if they are susceptible to an attack.  The intelligence gathered during these exercises can then used to address any weaknesses that are uncovered.  This helps companies to quickly close any open avenues to attack, as well as to fully understand how attacks work so that they are better equipped to deal with real-world incidents in the future.

Example one: Spear-phishing – a simple but highly effective attack method

As a security professional with many years’ experience conducting pen tests on corporate networks, using methods ranging from simple social engineering tricks to advanced vulnerability exploits, the results are often alarming.  Here is an example of our security testing team’s success in targeting a client’s employees with a spear-phishing email in an attempt to trick users into divulging sensitive information: Of 6,000 employees, 14 received an email containing a link to a spoofed website; eight people clicked on the link and two went on to enter their credentials.  One was a senior executive and we were able to demonstrate access to their inbox and view direct and regular communication between them and the CEO.  The second individual worked on the help-desk and had certain network privileges as a result of their role.  We were therefore able to take control of their account and access the help-desk inbox, which contained a number of sensitive passwords in emails.

Example two: Gaining access to the keys to the kingdom with the black box testing method

In another recent example, our security team conducted a ‘black box’ test of a large international corporation with more than 12,000 employees.  The black box approach means that a client does not provide security testers with any information about their infrastructure.  With just a simple URL or even just the company name, pen-testers are tasked with assessing the environment as if they were an external attacker with very limited prior information.

Firstly, we located a web application with single sign-on authentication based on Windows domain credentials, which demonstrated predictable and consistent username formats.  Despite the organisation having a policy in place which required passwords to be no shorter than eight characters, with a mixture of upper and lower case letters and numbers, our team was able to gain access using ‘Password1’.  Reconnaissance led us to access a list of 400 usernames and when ‘Password1’ was tried against each of them, we gained access to the aforementioned web application.  From there, our testers were able to access an invite to the internal social network and collect 5,000 usernames.  When we re-tried ‘Password1’ against all 5,000, we gained access to another five accounts.  This led us to uncover a Secure Sockets Layer Virtual Private Network (SSL VPN) with single factor authentication.  With the log in details we’d already accessed, we had a foothold in the internal network and managed to pivot to other machines with ease, including a mail server with a number of users logged in.  After cracking some of these credentials, we found one individual who had a domain admin account with an almost identical username and the same password.  From this point we gained control of the entire Windows domain and from there, took control of the global network.

This test took less than 12 hours in total, with no prior knowledge of the organisation’s internal systems.  We gained access to an alarming amount of sensitive company data, including intellectual property, employee information and company contracts.  The client had no visibility of this and was unable to identify that anything had happened, determine the extent of it or perform any other type of incident response.  If this had been a real-world situation, an attacker would have been free to remain in the network undetected for some time, with ample opportunity to cause significant damage.

What should have been done differently?

Security is nothing if not an exercise in minimising the attack surface and there is absolutely no need for multiple employee related management services to be directly accessible to the internet.  Two factor authentication is also a must, particularly for those services that would be high value in a breach situation.  The most stringent password policy in the world, though important, will likely still result in someone choosing something memorable and weak.  Lastly, monitoring, alerting and incident response are crucial.  The ability to detect a breach and respond to it is key to mitigating the damage that can be caused by an attack.

As evidenced by a string of high-profile data breach incidents, people are often the weakest point in an organisation’s cyber security.  The risk of even the most security conscious individual clicking on a malicious link or opening a malware-laden attachment in a moment of distraction is all too real.  Added to which, with an increasingly mobile and borderless network, maintaining control over entry and exit points and knowing exactly where sensitive data resides, is becoming increasingly difficult.

With the stakes higher than ever, complacency is simply not an option and a robust security strategy must be complemented by rigorous and continuous testing, to ensure that sensitive data is better protected from increasingly sophisticated cyber criminals.