Why penetration testing is a vital part of any effective security strategy

With high-profile data breaches continuing to dominate headlines, attitudes to enterprise cyber security are starting to shift, with businesses accepting that their networks will inevitably be targeted, if they haven’t already been affected.

As a result, we’re seeing an increased focus on detection and remediation strategies rather than simply prevention. This more holistic approach is particularly important for organisations that hold high-value information, such as law firms and financial services institutions, and with the associated costs of a breach increasing exponentially, enterprises must now ensure that they are fully prepared with a layered security strategy and incident response plan in place.

However, the most sophisticated security strategy in the world will only be effective if technology, people and processes are regularly put to the test to identify and iron out any weaknesses.

The most effective way to do this is for security teams to conduct controlled simulated attacks and to carefully construct drills and protocols that can be implemented when any similar, real-world attacks take place.

Penetration testing (pen testing) involves running simulated hacking exercises against corporate networks and systems in order to reveal how cyber criminals could gain entry.

>See also: How to create an IT security strategy that balances defence with offence

The process can involve numerous manual and automated tests being performed on networks, systems and people to ascertain if they are susceptible to an attack.

The intelligence subsequently gathered during these exercises can then be used to address any weaknesses that are uncovered. Organisations are therefore able to shut down any open avenues to attack, and can gain an understanding of how today’s attacks work in order to better plan for a real-life incident.

As a security tester with a number of years’ experience conducting penetration tests on enterprise networks – using methods ranging from social engineering emails to more advanced vulnerability exploits.

A notable example involved our team targeting a client’s employees with a spear-phishing email, which aimed to dupe users into revealing sensitive information.

Of 6,000 employees, 14 received an email containing a link to a spoofed website; eight people clicked on the link and two entered their credentials. One was a senior executive and we were subsequently able to access their inbox and view direct communication with the firm’s CEO.

The second individual worked on the help-desk and held various network privileges as a result of their role. The testers could therefore take control of this account and access the help-desk inbox, which contained a number of sensitive passwords in emails. As this test revealed, spear-phishing is a simple but highly effective attack method.

Another memorable example involved a ‘black box’ test at a large global corporation with more than 12,000 employees. The black box approach means that security testers are not provided with any prior information about a client’s infrastructure.

>See also: Businesses should support the new National Cyber Security Strategy

With a URL or even just the company name, black box testers must assess the environment as an external attacker would with very limited background information.

First, the team identified a web application with single sign-on authentication based on Windows domain credentials, which revealed predictable and consistent username formats.

The organisation had a policy in place requiring passwords to be no less than eight characters, with a mixture of upper and lower case letters and numbers, yet our team was still able to gain access using ‘Password1’.

Reconnaissance led testers to access a list of 400 usernames and when ‘Password1’ was tried against each of them, we gained access to the aforementioned web application.

From there, the team accessed an invite to the internal social network and collected 5,000 usernames. By trying ‘Password1’ against all 5,000, they then gained access to another five accounts, which led them to uncover a secure sockets layer virtual private network with single factor authentication.

With the log in details that had already been accessed, testers had a foothold in the internal network and could pivot to other machines without challenge, including a mail server with a number of users logged in.

After cracking some of these credentials, they found one individual who had a domain admin account with an almost identical username and the same password. From this point the team had gained control of the entire Windows domain and from there, took control of the global network.

This particular engagement took less than 12 hours in total and was conducted with no prior knowledge of the organisation’s internal systems. The team gained access to a vast amount of highly sensitive company information, including Intellectual Property, employee data and company contracts.

The client was unable to spot that anything untoward had occurred, let alone determine the extent of the breach or perform incident response. If this had been a real-life situation, an attacker therefore would have been free to remain in the network undetected for some time, with ample opportunity to cause significant damage.

>See also: Cloud security strategies rest too heavily on blind trust – research

Organisations must take steps to minimise the attack surface by reducing the number of services that are directly accessible to the internet, and by implementing two-factor authentication to protect high-value assets.

Best practice password security policies are also important, but the tendency for people to select memorable and therefore weak passwords is an inevitability.

As a result, attention should be turned to monitoring networks, alerting on suspicious activity and immediately responding to incidents; the ability to identify a breach and take action in real-time can make all the difference in the event of an attack.

People are often shown to be the weakest link in enterprise security. Even the most security conscious individual is susceptible to clicking on a malicious link or opening a malware-laden attachment in a moment of distraction, particularly if they are expecting the email or if it’s from a trusted sender.

What’s more, with an increasingly mobile and borderless network, controlling entry and exit points and identifying where sensitive data resides, is becoming more and more difficult.

Complacency is no longer an option for enterprises. Comprehensive and robust security strategies must be supported by rigorous and continuous testing, to make sure that networks are well defended against an increasingly complex cyber threat landscape.

 
Sourced by Chris Oakley, managing principal security consultant at Nettitude

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...