What Does IT Security Look Like From A Pen Tester’s Perspective?

What does IT security look like from a pen tester’s perspective?

Understanding your areas of vulnerability is the first step in strengthening your security measures.

Key Takeaway

Pen testing is one aspect of a vulnerability management plan. If you or your business are relying heavily on the internet or networked systems (and who isn’t these days), then this is an important tool in your arsenal.

In an earlier article, What is Penetration Testing and Why Is this Important?, I mentioned that penetration testing (pen testing) is only one aspect of a vulnerability management plan but a proactive approach that brings tremendous value.

Everything is networked

One of the main concerns in IT security today is that everything is networked.

________________________________________________________________________________

Shore up your defence – get on the offensive !

Ethical Hacker and Penetration Tester Tactical Bootcamp

________________________________________________________________________________

Most organisations have network based applications and networked systems. Since the internet boom of the 1990’s, many have focused on development systems and applications. In the rush and excitement to ‘get themselves on the net’, both people and organisations found it easy to forget the security challenges that might arise. As is typical of many other security situations, the issues tend to come to the foreground once losses are suffered.

However, in the early 2000’s, many IT security incidents began to develop which led to security issues taking on a far more focused approach and effort.

I spoke recently, to Belly Rachdianto, a well regarded regional IT security trainer. With deep skill and experience on this topic, he gives us a sneak peek into the way a pen tester approaches the issue of IT security.

The challenges for the IT security engineer

In terms of infrastructure, inter-networking is a must – everyone needs and depends on it. While devices and internet bandwidth capacity are becoming more readily accessible and cheaper, the flip side of this is that many users are not giving enough attention to the potential security issues and this applies even amongst the technical crowd.

It is clear that whenever organisations spend their time reacting to these developments, hackers are taking advantage of the inconsistencies, vulnerabilities and careless mistakes caused by a lack of vision, inadequate awareness and education about these issues and inept processes.

Further complicating this issue is the ease with which hacking can be accomplished today.

Some kids, as young as 11, have the capabilities to conduct massive attacks on large organisations. They may not necessarily understand fully what they are accomplishing – the risk levels, exactly how the attacks are taking place, the impact of their action and the resulting consequence. But they are accomplishing a lot.

Hacking tools, underground forums, websites dedicated to hacking tools and technologies and seminars flourish and seem to be available almost everywhere.

So, what is the challenge for the IT security engineer? Is their focus on how to secure the system? Should they concentrate on technology or put more emphasis on people and processes?

It is clear that whenever organisations spend their time reacting to these developments, hackers are taking advantage of the inconsistencies, vulnerabilities and careless mistakes caused by a lack of vision, inadequate awareness and education about these issues and inept processes.

Internet of Things

To make matters far worse, things in the IoT (Internet of Things) and the advanced connectivity now afforded across devices, systems and services rendered to both the individual and the corporation means that many crimes today involve IT systems at some point. Whether it’s a robbery, scam, bank fraud, simple white collar crime or advanced espionage, we have well and truly arrived at the next frontier for crime – cyberspace.

Enter the world of pentesting

Penetration testing (pen-testing or pentesting) is a method of testing, measuring and enhancing established security measures on information systems and support areas. It is also known as a security assessment 1.
Typically, there are two types of pen testing conducted : black-box or white-box.

However, remember that the point of pen testing is not to show off your hacking skills. Pen testing is about helping to secure the system by simulating an attack.

With black-box testing, you are simulating the attack without having a lot of information about the target. With white-box testing however, you have background information because you might work with the affected company to locate the vulnerabilities together.

Whether you choose to go down either the black-box or white-box route depends on your client requirements. Black-box testing appears grittier and more challenging. However, remember that the point of pen testing is not to show off your hacking skills. Pen testing is about helping to secure the system by simulating an attack.

Time is of the essence

Hackers do not typically have time limits placed on them – they may have started targeting your company and systems as far as a year back or even more. Pen testers, however, typically have a 2 – 4 week window to get their job done.

If you are conducting pen testing, you can do so in two ways: actively or passively.

Active pen testing is usually done with the support of a number of tools, for example, Maltego . If you took a more passive approach, you’d just use your browser to collect information on your target.

Footprinting
The first step in any pen testing exercise is footprinting or information gathering. Attacks in the online world are almost like attacks in the physical world.

For example, if you were to rob a house, what type of information would you collect?

You’d be interested in things like :

  • the address of the house;
  • what kind of security you’ve noticed in that suburb;
  • how many windows in the house are typically left open;
  • the usual movements of the inhabitants of the house – how often they leave and the times they leave and return;
  • the number of people in the house and whether they are old or young; and
  • what kind of security detail the house has, such as alarms, motion detectors, the use of grilles on doors and windows, whether extra locks are used on doors and whether closed circuit cameras are used.

To take this example forward in terms of an organisation’s systems and infrastructure, the address of the house would refer to the IP address of the website. The windows and doors refer to the ports and services in the computer system. Alarms refer to the intrusion detection systems loaded. Dogs or security guards would refer to the Intrusion Prevention System. The grilles and automated garage doors would refer to the firewall installed.

Data, data, data

You’ll be surprised, when taking a passive approach, by how much can be accomplished just using your browser. You’re effectively collecting information from the internet. This comprises both technical and non technical types of data.

The non technical data would include things like :-

  • social media websites;
  • news websites;
  • information on the location of the target;
  • the map of the specific location and surrounding areas;
  • phone numbers;
  • email addresses of the Chief Executive or other named executives working at the company.

The attacks that could be done include attacks on the company website, social engineering as well as wireless attacks.

Technical data would enable you to get more details about the infrastructure of the target and could come from:

  • job search websites;
  • press releases; and/or
  • the target website itself.

For example, let’s say that your company is looking for a network engineer. In your job advertisement, you might post details about the role. You might be looking for “a network engineer who has experience in managing Windows 2012 servers, Windows 7, Cisco routers and Juniper firewalls… etc”. In listing these details, you inadvertently expose, to potential attackers, relevant information about your systems.

With huge amounts of data on the internet that can be linked back to you or your company, all it takes is a little bit of time and effort to put together a digital map of you or your company.

This means that you need to be careful about the quality of information you share and the level of detail given. With huge amounts of data on the internet that can be linked back to you or your company, all it takes is a little bit of time and effort to put together a digital map of you or your company.

When planning an attack, the more information you can gather, the easier it will be.

In any attack, your main focus should be the areas of vulnerability. The most relevant pieces of information that you collect on the target and the attack covers three aspects : confidentiality, integrity and availability.

Confidentiality

This is about ensuring that data is only accessible to authorised people and considering how this is done. This includes the use of usernames and passwords for site access as well as a logging-in requirement. The requirement to log in helps in identifying the privilege level of each user.

If you carry out an attack to test this aspect (for example, by using a password cracking software), you then gain access to the user online. You are also able to obtain the data that either belongs to that user or that his user privilege allows him access to. How much data you are able to access is dependent on the permission levels granted.

Integrity

Integrity refers to making sure that the data and the system have not been tampered with or altered in any way. To give you an example, you may be able to successfully access another user’s account on the system.

Let’s say this is an executive in the Accounting department, who is authorised to edit and modify entries in the accounting database. With that person’s access, you are able to make changes on this system such as delete a zero or two in the accounting data. Adding a zero to a person’s salary would mean raising that person’s salary by ten times.

Availability

This refers to the ability to control when a person is able to access the system. If you are able to get into the system, you may be able to shut all the servers down or worse, delete all the data.

What would the effect be of a national bank having their automated teller machines shut down for one day or one hour during peak hours? What effect would that have and what kind of losses may be suffered?

When carrying out an attack, you need to be aware of all potential vulnerabilities in order that you may exploit them. These vulnerabilities could be segmented into low, medium and critical vulnerabilities. Undoubtedly, your attacker will hone in on the critical vulnerabilities in order to inflict the most amount of damage possible.

For example, the typical default password is 123456. Many people choose to use passwords that they can remember but these can also be easily guessed by others. For example, belly123 or belly 2015. If the user details you are trying to crack is protected by a weak password and if that user is someone with high level access to the system (such as the administrator), your successful password cracking will then mean that you gain access to the entire system, effectively having free rein to do as you wish.
There are papers, reports and articles which go into more detail about known vulnerabilities. Alternatively, you can also do your own vulnerability research by looking at the resources companies like Microsoft may provide.

Post attack

Should you be unfortunate enough to endure a website attack, the first thing you need to do is unplug the cable. This is the cable to the server on which your website is hosted.

This isolates the attack and prevents further attacks. You don’t know if the attacker has already gained access to other servers, modified any of the affected data or installed backdoors. You are unaware if your emails have been either read or downloaded.

What happens when you find out your website has been attacked and you know this because your website has been defaced? In truth, you are already too late.

Why? A website defacement means the attack has been a success. If your website is hosted by a third party, such as WordPress, the first thing to do is to change your password, shut your website down (which means to take it offline), contact the server owner and report the incident so that the investigative process may begin.

To get an idea of how an attack may be conducted, read about the attack on Tesla’s site, app and twitter feeds conducted via AT&T which took place in April 2015. Thomas Fox-Brewster, who covered the story, pointed out a few of the weaknesses of their site and network :-

  • it is still possible to social engineer employees at huge telecoms firms;
  • domain registrars can be abused; and
  • two factor authentication was lacking in this instance.

The clear advantage of pen testing over other vulnerability management plans is that it is a proactive step taken. You test your own site to verify weaknesses. If you are a business owner or you have a relevant service offering for which you are relying on the internet to communicate, market and brand yourself, pen testing is a much needed tool in your IT security arsenal.

If you think this post is interesting, please help spread the word – share this!

Sign up to our newsletter for free

Further reading
·         Most Common Attacks Affecting Today’s Websites by Alycia Mitchell
·         Penetration testing on the cheap and not so cheap by Roger A Grimes

Belly Rachdianto

Belly Rachdianto

Belly Rachdianto has been delivering IT security courses in Indonesia, Malaysia, Singapore, Hong Kong, Myanmar and Sri Lanka for both local and multinational companies including Dell, Microsoft, IBM, Intel, Maybank, CIMB Bank, Shell, Macao Police Department, Singtel and more. Having worked on an extensive array of large-scale, mission-critical projects, systems integration, network design and implementation as well as security assessment, Belly has deep skill and experience in all aspects of network operating systems platforms, internetworking devices, security and multi-service network convergence. He has won the Instructor of the Year award in 2014 as well as the “Circle of Excellence” Instructor award from 2010 – 2012 from EC Council USA.

1 Technopedia

Headline image courtesy Bell Designs





There are no comments

Add yours

x
freshmail.com powered your email marketing