Penetration Testing: The What, the Why, the How
As with most industries, the security field is rife with jargon and technical terms that only the initiated fully understand. On top of that, there are buzz phrases, such as “Dark Web” and “Blockchain”, that make marketing executives dance with delight while the security experts in the corner roll their eyes in exasperation. One of these terms that is often used, yet not as often understood, is “penetration testing”.
Depending on who you talk to, “penetration testing” means one of three things: vulnerability scanning; traditional penetration testing; or red team testing. Thus, to avoid confusion, we will define these different terms, why each is important, and how to integrate each of them into a comprehensive security program.
Vulnerability scanning is the process of using a fully automated scanner to search for commonly known issues or patterns that might signify the presence of a vulnerability. For a network vulnerability scan, scanners usually look for service banners to identify the version of the software running on the remote host and compare that with published databases of known issues. For a website scan, scanners rely on known patterns of responses, such as the term “sqlexception” anywhere in a response to indicate a potential SQL injection vulnerability. Automated scanners may perform basic proof of concept exploits to help filter out false positives.
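The two scanner heuristics described above, banner-to-known-issue matching and response pattern matching, as an added illustration that is not from the original article; the products, version ranges and advisory labels in the table are constructed placeholders, not real advisories:

```python
import re

# Constructed sample "known issues" table: (product, first vulnerable, first fixed, label).
# Versions and labels are illustrative placeholders, not real advisories.
KNOWN_ISSUES = [
    ("OpenSSH", (7, 0), (7, 9), "PLACEHOLDER-ADVISORY-1"),
    ("Apache", (2, 4, 49), (2, 4, 51), "PLACEHOLDER-ADVISORY-2"),
]

# Banner formats handled: "SSH-2.0-OpenSSH_7.4" and "Apache/2.4.49 (Unix)".
BANNER_RE = re.compile(r"(OpenSSH|Apache)[_/](\d+(?:\.\d+)*)")

def parse_banner(banner):
    """Return (product, version tuple) or None if the banner is not recognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def match_known_issues(banner):
    """Labels whose [first vulnerable, first fixed) range contains the banner version."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [label for prod, lo, hi, label in KNOWN_ISSUES
            if prod == product and lo <= version < hi]

# Error strings a web scanner treats as a *potential* injection indicator; a hit is a
# lead for a human or a proof-of-concept check, not a confirmed finding.
ERROR_INDICATORS = ("sqlexception", "syntax error in your sql", "unclosed quotation mark")

def response_indicators(body):
    """Indicator strings present in an HTTP response body (case-insensitive)."""
    lowered = body.lower()
    return [s for s in ERROR_INDICATORS if s in lowered]

def new_indicators(baseline_body, test_body):
    """Indicators in the test response that the unmodified baseline response lacked.

    Comparing against a baseline is the cheapest false-positive filter: a page that
    always mentions "SQLException" in its help text should not be flagged."""
    seen = set(response_indicators(baseline_body))
    return [s for s in response_indicators(test_body) if s not in seen]
```

Version tuples compare element by element, so a banner version shorter than a table entry (2.4 against 2.4.49) sorts below it, which is the conservative direction for a range check.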
Regular vulnerability scanning is considered a baseline security measure by compliance standards for any company with at least one custom-built website or managed network device (including a managed website). Because it is mostly automated, ongoing scanning is also cheaper than the alternatives.
Penetration testing targets a specific scope, often a subnet/range of network hosts, a single website, or a subset of employees for social engineering, and attempts to fully identify and exploit vulnerabilities.
Penetration testing identifies whole classes of vulnerabilities that vulnerability scanning can’t, such as missing access control issues and disclosure of sensitive data, to name a few. Moreover, penetration testing provides context for identified vulnerabilities, such as the impact to the business if particular issues are exploited or how one exploit leads to multiple other ones.
While penetration testing often utilizes vulnerability scanning as part of its arsenal of tricks and tools, penetration testing is a mostly manual exercise. As a result, it is also more expensive than vulnerability scanning.
Most compliance standards dictate that relevant websites or network ranges (PCI focuses on hosts that handle credit card information, for example) should be tested at least twice a year as well as after any “significant changes”. However, “significant change” is usually left up to the company to define for itself.
Red Team Testing
One of the latest trends in the world of ethical hacking, red team testing takes penetration testing to the next step. Rather than focusing on a single website or a single network range, red team testing focuses on the whole organization. No websites, network hosts, or employees are considered out of scope in a red team test.
As a result, red team testing can take anywhere from 3 months to a full year to execute. While it is comprehensive in its approach, it is also the most expensive option for security testing. Moreover, red team testing is most effective when an organization has a well-built defense process (often called a “blue team”) to detect, and potentially even disrupt, the red team’s operation. This allows the red team engagement both to provide important security awareness of the easiest ways into the organization and to provide important training for the blue team.
Organizations that have reached the level of maturity where red team testing makes sense will usually have no more than one red team engagement per year.
The Cybersecurity and Infrastructure Security Agency (CISA) published a list of the year’s 30 most exploited vulnerabilities. In a sad twist, all of the vulnerabilities on the list have published patches from their respective vendors.
UC San Diego Health recently announced that it suffered a data breach as a result of a phishing attack dating back to December 2020. Data disclosed includes names, addresses, medical information and test results, social security numbers, payment details, and usernames and passwords. Moreover, the hospital reported that suspicious activity was detected on March 12th, but it took until April 8th for the security team to officially take action.
Speaking of data breaches, the cost of a data breach has hit an all-time high of $4.24 million per breach, according to an IBM report. This represents a record high and an astounding 10% increase over the previous year. Remote work was one of the key factors: the average cost of a breach where remote work was a factor was $1.07 million more than without it, and companies with 50% or more of employees working remotely took an average of 58 days longer to identify and contain breaches.
Whether or not to pay the extortion fee after a ransomware attack can be a controversial issue. At this point, though, it appears unlikely that the federal government will ban companies from making the ransomware payments, if they choose to do so. Nevertheless, this debate will continue to rage as the average ransom fee grew by 171% in 2020 and as many insurance companies stop reimbursing ransomware payments.
For those keeping score at home, there are apparently new ransomware gangs on the block. Based on activity on Russian hacker forums, Flashpoint reported that two new gangs have emerged, Haron and BlackMatter, that are also claiming to be the successors for DarkSide and REvil.