Why security professionals need to get more creative with penetration testing (and how to do it)

Criminals are evolving with their techniques for hacking and breaching corporate assets, so security managers need to as well. Here are some ways companies are going beyond standard pen testing in order to increase awareness

By Maria Korolov 

Security professionals have long been running penetration tests against their firewalls and other security systems to find weaknesses that need to be addressed.

The Common Vulnerability Scoring System is an industry standard, but has been around for a while.

The bad guys, however, aren’t limiting themselves to traditional perimeter attacks anymore. They’re using spear phishing, phone calls, on-site visits and other techniques to get at corporate data.

“As cyber criminals evolve, we must, as well,” said Demetrios Lazarikos, security strategist and former chief information security officer for Sears Online.

Spear phishing

Everyone already knows not to click on misspelled, unsolicited emails from foreign royalty. Today’s adversaries are smarter. Their emails use proper English and are indistinguishable from the emails the real companies send.

“Let’s say that there is a press release that goes public that says that company XYZ has just switched health provider to Blue Cross Blue Shield,” said Bob Walder, founder and chief research officer at Austin-based NSS Labs. “The bad guys are going to look at that and say, all right, company XYZ, I’m going to send an email and spoof it so that it looks like it came from Blue Cross Blue Shield, and says something like ‘Do you need help with your enrollment?’ It will be relevant to your employees.”


Defending against this kind of attack is more a matter of user education and less one of technology, he added.

After the initial education campaign, he recommended a non-threatening testing strategy, such as league tables showcasing the employees who were impervious to the scams.

“You don’t want to set yourself up as an adversary,” he said. “You can make it lighthearted, give out prizes. So people doing the dumb stuff don’t get called out, but they think if they make an effort they might win next time.”

Another benefit of putting a positive spin on penetration testing is to ensure that top management isn’t caught by the next test and publicly embarrassed.

“It’s ironic, but most of the time it’s the senior execs and the CIOs who don’t have time to read email and they scan something and click without thinking,” he said.

One of the companies using targeted emails in its penetration testing is Medford, MA-based Century Bank.

“We attempt to phish and social engineer our users several times a year,” said Adam Glick, the bank’s information security officer. “The assessment includes setting up a fake internal web server, adjusting internal DNS, and sending out a spoofed email luring users to change their expiring password or claim their free millions of dollars.”

Beyond phishing

Century Bank doesn’t stop at the emails.

Penetration testers will call employees pretending to be from IT and ask for their passwords, or try to enter secure areas dressed as employees or external maintenance workers.

“These tests are becoming paramount as phishing and social engineering are becoming ever increasing avenues for malicious players,” Glick said. “Proactively training your users and empowering them to recognize these scams is decidedly your best defensive weapon.”

Glick said that his bank uses an outside service, Framingham, MA-based Towerwall, to do the testing.

Avon, CT-based OneBeacon Insurance Group also uses a third-party testing service, NTT Com Security, based in Ismaning, Germany.

“Typically, we think of testing attacks directly at computer systems, but for a while, we have known that it is much easier to at least start the attack vector by focusing on the social engineering aspects,” said OneBeacon’s chief information security officer Joseph Topale. “Several years ago, our penetration test was expanded and continues to expand to cover the emerging social engineering pieces.”

These days, that includes not only phishing emails, but also phone calls and custom-built spoof websites, he said.

And it can get even more creative than that.

Chris Camejo, director of assessment services at NTT Com Security, recalled one client with a particular focus on physical security in sensitive areas of their facility.

“What they’ve done is have a program set up where they’ll give someone a $100 bill and have them go into a secure area without a badge on,” he said. “The first person who says, ‘Where’s the badge?’ they get the $100 bill.”

This part of security testing is easy to overlook, yet secure areas are sometimes surprisingly easy to get into, he said.

“If you have a cup of Starbucks in one hand and a Blackberry in your ear and you just waggle your elbows at the door and look pathetic, they’ll let you in because it’s obviously a really important phone call,” he said.

Even companies that don’t have critical systems on-site may not understand how much important data can be accessible to someone who just walks in, he said.

“Companies don’t realize how much information they leave lying around the office,” he said. “Backup tapes, laptops, authentication tokens, keys. There’s so much stuff that people leave sitting around – I’ve seen boxes of microfiche documents with reams of Social Security numbers on them just sitting on people’s desks.”

Some companies have other avenues of access, as well, which a determined hacker can track down.

“We’ve been called in on forensic engagements at financial institutions that performed wire transfers initiated by faxes sent in by the appropriate individuals, signed by apparently the right person,” said Mike Weber, vice president of Coalfire Labs, a Louisville, CO-based security vendor.

Multi-prong attacks

When one approach doesn’t work by itself, and a target is particularly attractive, hackers will layer on their attacks.

To guard against them, penetration testers must, as well.

Take, for example, Core Security Consulting Services, a penetration testing vendor hired to break into a credit card payment processing company. The team was able to get as far as the database files, but only had a day to figure out where the credit card numbers were stored – and there were too many files to go through them all.

“We needed a hook,” said Diego Manuel Sor, manager at Core Security. “So one of us went to a restaurant to buy some sandwiches and sodas, and the other one ran a text search looking for our credit card number in the files – we didn’t have to check all the files, just the last kilobytes.”


A penetration test can also have several layers right from the start.

“A lot of companies request a specific type of social engineering test, such as phishing or pretext calling, or physical social engineering, where we talk our way into a secure area,” said Coalfire’s Weber. “We find that those threats by themselves are easy to identify and question. But when we blend them, we get a whole lot better success.”

For example, a physical infiltration of a company might be preceded by an official-looking email announcing the visit.

“A blended social engineering attack tends to be a weak spot in many organizations,” said Travis Howe, director of security and compliance at Conga, a document management company based in Broomfield, Colorado, and a Coalfire customer. “Unfortunately, if someone wants to compromise the organization, as a security professional inside an organization, I don’t have the purview of choosing how I’m going to be attacked.”

This article was recently published in CSO Online

Is Blind Trust Making You Unsafe?

Personal and business relationships rely on trust to function, but blind trust in the digital world is downright dangerous.

We’re asked to trust companies all the time. We trust them with personal details and they promise to keep them safe. It’s the same story in the enterprise. One company will entrust another to back up and store data, keeping it accessible for employees but shutting out criminals and spies. Sometimes that trust proves to be misplaced, with disastrous results.

On a personal level, your account on a specific website may be hacked, but your exposure is not necessarily limited to that site. If you use the same password elsewhere, or you used a social media account to log in, then those accounts could be exposed too. Criminals may be able to steal your identity, or dupe your friends and family. They will almost certainly sell your data to others.

On a business level, the crown jewels of the company may be exposed to rivals or criminals. Defenses are usually set up to tackle the cyber-attacks that come head-on. If someone gains access through another vendor or partner with legitimate credentials to your system, then you may never even realize that your security has been breached.

It looks as though the recent theft of customer accounts from Target may have come through an HVAC contractor. More than a hundred million customer accounts were compromised, thanks to that allegedly ‘trusted’ third party. The big retailer and the NSA have something in common with their risk profiles: both were Snowdened.

There are basic ways to combat data theft. For starters, don’t use your social media accounts as log-in proxies to open new accounts. Two-factor authentication should be a basic standard, sensitive data and computers should be encrypted, and there has to be some oversight so that exposures can be detected and mitigated.

If your business relies on third parties, then the onus is on you to perform due diligence. Don’t make assumptions about security standards. Don’t bury your head in the sand. Ask the difficult questions, check the documentation, and scrutinize processes and procedures.

Do you know who is in your network at any given moment? Can you verify, track, and control that access? Are you certain that all the vendors and partners you do business with meet your standards?

If the answer to any of those questions is no, then you have some work to do.

By Michelle Drolet, founder and CEO, Towerwall
Special to Wired’s Innovation Insights

This article was recently published in Wired’s Innovation Insights


Towerwall Heartbleed Vulnerability Alert

Good Afternoon:

The IT infrastructure your organization relies on for day-to-day business may be affected by the Heartbleed vulnerability.

Sophos, a Towerwall partner, has prepared a podcast on the Heartbleed vulnerability, which addresses who is likely affected, workarounds, and an offer to help determine if you are vulnerable.

http://nakedsecurity.sophos.com/2014/04/10/sscc-142-heartbleed-explained-patches-evaluated-apple-chastised-podcast/

If you think you may be affected and don’t know how to tell if you are, or if you’re unsure whether you have identified all affected systems, Towerwall can conduct a discovery scan of your IP address space. We can identify each and every service that is protected with OpenSSL and test each service for this vulnerability.

If you would like our help, please contact us at 774-204-0700 or http://www.towerwall.com/contact/

Always,

Michelle Drolet