All posts by Michelle Drolet

Why security professionals need to get more creative with penetration testing (and how to do it)

Criminals are evolving their techniques for hacking and breaching corporate assets, so security managers need to as well. Here are some ways companies are going beyond standard pen testing in order to increase awareness.

By Maria Korolov 

Security professionals have long been running penetration tests against their firewalls and other security systems to find weaknesses that need to be addressed.

The Common Vulnerability Scoring System is an industry standard, but has been around for a while.

The bad guys, however, aren’t limiting themselves to traditional perimeter attacks anymore. They’re using spear phishing, phone calls, on-site visits and other techniques to get at corporate data.

“As cyber criminals evolve, we must, as well,” said Demetrios Lazarikos, security strategist and former chief information security officer for Sears Online.

Spear phishing

Everyone already knows not to click on misspelled, unsolicited emails from foreign royalty. Today’s adversaries are smarter: their emails use proper English and can be indistinguishable from legitimate mail from the companies they impersonate.

“Let’s say that there is a press release that goes public that says that company XYZ has just switched health provider to Blue Cross Blue Shield,” said Bob Walder, founder and chief research officer at Austin-based NSS Labs. “The bad guys are going to look at that and say, all right, company XYZ, I’m going to send an email and spoof it so that it looks like it came from Blue Cross Blue Shield, and says something like ‘Do you need help with your enrollment?’ It will be relevant to your employees.”

[Social engineering in penetration tests: 6 tips for ethical (and legal) use]

Defending against this kind of attack is more a matter of user education and less one of technology, he added.

After the initial education campaign, he recommended a non-threatening testing strategy, such as league tables showcasing the employees who were impervious to the scams.

“You don’t want to set yourself up as an adversary,” he said. “You can make it lighthearted, give out prizes. So people doing the dumb stuff don’t get called out, but they think if they make an effort they might win next time.”

Another benefit of putting a positive spin on penetration testing is to ensure that top management isn’t caught out in the next test and publicly embarrassed.

“It’s ironic, but most of the time it’s the senior execs and the CIOs who don’t have time to read email and they scan something and click without thinking,” he said.

One of the companies using targeted emails in its penetration testing is Medford, MA-based Century Bank.

“We attempt to phish and social engineer our users several times a year,” said Adam Glick, the bank’s information security officer. “The assessment includes setting up a fake internal web server, adjusting internal DNS, and sending out a spoofed email luring users to change their expiring password or claim their free millions of dollars.”

Beyond phishing

Century Bank doesn’t stop at the emails.

Penetration testers will call employees pretending to be from IT and ask for their passwords, or try to enter secure areas dressed as employees or external maintenance workers.

“These tests are becoming paramount as phishing and social engineering are becoming ever increasing avenues for malicious players,” Glick said. “Proactively training your users and empowering them to recognize these scams is decidedly your best defensive weapon.”

Glick said that his bank uses an outside service, Framingham, MA-based Towerwall, to do the testing.

Avon, CT-based OneBeacon Insurance Group also uses a third-party testing service, NTT Com Security, based in Ismaning, Germany.

“Typically, we think of testing attacks directly at computer systems, but for a while, we have known that it is much easier to at least start the attack vector by focusing on the social engineering aspects,” said OneBeacon’s chief information security officer Joseph Topale. “Several years ago, our penetration test was expanded and continues to expand to cover the emerging social engineering pieces.”

These days, that includes not only phishing emails, but also phone calls and custom-built spoof websites, he said.

And it can get even more creative than that.

Chris Camejo, director of assessment services at NTT Com Security, recalled one client with a particular focus on physical security in sensitive areas of their facility.

“What they’ve done is have a program set up where they’ll give someone a $100 bill and have them go into a secure area without a badge on,” he said. “The first person who says, ‘Where’s the badge?’ they get the $100 bill.”

This is an important part of security testing that is easy to overlook because it can sometimes be very easy to get into secure areas, he said.

“If you have a cup of Starbucks in one hand and a Blackberry in your ear and you just waggle your elbows at the door and look pathetic, they’ll let you in because it’s obviously a really important phone call,” he said.

Even companies that don’t have critical systems on-site may not understand how much important data can be accessible to someone who just walks in, he said.

“Companies don’t realize how much information they leave lying around the office,” he said. “Backup tapes, laptops, authentication tokens, keys. There’s so much stuff that people leave sitting around – I’ve seen boxes of microfiche documents with reams of Social Security numbers on them just sitting on people’s desks.”

Some companies have other avenues of access, as well, which a determined hacker can track down.

“We’ve been called in on forensic engagements on financial institutions that performed wire transfers initiated by faxes sent in by the appropriate individuals, signed by apparently the right person,” said Mike Weber, vice president of Coalfire Labs, a Louisville, CO-based security vendor.

Multi-prong attacks

When one approach doesn’t work by itself, and a target is particularly attractive, hackers will layer on their attacks.

To guard against them, penetration testers must, as well.

Take, for example, Core Security Consulting Services, a penetration testing vendor hired to break into a credit card payment processing company. The team was able to get as far as the database files, but only had a day to figure out where the credit card numbers were stored – and there were too many files to go through them all.

“We needed a hook,” said Digeo Manuel Sor, manager at Core Security. “So one of us went to a restaurant to buy some sandwiches and sodas, and the other one ran a text search looking for our credit card number in the files – we didn’t have to check all the files, just the last kilobytes.”
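The “hook” trick described above, reduced to code as an added example. This is not Core Security’s tooling: the directory layout, file names and record format are constructed, and the planted card number is 4111111111111111, a standard Luhn-valid sample rather than a real card. The script plants a known transaction and then searches only the trailing kilobytes of each file, where the freshest records sit, for that number. As a generalization of the same pass, also added here, it lists any Luhn-valid card-shaped strings found in those tails, so a tester who has no planted number can still see whether card data is stored in the clear.

```python
"""Locate a planted 'hook' card number by scanning only the tail of each file.

Added example, not Core Security's code. The sample tree and the test PAN
(4111111111111111, a Luhn-valid sample number) are constructed.
"""
import os
import re
import tempfile

HOOK_PAN = "4111111111111111"  # constructed test PAN, not a real card

# 14 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives when hunting for unknown card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def read_tail(path: str, tail_bytes: int) -> tuple[int, bytes]:
    """Return (absolute start offset, data) for the last tail_bytes of a file."""
    size = os.path.getsize(path)
    start = max(0, size - tail_bytes)
    with open(path, "rb") as fh:
        fh.seek(start)
        return start, fh.read()


def find_hook(root: str, hook: str, tail_bytes: int = 4096) -> list[tuple[str, int]]:
    """Walk root and return (path, absolute offset) wherever hook sits in a file tail."""
    needle = hook.encode()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            start, data = read_tail(path, tail_bytes)
            idx = data.find(needle)
            if idx != -1:
                hits.append((path, start + idx))
    return sorted(hits)


def find_pan_candidates(root: str, tail_bytes: int = 4096) -> dict[str, list[str]]:
    """Generalisation: Luhn-valid, card-shaped digit strings in each file's tail."""
    found: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            _start, data = read_tail(path, tail_bytes)
            pans: list[str] = []
            for m in PAN_RE.finditer(data):
                digits = re.sub(rb"[ -]", b"", m.group()).decode()
                if luhn_ok(digits) and digits not in pans:
                    pans.append(digits)
            if pans:
                found[path] = pans
    return found


def build_sample_tree(root: str) -> None:
    """Constructed sample: 20 decoy batch files, one of which ends with the hook."""
    filler = b"txn,2014-03-18,merchant=CONSTRUCTED,amount=12.34\n"  # 49 bytes
    for i in range(20):
        with open(os.path.join(root, f"batch{i:02d}.dat"), "wb") as fh:
            fh.write(filler * 500)  # ~24.5 KB of noise per file
    with open(os.path.join(root, "batch07.dat"), "ab") as fh:
        fh.write(b"txn,2014-03-18,merchant=SANDWICHES,pan=" + HOOK_PAN.encode() + b",amount=9.50\n")


def demo() -> dict:
    """Build the constructed tree in a temp dir and return both scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hooks = [(os.path.basename(p), off) for p, off in find_hook(tmp, HOOK_PAN)]
        cands = {os.path.basename(p): pans for p, pans in find_pan_candidates(tmp).items()}
    return {"hooks": hooks, "candidates": cands}


if __name__ == "__main__":
    result = demo()
    for name, off in result["hooks"]:
        print(f"hook {HOOK_PAN} found in {name} at offset {off}")
    for name, pans in result["candidates"].items():
        print(f"{name}: Luhn-valid candidates {pans}")
```

Only the last few kilobytes of each file are read, so a tree of thousands of large dumps is covered in one pass; raise `tail_bytes` if the target writes records in large blocks rather than one line at a time.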

[Hackers, security pros talk penetration testing, social engineering]

A penetration test can also have several layers right from the start.

“A lot of companies request a specific type of social engineering test, such as phishing or pretext calling, or physical social engineering, where we talk our way into a secure area,” said Coalfire’s Weber. “What we find is that those threats by themselves are easy to identify and question. But when we blend them, we get a whole lot better success.”

For example, a physical infiltration of a company might be preceded by an official-looking email announcing the visit.

“A blended social engineering attack tends to be a weak spot in many organizations,” said Travis Howe, director of security and compliance at Conga, a document management company based in Broomfield, Colorado, and a Coalfire customer. “Unfortunately, if someone wants to compromise the organization, as a security professional inside an organization, I don’t have the purview of choosing how I’m going to be attacked.”

This article was recently published in CSO Online

Towerwall Information/Vulnerability Alert Vol 13.69: Cisco Security Notice

Cisco Security Notice

Cisco WebEx Business Suite HTTP GET Parameters Include Sensitive Information

CVE ID: CVE-2014-0708
Release Date: 2014 March 18 19:07 UTC (GMT)
Last Updated: 2014 March 19 17:58 UTC (GMT)

Summary

A vulnerability in Cisco WebEx Business Suite could allow an unauthenticated, remote attacker to view sensitive information transmitted in GET parameters of URL requests.

The vulnerability is due to the inclusion of sensitive information in URLs as GET parameters. An attacker could exploit this vulnerability by viewing application URL requests that contain the sensitive information in GET parameters. Because full URLs are recorded in web server and proxy logs, browser history and outbound Referer headers, anything placed in a query string is exposed to whoever can read those records.

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0708
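An added example of the bug class the notice describes, sensitive data carried in GET parameters. It is not Cisco’s code and says nothing about how WebEx itself is built: the login endpoint, the list of sensitive parameter names and the access-log lines are all constructed. It shows the weak pattern (the secret ends up in the URL) beside the hardened one (the secret travels in the POST body), and a small scanner that flags offending requests in combined-format access logs, including the case where a secret-bearing URL leaks onward through the Referer header.

```python
"""Sensitive data in GET parameters: weak vs. hardened pattern, plus a log check.

Added example, not Cisco's code. Endpoint, parameter names and log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Query-string keys to treat as sensitive (assumed list; extend per application).
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "token", "session", "sessionid",
    "apikey", "api_key", "ssn", "otp",
}

# Apache/nginx "combined" log format: CLF plus quoted referer and user-agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)


def build_login_url_vulnerable(base: str, user: str, password: str) -> str:
    """The pattern the notice describes: the secret becomes part of the URL."""
    return f"{base}/login?" + urlencode({"user": user, "password": password})


def build_login_request_hardened(base: str, user: str, password: str) -> dict:
    """Same login, but the secret goes in the POST body and never into the URL."""
    return {
        "method": "POST",
        "url": f"{base}/login",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"user": user, "password": password}),
    }


def sensitive_params_in_url(url: str) -> list[str]:
    """Sensitive query-string keys present in a full URL or a request target."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({key for key, _ in pairs if key.lower() in SENSITIVE_KEYS})


def scan_access_log(lines) -> list[dict]:
    """Flag requests whose target, or whose Referer, carries a sensitive parameter.

    The Referer check matters: a URL holding a secret is re-sent to every site
    the page later links to or embeds resources from, so the leak is not
    confined to the application's own logs.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("target", "referer"):
            value = m.group(field)
            if not value or value == "-":
                continue
            keys = sensitive_params_in_url(value)
            if keys:
                findings.append({
                    "client": m.group("client"),
                    "where": "request" if field == "target" else "referer",
                    "url": value,
                    "keys": keys,
                })
    return findings


# Constructed log lines, not taken from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Mar/2014:19:07:01 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Mar/2014:19:07:02 +0000] "GET /meeting/join?id=42&token=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Mar/2014:19:07:03 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://app.example/meeting/join?id=42&token=abc123" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Mar/2014:19:07:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("weak:    ", build_login_url_vulnerable("https://app.example", "alice", "hunter2"))
    print("hardened:", build_login_request_hardened("https://app.example", "alice", "hunter2"))
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['client']} {f['where']}: {f['keys']} in {f['url']}")
```

The scanner checks the query string regardless of HTTP method, since a POST with secrets in its URL leaks exactly as a GET does; moving secrets into the body or an Authorization header, as the hardened builder does, is what keeps them out of logs and Referers.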


This vulnerability was reported to Cisco by Jim LaValley.

Affected Products

Product                      Bug ID (more information)   CVSS (base/temporal)
Cisco WebEx Meeting Center   CSCul98272                  5.0/4.8

What Is a Cisco Security Notice?

The Cisco Product Security Incident Response Team (PSIRT) publishes Cisco Security Notices to inform customers of low- to mid-level severity security issues involving Cisco products.

Customers who wish to upgrade to a software version that includes fixes for these issues should contact their normal support channels. Free software updates will not be provided for issues that are disclosed through a Cisco Security Notice.

For additional information about Cisco PSIRT publications, see the Cisco Security Vulnerability Policy at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Customers Using Third-Party Support Organizations

Customers may have Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers. For these products, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

WEB APPLICATION PENETRATION TEST

Web applications have become common targets for attackers. Relatively simple vulnerabilities are enough to give an attacker access to confidential information, which frequently includes personally identifiable information.

While traditional firewalls and other network security controls are an important layer of any information security program, they cannot block or alert on many of the attack vectors specific to web applications. It is critical for an organization to ensure that its web applications are not susceptible to the common types of attack.

Best practice is to perform a web application test in addition to regular security assessments in order to verify the security of the applications themselves.

Towerwall’s web application testing methodology is based on the Open Web Application Security Project (OWASP) methodology. Call us for more information: 774 204 0700.
