Keep the IoT in Check with Penetration Testing

It is generally accepted that no connected IT system can be totally invulnerable, but the next best thing is to learn about the system’s weak points before anyone else discovers them.

That is why so many organizations use the services of penetration testers. “Penetration testing” – or “pentesting” for brevity – means employing people with skill and experience to seek out weak points in a company’s security – not in order to do damage, but rather to inform management and find ways to seal any gaps.

Penetration testing will be critical as the number of IoT products grows and more of them connect to the Internet.

A pentester might use various tricks, such as cross-site scripting, SQL injection, a man-in-the-middle attack to capture a user’s session cookie, or a social engineering attack that gets someone to click on a link. The link can transparently download malware such as a key logger, or code that leads to remote control of the system. With roughly 70 to 80 percent of pentests revealing at least one critical vulnerability in the client’s infrastructure, it’s deeply satisfying to bring vulnerabilities to light.

Any organization has a range of IT environments, each with its own strengths and vulnerabilities. Here are some examples.

Internet of Things (IoT) attacks. A fourfold growth in IoT is predicted in the next four years: when devices are connected, they create exponential value by communicating with each other. Communicating devices can learn to boost productivity and better suit our needs, but they may add vulnerabilities such as remote code execution, unauthorized access, authentication bypass, or theft of unencrypted data or any personally identifiable information. An attacker could look for weaknesses in device firmware, the ability to download unsigned updates, or the use of the low-security FTP protocol, etc. Lack of strong passwords is common – one website allowed access to 73,000 security camera locations, because they used the default password.

SCADA networks control vital public utilities, and rely on legacy equipment designed for efficiency and reliability, but not for security. Security solutions are typically bolted-on, introducing points of vulnerability. Some SCADA networks are isolated from the Internet, but this may encourage a false sense of security, because telecommunications networks offer many backdoors and holes. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 245 attacks in 2014, with one third of these against the energy sector.

Network attacks are more likely to exploit older vulnerabilities. One report found that 44 per cent of breaches came from vulnerabilities two to four years old. Server misconfiguration is another attack vector. Remote access and virtual private networks (VPNs) are tempting targets because many businesses don’t restrict access or keep VPN software up to date.

Web App attacks. eWeek reports that SQL injections are responsible for 8.1 per cent of all data breaches. A tester can probe whether SQL database commands can be injected into a data entry field, causing a web application to deliver data, destroy data, plant malicious code, delete tables, or remove users. Attackers could send phishing links via a cross-site scripting (XSS) attack, which relays harmful scripts through a vulnerable application from an otherwise trusted URL.

Mobile App attacks. Mobile traffic is more vulnerable in that it does not require a hard connection: a fake cell tower or rogue base station might be used to attract connections from targeted devices. Mobile users now outnumber desktop users and spend more time on their devices, making mobile the leading channel for being online. But to meet this demand, many organizations prematurely port their traditional applications to mobile, leaving lots of vulnerabilities.

A competent pentester is not only trained to carry out the attacks described above, but also has sufficient experience and creativity to combine these attacks in endless novel ways that may never occur to an internal security team. Good pentesters will start with a good idea about what to look for.

There is a choice of test methods, including:

Black-box, where no prior information about the environment is given. This can help reveal what is discoverable from outside and where to shield.

Grey-box, where some information is provided to ensure that specific aspects of the infrastructure will be tested, while also revealing what is discoverable from the outside.

White-box, where extensive information about the environment is given in order to enable a worst-case attack – the sort only possible with inside information – for maximum pressure on your defenses.

A good pentesting team will provide a report that ascribes a level of risk to each vulnerability, allowing the client to prioritize security measures to ensure minimal affordable risk. Attack can indeed be the best form of defense. 
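A small defender-side audit that checks a device inventory for the IoT weaknesses named earlier (default password, unsigned updates, FTP) and orders the findings by risk, as the report described above would. This is an added example, not from the original article; the inventory fields, the device names and the risk level given to each issue are assumptions made for illustration.

```python
# Constructed inventory; the field names are hypothetical.
INVENTORY = [
    {"device": "cam-lobby", "password_changed": False,
     "services": ["http", "ftp"], "update_signature_required": False},
    {"device": "thermostat-2", "password_changed": True,
     "services": ["https"], "update_signature_required": True},
    {"device": "sensor-dock", "password_changed": True,
     "services": ["ftp", "https"], "update_signature_required": True},
]

# Lower number sorts first. The ranking is an assumed policy, not a standard.
RISK_ORDER = {"critical": 0, "high": 1, "medium": 2}

# (issue text, assumed risk level, predicate that is True when the check fails).
# A missing password or signature field is treated as a failed check.
CHECKS = [
    ("default password still in use", "critical",
     lambda d: not d.get("password_changed", False)),
    ("accepts unsigned firmware updates", "high",
     lambda d: not d.get("update_signature_required", False)),
    ("FTP service enabled", "medium",
     lambda d: "ftp" in d.get("services", [])),
]

def audit(inventory):
    """Return one finding per failed check, highest risk first."""
    findings = []
    for dev in inventory:
        for issue, risk, failed in CHECKS:
            if failed(dev):
                findings.append(
                    {"device": dev["device"], "issue": issue, "risk": risk})
    findings.sort(key=lambda f: (RISK_ORDER[f["risk"]], f["device"]))
    return findings

def summary(findings):
    """Count findings per risk level for the report header."""
    counts = {level: 0 for level in RISK_ORDER}
    for f in findings:
        counts[f["risk"]] += 1
    return counts

if __name__ == "__main__":
    report = audit(INVENTORY)
    print(summary(report))
    for f in report:
        print(f"{f['risk']:<9}{f['device']:<14}{f['issue']}")
```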




Edited by Ken Briodagh