On Thursday, October 26th A-LIGN held an Ask Me Anything (AMA) Q&A forum on Reddit, to conclude National Cyber Security Awareness Month by providing further insight into the data breach landscape. Members of our penetration testing team answered questions regarding penetration testing, hacking, and information security. Below are the top five questions asked during the forum and the answers provided by Managing Consultant, Kelly Matt, and Senior Consultants Van Bettis and Josh Valentine.
1. Are there any common problems that you find when conducting a penetration test? What tools are used to access a system?
The most common technical problems we find are SSL vulnerabilities, TLS, and encryption-level vulnerabilities. Default credentials are definitely used to access a system, even as simple as a WordPress default or a legacy system that was never changed. This is very common on printers and other polycom systems. We find that most organizations also lack a robust vulnerability management program.
2. Does it matter which type of 2-factor authentication you use (SMS, authenticator apps, physical devices)? Are some of them more secure from various attacks?
Absolutely! Text messaging is very susceptible to attacks. Many government entities and compliance regimes are no longer allowing multi-factor authentication (MFA) to be text-based. As long as you stay away from text-based MFA, you are in a much better state. If your options are either not doing anything or using text, I would still recommend using text. We recommend using MFA everywhere you can. Google Authenticator is open source and can be used anywhere. It can be tedious, but it’s worthwhile.
3. Have there been any hacks that you have been particularly proud of?
Using cross-site scripting as an initial attack vector, along with vulnerability stacking to compromise the database’s users. Once an affected user logged into the system, their credentials were immediately sent to an offsite location controlled by us. Vulnerability stacking is when you use multiple vulnerabilities to elevate an attack vector.
Vulnerabilities that were used in the attack: Cross-site scripting (XSS) and cross tenant access (accessing unauthorized tenant accounts from another tenant).
4. How does it feel to work in a field where you must “predict” what others may do? How hard is it to find solutions to the vulnerabilities that we see around?
Being an information security professional can feel overwhelming at times. The space is constantly evolving and changing and it would seem that Moore’s Law may, in fact, apply here too.
I have found that proactive processes that help identify and manage risks are of critical importance. The threat landscape is constantly evolving and a system that was perfectly safe this morning can have a Zero-day by the afternoon.
If you build a strong security foundation with measurable repeatable processes it is not that hard to defend against many of the most common attacks and vulnerabilities we see. Most of this starts with good IT hygiene and a strong culture of security.
5. When you hear of something like the Equifax breach what do you think? What could they have done differently?
Equifax had a vulnerability management program that missed a critical vulnerability allowing remote code execution. So yes, they had a program in place, however, it needed to be reviewed to ensure it was comprehensive in doing what they thought it was doing. They became security-complacent, and the breach was indicative of that. A third-party penetration test could have caught this vulnerability, no questions asked.
Have any questions regarding penetration testing and how to secure your organization from a data breach? Contact A-LIGN’s experienced penetration testers at firstname.lastname@example.org or 888-702-5446 for more information.