When it comes to compliance audits, one should never follow the “one-size-fits-all” mentality. The type of audit you need often depends on your organization’s industry, specific client requests or type of data stored. “Which Compliance Audit is Right for Me?”
Phishing scams are a serious threat to an organization, and they’re increasing in scope, complexity and number – but that doesn’t mean you’re helpless to defend yourself. In fact, it’s easier than ever to proactively protect your organization from threats by following some simple tips.
Cybersecurity examinations are an important undertaking for your organization, its health and its projected future. With no shortage of firms and examination types to choose from, preparing to undergo an audit or assessment can feel like a massive undertaking. Is the firm reliable, or is it cutting corners? Can the assessor deliver on their lofty promises? And how can you tell whether they are providing quality work?
One of the best ways to test your information security posture is to simulate realistic attacks through a penetration test. Penetration testing is designed to test the information security of the technologies and systems in place at your organization, identifying vulnerabilities that can lead to a data breach or security incident. “Test the Security of Your Information Systems: A Penetration Testing Case Study”
The hacking industry was alive and well in 2015, and it’s funny how the majority of attack vectors haven’t changed in the past five years. I thought it would be interesting to share information gathered from expert pen testers about the top three vulnerabilities uncovered in 2015, along with insight into preventing them.
The winners… drum roll please… for the most commonly exploited vulnerabilities in 2015 penetration tests:
- SQL Injection
- Cross-site Scripting (XSS)
- Misconfigured Server Settings
No surprises there, right? I have seen these same vulnerabilities since I started interfacing with security clients in 2006. I’ve categorized prevention and insight into these vulnerabilities as follows:
SQL Injection (SQLi)
If, in 20 penetration tests, you can successfully exploit an SQLi vulnerability in 2 of them, then for 10% of the companies assessed an attacker could steal their ENTIRE database through their web portal. If these numbers are reflective of websites as a whole, that means 10% of companies across the world have either already lost or will lose all of their sensitive data to attackers, which is a staggering thought. No wonder injection still ranks as #1 on the Open Web Application Security Project (OWASP) Top 10. It is #1 on our list too, because of the possible damage and the ease of exploitation.
SQLi is easy to fix too. The best way is to use a safe API that provides a parameterized interface (prepared statements with bound variables) or avoids the interpreter entirely, so that user input is only ever treated as data and never as part of the query text. If a parameterized API isn’t available, escape the special characters in the input using the database’s own escaping routine, and validate the input against a whitelist of acceptable values. Not a blacklist, though; that is too easy to get around.
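To make the difference concrete, here is an added example (not code from the original post or from A-LIGN) of the same login lookup written two ways against an in-memory SQLite database. The `users` table, its rows and the attack string are constructed here for illustration; the tautology payload dumps the whole table through the concatenated query and returns nothing through the parameterized one. The `is_valid_username` check is the whitelist the text recommends, applied as a second layer.

```python
# Added example, not from the original post: SQL injection in a login lookup,
# once with string concatenation and once with bound parameters, plus a
# whitelist check on the username. Uses only the standard library.
import re
import sqlite3

# Constructed sample data: a small "users" table behind a login portal.
SAMPLE_USERS = [
    ("alice", "s3cr3t", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
    ("carol", "pa55word", "carol@example.com"),
]

# Whitelist of acceptable usernames: letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Build the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def is_valid_username(username):
    """Whitelist validation: True only if the whole string matches the pattern."""
    return USERNAME_RE.fullmatch(username) is not None


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation: attacker input becomes SQL syntax."""
    sql = (
        "SELECT username, email FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: input is data, never query text."""
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run the classic tautology payload against both versions.

    Returns (rows_from_vulnerable, rows_from_parameterized, rows_for_real_user).
    """
    conn = make_db()
    # Closes the string literal, makes the WHERE clause always true, and the
    # trailing '--' comments out the password check.
    payload = "' OR '1'='1' --"
    dumped = login_vulnerable(conn, payload, "irrelevant")       # every row
    safe = login_parameterized(conn, payload, "irrelevant")      # no rows
    legit = login_parameterized(conn, "bob", "hunter2")          # one row
    return dumped, safe, legit


if __name__ == "__main__":
    dumped, safe, legit = demo()
    print("concatenated query returned", len(dumped), "rows:", dumped)
    print("parameterized query returned", len(safe), "rows")
    print("real login returned", legit)
    print("payload passes whitelist?", is_valid_username("' OR '1'='1' --"))
```

Note that the whitelist on its own would already have rejected the payload, but it is not a substitute for parameterization: a field that legitimately needs quotes or other punctuation (a free-text search box, for example) cannot be locked down that tightly, and the parameterized query protects it regardless.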
Cross-site Scripting (XSS)
19 of the 20 penetration tests performed had one (or many) XSS vulnerabilities, either reflected XSS or stored XSS. These are easy for hackers to exploit: just an email, blog post or clicked link away from compromising a client machine. When a clever hacker pairs an XSS vulnerability with a well-crafted phishing email, he is almost guaranteed to compromise some client PCs and accounts.
Regarding prevention, the recommendation is to escape all untrusted input at the point where it is written into a webpage, using the encoding that matches where it lands (HTML body, attribute value, JavaScript or URL). If your users can input something into a page, then so can a hacker.
The escaped output should also be paired with a whitelist of acceptable input, as with SQLi.
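As an added example (not code from the original post or from A-LIGN), the following renders a user profile fragment with and without HTML escaping, applies a whitelist to the username, and shows one case that escaping alone does not cover: a `javascript:` URL placed in an `href` survives HTML escaping intact, so the link scheme has to be whitelisted as well. The page markup, field names and payload strings are constructed for illustration.

```python
# Added example, not from the original post: output escaping for XSS,
# a whitelist on a username field, and scheme validation for links.
import html
import re
from urllib.parse import urlsplit

# Constructed sample payloads.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
URL_PAYLOAD = "javascript:alert(1)"

# Whitelist for display names: letters, digits, dot, underscore, hyphen.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def is_allowed_username(name):
    """Whitelist check: the whole value must match the pattern."""
    return USERNAME_RE.fullmatch(name) is not None


def render_unsafe(display_name, bio):
    """Vulnerable: untrusted values are concatenated straight into HTML."""
    return f"<h1>{display_name}</h1><p>{bio}</p>"


def render_escaped(display_name, bio):
    """Hardened: every untrusted value is HTML-escaped for the body context."""
    return f"<h1>{html.escape(display_name)}</h1><p>{html.escape(bio)}</p>"


def render_attribute(title):
    """Attribute context: quote=True escapes the quote characters too."""
    return f'<img alt="{html.escape(title, quote=True)}" src="/avatar.png">'


def safe_href(url):
    """Only http(s) links are allowed; anything else collapses to a dead anchor.

    urlsplit fails closed: a scheme containing stray characters parses as no
    scheme at all, which is rejected just like 'javascript:'.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link(text, url):
    """Link with a whitelisted scheme and escaped text and attribute."""
    return f'<a href="{safe_href(url)}">{html.escape(text)}</a>'


if __name__ == "__main__":
    print(render_unsafe(SCRIPT_PAYLOAD, "hi"))
    print(render_escaped(SCRIPT_PAYLOAD, "hi"))
    print(render_attribute(ATTR_PAYLOAD))
    print(render_link("my site", URL_PAYLOAD))
    print(render_link("my site", "https://example.com/?a=1&b=2"))
    print("payload allowed as username?", is_allowed_username(SCRIPT_PAYLOAD))
```

The `render_attribute` and `safe_href` functions are the reason the encoding has to match the context: `html.escape` without `quote=True` would leave the double quote in `ATTR_PAYLOAD` alone and let it break out of the attribute, and no amount of escaping turns `javascript:alert(1)` into a harmless link.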
Misconfigured Server Settings
This one is so easy to prevent and yet can cause a lot of damage when present. Many of the websites I looked at allowed me to “retrieve” sensitive information through custom-crafted URL queries. One site allowed me to browse to protected web content just by inputting some special characters after the URL. Another site allowed me to see who was logged into the server at the time.
Misconfigured server settings are also a quick fix. A repeatable hardening process applied to every web server usually catches these problems. OWASP has a good guide to configuring a server correctly here: https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration.
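The “special characters after the URL” finding above is the classic path traversal case, where `..` segments (often percent-encoded) walk out of the web root. Whether the fix is a server directive or a hardening checklist item, the check a correctly configured server applies is the one below: an added example, not code from the original post or from A-LIGN, and not a specific product’s configuration. The document root `/var/www/html` is an assumed value, and the example deliberately goes beyond the plain `../` case to cover double percent-encoding, backslashes and NUL bytes, which are the variants a pen tester tries next.

```python
# Added example, not from the original post: confine a requested URL path to
# an assumed document root, rejecting traversal in its encoded variants.
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed document root for the example


def resolve_under_root(url_path, doc_root=DOC_ROOT):
    """Map a request path to a filesystem path, or return None if it escapes.

    Steps: drop query/fragment, percent-decode twice (so %252e%252e cannot
    slip past a single decode), reject NUL and backslash, then normalize the
    joined path and require it to still sit under doc_root.
    """
    path = url_path.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(unquote(path))
    if "\x00" in decoded or "\\" in decoded:
        return None
    root = doc_root.rstrip("/")
    # lstrip("/") is required: posixpath.join discards root if the second
    # argument is absolute.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths: the first two are legitimate, the rest are
    # traversal attempts in the forms commonly seen in tests.
    samples = [
        "/index.html",
        "/images/../index.html",
        "/../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/%252e%252e/%252e%252e/etc/passwd",
        "/..%5c..%5cwindows/win.ini",
        "/index.html%00.jpg",
    ]
    for s in samples:
        print(f"{s!r:45} -> {resolve_under_root(s)}")
```

Two design points: a legitimate `..` that stays inside the root (`/images/../index.html`) is still served, because the check is on the normalized result rather than on the presence of `..`; and the function fails closed, returning `None` rather than silently remapping an escaping path to something under the root.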
These top three security fixes, as you can see, are almost banal. They don’t involve expensive hardware or strategies, but they do require a culture of security, policies and best practices. In fact, many of these findings come from point-in-time test environments, such as those complying with PCI DSS, rather than from organizations trying to establish a long-term information security management system (ISMS) framework, as the ISO 27001 standard seeks to do. At least the entities tested had a pen test and fixed the vulnerabilities.
An ongoing culture of security and establishing and updating/improving InfoSec policies can help to avoid these vulnerabilities in your organization.
Have questions about Penetration Testing?
Contact our cybersecurity professionals or call 888-702-5446.
Author: Stuart Rorer, Senior Consultant at A-LIGN.
“Big Box Store ABC Has Been Hacked, Customer Card Information Exposed!”
“E-Commerce Giant Acme Inc., Suffers Cyber Intrusion”
Headlines like these are appearing each day, most of which seem to apply to big box stores and large public companies. With the rise of these attacks, companies are scrambling to enhance their cybersecurity and protect their data from the next big breach. While preparing to defend themselves against cyber-attacks, companies easily discover the large expense that can go with it. After assessing the costs, some companies, especially smaller ones, begin to wonder if the cost is worth it.
From past conversations, I have heard many managers say they felt that their company was too small, or not as well-known as larger companies so they would not be considered for being a target. I call this hiding behind the illusion of insignificance.
It is an easy mistake, but many people fail to realize that when it comes to finding a target, cyber criminals very seldom care how large or small a company is. The cyber-attacker has many tools at his/her beck and call, many of which are automated. While some attackers want to target a specific entity for a cause or purpose, many are just as happy finding anything they can exploit. To illustrate the matter, a quick example is given below.
Hacking Because They Can
News of a new exploit affecting a popular web server platform is released on a public hacking forum. After skimming the details, the attacker notes the version numbers that are affected. Using an automated tool, or even a bot, the attacker starts probing large network ranges for servers running the vulnerable version of the software. Checking back later in the day, he/she is pleased to find well over 500 targets to choose from in such a short period of time. The tool did not differentiate between a large and a small company; it just scanned a range of addresses and looked for a version number. It is for this very reason that no one can assume they will not be attacked based on their public presence or the size of their company.
Knowing that attackers do not discriminate by company size when finding targets, the question remains: what can be done to protect a company’s information without breaking the budget? While some companies hire a full staff of information security professionals, others do not have the funds to pay the salaries of a full team. This is where companies can use penetration testing services to evaluate their information security posture and identify weaknesses before the “bad guy” does.
A-LIGN’s Penetration Testing Services
A-LIGN’s penetration testers duplicate many of the techniques that computer criminals will try against your company. During their assessment, they will look for holes in the infrastructure and try to exploit what is there to show the client the depth of vulnerabilities their company is exposed to. The level of exploitation is agreed upon by the client and A-LIGN prior to testing so as not to create any unnecessary disruptions. After the testing period is over, the results are presented in a report format so they can be reviewed. Once reviewed, the company can begin to take action to fix the issues that were found, in hopes of preventing a true attack from occurring.
Preventing and defending against cyber-attacks is not an easy task, but it is critical in today’s cybersecurity landscape. There are many proposed methods and solutions, but a penetration test is a tried and true approach to evaluating your security. Companies are like the human body: when it comes to a treatment plan, there is not always a one-size-fits-all solution. It is important not to rely on being small or less recognized than other companies as a form of protection. In making decisions about protecting your information, it is important to know what is vulnerable and where. A penetration test can help make this assessment and can provide the details needed to make better decisions in defending your infrastructure.