One of the best ways to test your information security posture is to simulate realistic attacks through a penetration test. Penetration testing is designed to test the information security of the technologies and systems in place at your organization, identifying vulnerabilities that can lead to a data breach or security incident. “Test the Security of Your Information Systems: A Penetration Testing Case Study”
In April 2016, the Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standard (PCI DSS) version 3.2. With the update came clarifications to existing requirements, additional guidance, and seven new requirements. “PCI DSS v3.2 and the Penetration Testing Requirements for Service Providers”
On Thursday, October 26th, A-LIGN held an Ask Me Anything (AMA) Q&A forum on Reddit to conclude National Cyber Security Awareness Month by providing further insight into the data breach landscape. Members of our penetration testing team answered questions regarding penetration testing, hacking, and information security. Below are the top five questions asked during the forum and the answers provided by Managing Consultant Kelly Matt and Senior Consultants Van Bettis and Josh Valentine.
1. Are there any common problems that you find when conducting a penetration test? What tools are used to access a system?
The most common technical problems we find are SSL vulnerabilities, TLS vulnerabilities, and encryption-level vulnerabilities. Default credentials are definitely used to access a system, even as simple as a WordPress default or a legacy system that was never changed. This is very common on printers and other Polycom systems. We find that most organizations also lack a robust vulnerability management program.
2. Does it matter which type of 2-factor authentication you use (SMS, authenticator apps, physical devices)? Are some of them more secure from various attacks?
Absolutely! Text messaging is very susceptible to attacks. Many government entities and compliance regimes are no longer allowing multi-factor authentication (MFA) to be text-based. As long as you stay away from text-based MFA, you are in a much better state. If your options are either not doing anything or using text, I would still recommend using text. We recommend using MFA everywhere you can. Google Authenticator is open source and can be used anywhere. It can be tedious, but it’s worthwhile.
3. Have there been any hacks that you have been particularly proud of?
Using cross-site scripting as an initial attack vector, along with vulnerability stacking to compromise the database’s users. Once an affected user logged into the system, their credentials were immediately sent to an offsite location controlled by us. Vulnerability stacking is when you use multiple vulnerabilities to elevate an attack vector.
Vulnerabilities that were used in the attack: Cross-site scripting (XSS) and cross tenant access (accessing unauthorized tenant accounts from another tenant).
4. How does it feel to work in a field where you must “predict” what others may do? How hard is it to find solutions to the vulnerabilities that we see around?
Being an information security professional can feel overwhelming at times. The space is constantly evolving and changing, and it would seem that Moore’s Law may, in fact, apply here too.
I have found that proactive processes that help identify and manage risks are of critical importance. The threat landscape is constantly evolving, and a system that was perfectly safe this morning can have a zero-day by the afternoon.
If you build a strong security foundation with measurable, repeatable processes, it is not that hard to defend against many of the most common attacks and vulnerabilities we see. Most of this starts with good IT hygiene and a strong culture of security.
5. When you hear of something like the Equifax breach what do you think? What could they have done differently?
Equifax had a vulnerability management program that missed a critical vulnerability allowing remote code execution. So yes, they had a program in place, however, it needed to be reviewed to ensure it was comprehensive in doing what they thought it was doing. They became security-complacent, and the breach was indicative of that. A third-party penetration test could have caught this vulnerability, no questions asked.
Have any questions regarding penetration testing and how to secure your organization from a data breach? Contact A-LIGN’s experienced penetration testers at firstname.lastname@example.org or 888-702-5446 for more information.
Due to the increasingly significant threat of cybercrime on businesses and consumers, New York has released cybersecurity requirements for financial services companies in the state of New York. While the SEC currently mandates that organizations need to implement “reasonable safeguards to protect a client’s nonpublic information,” the new law provides more clarity for organizations to mitigate cyberthreats. In turn, this regulation will be used to better protect consumer information and better manage the threat landscape.
- Cybersecurity Program: Organizations are required to establish a cybersecurity program designed to protect the information systems within the organization. The main functions of the cybersecurity program are:
- Identify and assess cybersecurity risks
- Develop policies and procedures to mitigate cyberthreats
- Detect and respond to cyberthreats
- Meet regulatory reporting needs
- Cybersecurity Policy: Organizations must implement and maintain written policies that denote the policies and procedures in place to protect nonpublic information. The following areas are applicable:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Systems operation and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Risk assessment
- Incident response
- Chief Information Security Officer: Organizations will be obligated to designate an individual to oversee and enforce the cybersecurity program and its policies.
- Penetration Testing and Vulnerability Assessments: Organizations must conduct an annual penetration test, along with bi-annual vulnerability assessments.
- Risk Assessment: Organizations should conduct regular risk assessments to help inform the design of the established cybersecurity program. Risk assessments need to be updated regularly to remain relevant in the event of changes in industry or internal operational structure.
- Multi-Factor Authentication: Organizations must utilize multi-factor authentication, or risk-based authentication, to protect sensitive information. Multi-factor authentication must be used when an individual accesses internal networks from an external network, unless there is authorization from the CISO in writing denoting equivalent or superior controls.
Organizations are obligated to meet the requirements set within the regulation, unless:
- The organization has fewer than ten employees in New York, including independent contractors, or
- Earns less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations, or
- Holds less than $10,000,000 in year-end total assets, calculated per GAAP
Effective March 1, 2017, financial services companies will be required to meet these cybersecurity requirements. Organizations will be required to annually prepare and submit Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations beginning February 15, 2018.
Organizations have one year from the effective date to comply with the following sections:
- Chief Information Security Officer
- Penetration Testing and Vulnerability Assessments
- Risk Assessment
- Multi-Factor Authentication
- Provide regular cybersecurity awareness for all personnel that is updated to reflect risks identified in the risk assessment.
Firms that are unable to comply with these regulations could face penalties or sanctions for non-compliance. Is your organization prepared to handle these challenges? A-LIGN’s experienced assessors can help your organization in meeting the New York State Department of Financial Services Cybersecurity Regulations. Contact our professionals today at email@example.com or 1-888-702-5446.
The hacking industry was alive and well in 2015, and it’s funny how the majority of attack vectors haven’t changed in the past five years. I thought it would be interesting to share information gathered from expert pen testers regarding the top three vulnerabilities uncovered in 2015 as well as insight into prevention.
The winners… drum roll please… for the most commonly exploitable vulnerabilities in 2015 penetration tests:
- SQL Injection
- Cross-site Scripting (XSS)
- Misconfigured Server Settings
No surprises there, right? I have seen these same vulnerabilities since I started interfacing with security clients in 2006. I’ve categorized prevention and insight into these vulnerabilities as follows:
SQL Injection (SQLi)
If in 20 penetration tests you are able to successfully exploit an SQLi vulnerability on 2 of them, that means that for 10% of the companies assessed, one could steal their ENTIRE database via their web portal. If these numbers are reflective of websites as a whole, that means that 10% of the companies across the world have either already lost or will lose all of their sensitive data to attackers, which is a staggering thought. No wonder it still ranks as #1 on the Open Web Application Security Project (OWASP) Top 10. This makes it #1 on our list too, due to the possible damage done and the ease of exploitation.
SQLi is easy to fix too. The best way to do this is to use a safe API which provides a parameterized interface or avoids the use of the interpreter altogether. If a parameterized API isn’t available, then escape the special characters in the input and enforce a whitelist of acceptable input. Not a blacklist, though; that is too easy to get around.
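To make the parameterized-API advice concrete, here is an added example (not code from the original post) that runs the same username lookup three ways against a constructed in-memory SQLite table: string concatenation, a bound parameter, and a bound parameter behind a whitelist pattern. The table rows, the probe string and the function names are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (not real data).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "staff"),
    ("bob", "bob@example.invalid", "staff"),
    ("carol", "carol@example.invalid", "admin"),
]

# Whitelist for the username field: letters, digits, dot, dash, underscore.
# A positive description of what is allowed is harder to evade than a
# blacklist of characters that are known to be dangerous.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Concatenation: the input is parsed as part of the SQL statement, so
    a quote in the input changes the query's structure."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the driver sends the value separately from the
    statement text, so it can only ever be compared as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username):
    """Whitelist check on the input's shape."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn, username):
    """Whitelist first, then the parameterized query; the whitelist gives
    defence in depth and a clean error for junk input."""
    if not is_valid_username(username):
        raise ValueError("username rejected by whitelist")
    return lookup_parameterized(conn, username)


def demo(probe="' OR '1'='1"):
    """Row counts each variant returns for a classic tautology probe.
    The concatenated query degenerates to WHERE username = '' OR '1'='1'
    and returns every row; the bound version matches nothing."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, probe)),
        "parameterized": len(lookup_parameterized(conn, probe)),
        "legitimate": len(lookup_parameterized(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to any driver that follows the DB-API: the placeholder syntax varies (`?`, `%s`, `:name`) but the separation of statement and values is what removes the injection, not the escaping of quote characters.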
Cross-site Scripting (XSS)
19 of the 20 penetration tests performed had one (or many) XSS vulnerabilities – either reflected XSS or stored XSS. These are easy for hackers to exploit, just an email, blog post or clicked link away from compromising a client machine. When a clever hacker pairs an XSS vulnerability with a well-crafted phishing email, he is almost guaranteed to compromise some client PCs and accounts.
Regarding prevention, the recommendation is to escape all untrusted input from a webpage. If your users can input something into a page, then so can a hacker.
The escaped input should also be paired with another whitelist of acceptable input.
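As an added illustration of the escaping and whitelisting advice above (not code from the original post), the block below renders the same untrusted display name two ways and checks which one hands markup to the browser. The input string, the template fragments and the function names are constructed for the example; html.escape is Python's standard-library escaper. Escaping is context-specific: the attribute variant shows that quotes must be escaped as well, and neither helper is sufficient for text placed inside a script block or a URL.

```python
import html
import re

# Constructed untrusted input for the demonstration: a display name that a
# user (or an attacker) typed into a profile form.
PROBE = "<script>alert('xss')</script>"

# Whitelist for a display name: letters, digits, spaces and a few
# punctuation marks. Pairs with escaping; it does not replace it.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,64}")


def render_greeting_unsafe(name):
    """Untrusted input dropped straight into the HTML body."""
    return "<p>Welcome back, " + name + "!</p>"


def render_greeting_safe(name):
    """Body context: html.escape turns & < > " ' into character references,
    so the browser displays the text instead of parsing it as tags."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "!</p>"


def render_search_box_safe(previous_query):
    """Attribute context: the value must sit in quotes AND have quotes
    escaped, otherwise a stray double quote closes the attribute and lets
    the rest of the input add new attributes such as event handlers."""
    return ('<input type="text" name="q" value="'
            + html.escape(previous_query, quote=True) + '">')


def is_valid_display_name(name):
    return DISPLAY_NAME_RE.fullmatch(name) is not None


def leaks_markup(rendered, untrusted):
    """Heuristic used by the demo: True when an untrusted string containing
    '<' appears verbatim in the output, i.e. its '<' was not turned into
    '&lt;' and the browser will see it as a tag."""
    return "<" in untrusted and untrusted in rendered


def demo():
    return {
        "unsafe_leaks": leaks_markup(render_greeting_unsafe(PROBE), PROBE),
        "safe_leaks": leaks_markup(render_greeting_safe(PROBE), PROBE),
        "probe_passes_whitelist": is_valid_display_name(PROBE),
    }


if __name__ == "__main__":
    print(render_greeting_unsafe(PROBE))
    print(render_greeting_safe(PROBE))
    print(demo())
```

In a real application the escaping belongs in the template engine's auto-escape setting rather than in hand-written calls, so that a forgotten call on one page does not undo the protection everywhere else.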
Misconfigured Server Settings
This one is so easy to prevent and yet can cause a lot of damage if in place. Many of the websites I looked at allowed me to “retrieve” sensitive information through custom crafted URL queries. I had one site that allowed me to browse to protected web content just by inputting some special characters after the URL. Another site allowed me to see who was logged into the server at the time.
Misconfigured server settings are also a quick fix. A repeatable hardening process for all web servers usually catches any problem. OWASP has some great guides to configuring a server correctly here: https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration.
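The anecdote above about reaching protected content by appending special characters to a URL reads like a directory traversal problem (an assumption on my part; the post does not name the technique). The block below is an added example, not from the original post or from OWASP's guide, of the server-side check a hardening process should require before a request path is mapped to a file: decode the path fully, reject control characters and backslashes, resolve it against the web root and refuse anything that does not stay inside it. The root path, the sample requests and the function names are constructed for the demonstration.

```python
import os
from urllib.parse import unquote

# Constructed web root for the demonstration; it does not need to exist on
# disk because the check works on normalized path strings.
WEB_ROOT = "/srv/app/public"


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the web root."""


def _fully_decode(path, max_rounds=3):
    """Undo percent-encoding until it stops changing, so a double-encoded
    '..' (%252e%252e) cannot slip past a check that decodes only once."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise PathTraversalError("path is percent-encoded too many times")


def resolve_under_root(web_root, requested_path):
    """Map a URL path onto a filesystem path that is guaranteed to lie
    inside web_root, or raise PathTraversalError."""
    decoded = _fully_decode(requested_path)
    # NUL bytes truncate C strings in some servers; backslashes are path
    # separators on Windows and have no business in a URL path.
    if "\x00" in decoded or "\\" in decoded:
        raise PathTraversalError("forbidden character in path")
    root = os.path.realpath(web_root)
    # Strip leading slashes so os.path.join cannot be told to restart at '/'.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath has collapsed every '..' (and any symlink); the result must
    # still have the root as its common prefix.
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError("path escapes web root: " + requested_path)
    return candidate


def is_safe_request(requested_path, web_root=WEB_ROOT):
    try:
        resolve_under_root(web_root, requested_path)
        return True
    except PathTraversalError:
        return False


# Constructed sample requests: the first two are legitimate, the rest try to
# walk out of the web root in progressively more obfuscated ways.
SAMPLE_REQUESTS = [
    "/index.html",
    "/css/site.css",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/etc/passwd",
    "/static/..%2f..%2f..%2fetc/passwd",
    "/images/logo.png%00.jpg",
]


def demo():
    """Verdict for each sample request."""
    return {req: is_safe_request(req) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, ok in demo().items():
        print(("allow " if ok else "reject") + "  " + req)
```

The order of operations matters: decode first, then normalize, then compare, because a check that inspects the raw string for `..` is defeated by encoding, and one that compares before resolving symlinks can be defeated by a link inside the root that points outside it.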
These top three security fixes, as you can see, are almost banal. They don’t involve expensive hardware or strategies, but they do involve a culture of security, policies, and best practices. In fact, many of these findings come from point-in-time test environments, such as those complying with PCI, vs. organizations trying to establish a long-term information security management system framework, or ISMS, as the ISO 27001 standard seeks to do. At least the entities tested had a pen test and fixed the vulnerabilities.
An ongoing culture of security and establishing and updating/improving InfoSec policies can help to avoid these vulnerabilities in your organization.
Have questions about Penetration Testing?
Contact our cybersecurity professionals or call 888-702-5446.
Author: Stuart Rorer, Senior Consultant at A-LIGN.
“Big Box Store ABC Has Been Hacked, Customer Card Information Exposed!”
“E-Commerce Giant Acme Inc., Suffers Cyber Intrusion”
Headlines like these are appearing each day, most of which seem to apply to big box stores and large public companies. With the rise of these attacks, companies are scrambling to enhance their cybersecurity and protect their data from the next big breach. While preparing to defend themselves against cyber-attacks, companies easily discover the large expense that can go with it. After assessing the costs, some companies, especially smaller ones, begin to wonder if the cost is worth it.
From past conversations, I have heard many managers say they felt that their company was too small, or not as well-known as larger companies so they would not be considered for being a target. I call this hiding behind the illusion of insignificance.
It is an easy mistake, but many people fail to realize that when it comes to finding a target, very seldom do cyber criminals care how large or small a company is. The cyber-attacker has many tools at his/her beck and call, many of which are automated. While there are some attackers who want to target a specific entity for a cause or purpose, many instead are just as happy finding something they can exploit. To illustrate the matter, a quick example is given below.
Hacking Because They Can
Released on an online public hacking forum is the news of a new exploit that affects a popular web server platform. After skimming the details, the attacker locates the version numbers which are affected. Using an automated tool, or even a bot, the attacker starts probing large network areas for servers with the vulnerable version of software. Checking back later in the day, he/she is exuberant in finding well over 500 targets to choose from in such a short period of time. The tool was not able to differentiate between a large or small company, it just scanned a range of addresses and looked for a version number. It is for this very reason that no one can assume that they will not be attacked based on their public presence or the size of their company.
Knowing that no company is discriminated against in the process of target finding, the question still remains on what can be done to protect a company’s information and not break the budget while doing so. While some resort to hiring a full staff of information security professionals for their company, others do not have the funds to dedicate towards providing the salaries of a full team. This is where companies can use penetration testing services to evaluate their information security posture to identify weaknesses before the “bad guy” does.
A-LIGN’s Penetration Testing Services
A-LIGN’s penetration testers duplicate many of the techniques that computer criminals will try against your company. During their assessment, they will look for holes in the infrastructure and try to exploit what is there to show the client the depth of vulnerabilities their company is exposed to. The level of exploitation is agreed upon by the client and A-LIGN prior to testing so as not to create any unnecessary disruptions. After the testing period is over, the results are presented in a report format so they can be reviewed. Once reviewed, the company can begin to take action to fix the issues that were found, in hopes of preventing a true attack from occurring.
Preventing and defending against cyber-attacks is not an easy task, but it is critical in today’s cybersecurity landscape. There are many proposed methods and solutions, but a penetration test is a tried and true approach to evaluating your security. Companies are like the human body: when it comes to a treatment plan, there is not always a one-size-fits-all solution. It is important not to rely on being small or less recognized than other companies as a form of protection. In making decisions for protecting your information, it is important to know what is vulnerable and where. Having a penetration test can help to make this assessment and can help provide the details needed to make better decisions in defending your infrastructure.