Stuck in traffic as you head to work, your Twitter feed goes on overdrive. It is another hacking story that has hit your sector. But this time round, it is your organization. As a board member, you break into a sweat, wondering how the CIO will explain this one. Could we have known the loopholes that these criminals have exploited? What’s the damage to our organization in terms of financial implications, penalties and reputation?
In 2015, the tenth annual Cost of Data Breach Study conducted by Ponemon Institute found that the average consolidated total cost of a data breach was $3.8 million, and that the average cost per compromised record was $154. Kaspersky’s report on Damage Control: The Cost of Security Breaches stated that enterprises will spend approximately $551,000 to recover from a breach, plus additional $69,000 in indirect costs. This is no chicken feed! I think that if more organizations were willing to divulge the actual costs, this figure would be much higher.
Why conduct a penetration test?
Kaspersky reports that the top three major consequences of a breach include loss of access to business-critical information, damage to company reputation and temporary loss of ability to trade. To prevent the above, penetration testing (“pentesting”) is one effective way of demonstrating that exploitable vulnerabilities within your organization’s IT infrastructure have been identified, allowing suitable protective measures to be taken such as patches, configuration changes or access control. Japan has announced this month that next year they will set up a penetration testing arm called Industrial Cybersecurity Promotion Agency, to identify vulnerabilities in physical control systems that could lead to real-world damage the 2020 Olympic Games.
Apart from being a standard feature for any IT security team wanting to understand how strong their defenses are, pentests are an essential component of any infosec management system of an IT organization that is (or wants to be) certified under ISO 27000. They will contribute to risk assessment, risk treatment and continual improvement. Similarly, requirement 11 of the PCI DSS covers the need to regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks. So whatever industry you may be in, there may be a regulatory or government requirement to comply through penetration testing.
Is there a right way to pentest?
A pentest involves simulating a malicious attack on an organization’s cyber security arrangements, by using a combination of methods and tools. I believe that to perform pentesting in the right way it has to encompass the process, technology and people elements in IT. According to the PCI DSS penetration testing guide, pentesting is a three step affair. The first step is pre engagement where scoping, documentation and past reviews are reviewed, as well as rules of engagement and success criteria defied. Then comes engagement where the actual tests are conducted including post-exploitation after initial compromise. Finally, post engagement activities are conducted including remediation best practices, retesting identified vulnerabilities and cleaning up the environment.
While penetration testing is a time consuming affair, it should be scheduled as part of IT security audits probably twice a year but should also be conducted if there has been a major change on the IT infrastructure such as a major systems upgrade, patching after a security alert or when new systems or organizational arms go live.
The right tools for pentesting
Generally, the two main types of penetration testing tools are reconnaissance tools and exploitation tools. The former would include scanners like Nessus, OpenVAS and Nmap, password crackers like Cain & Abel or John the Ripper and packet crafting tools such as Hping, Scapy and Yersinia. I would recommend that pentesters use a combination of tools for this work to increase their chances of finding weak spots. Exploitation tools then are deployed based on reconnaissance findings, and include Metasploit, Core Impact Pro and w3af as well as payload tools like Meterpreter or msfvenom.
Getting the best out of pentesting
The output from a successful pentest would be a report of exploited vulnerabilities as well as the required corrective action. Any organization should be committed to put the resources in place to address the issues highlighted from this report within the shortest time period. If no action is taken, then there is really no point in doing the tests. And if the report is too voluminous with no prioritization, chances are that no one will be motivated to act. It is also important that IT organizations engage suitable external ethical hackers from time to time to simulate real world attacks since it is likely that their own internal pentesters are unlikely to be spending all their time learning the latest methodologies.
NIC’s weakest link happens to be a password that is 16 characters long, which at times is hard to remember. As a managed service provider specializing in security among other fields, we are passionate about pentests. Contact us and get best in class ethical hackers who will quickly let you know the critical vulnerabilities existing in your infrastructure and how to eliminate them.