Tag: Pentest

  • Your Security Gear Is Not Enough

    Perhaps I am a little biased considering what we do at Raxis, but I am convinced that it isn’t a good idea to bet the farm on the latest security gear to defend your organization.

    In 2017 alone, we’ve all seen many major hacks, including substantial releases from Shadow Brokers and WikiLeaks.  There’s a lot already lost, such as voter registration data and consumer credit information.

    Don’t get me wrong, I think the latest fancy security solution can help.  However, our team at Raxis is seeing many attacks that are not being stopped by current gear.  For example, we’ve breached applications through manually fuzzing API calls using a method that most hardware can’t protect against.  The latest web application firewall might be able to stop these attacks, but most organizations don’t configure it appropriately to do so.  In some cases, it’s a logic error that we’re able to exploit to gain information from the backend systems without making any illegal calls.

    And even worse, we’ve seen, time and time again, where security operations centers send an email out with no further action taken.

    Our experience also has shown that nearly every organization has a far weaker security posture internally.  Once the perimeter is breached, from using a stolen password to gaining shell access through a web service call, pivoting to other machines is often quite trivial.  None of this is hard to exploit, but fortunately none of it is hard to fix.  

    The problem is not the difficulty of the fix, it is knowing what needs to be fixed.  In almost every case, the hacks we find are very simple to execute, and our customer had no idea they existed.

    The fix for these hacks usually is not spending $100K on a new fancy next generation firewall with all of the bells and whistles.  It’s a simple code change or a system that was missed in patch management.  Perhaps this is too good to be true; but, keep in mind that hackers go after the path of least resistance.  It is far easier to breach your competitor with the Windows 2003 server install than to spend significant time researching how to get past your reasonably secure system.So keep buying your security gear.  Combine it with a penetration test on every single piece of code that runs in production, and we’ll help you find the vulnerabilities you missed. 

  • Vulnerability Scan Vs Penetration Test: What’s The Difference

    Many people seem confused when it comes to understanding the difference between a vulnerability scan and a penetration test. This article will examine the differences between the two and help guide you with decision points in making the right choice for your needs.

    Vulnerability Scan

    A vulnerability scan is conducted using an automated tool that is purpose built to identify potential security gaps on a remote system. This ‘vulnerability scanner’ sends targeted traffic to ports and services on systems and analyzes the responses in an attempt to identify the presence of a vulnerability. At the completion of the scan, a report is generated. The engineer that initiated the scan designates what type of report to generate depending on the specific requirements with regards to verbosity, margin of error, intended purpose, or other business drivers. Some reports are hundreds of pages detailing each individual “finding” while others are as simple as a two page summary.Because a vulnerability scanner has a limited means with which to validate the presence of a vulnerability, the accuracy of the output may be suspect. Depending upon the scanner configuration and the target system, a report may contain a myiad of false positives or fail to identify legitimate vulnerabilities. The end result is that a security engineer has a laundry list of possible flags to chase down and attempt to verify the validity of the issues as well as develop a solution.

    Penetration Test

    A penetration test is a real-world exercise at infiltrating your network systems. To such ends, a security engineer will utilize many tools (including in some cases a vulnerability scan). Wheras vulnerability scanning is a largely automated process, penetration testing involves manual and targeted testing using specific toolsets and custom scripts. Using a combination of techniques and technical knowledge, the penetration tester focuses their efforts on areas of exposure that likely constitute a legitimate risk to an organization’s security.Having identified likely insertion points, the penetration tester will actively attack gaps in the network’s security posture. The execution of a practical attack using the same methodologies that an actual attacker would employ is the most effective way by which to ascertain the real world exposure of a given system or network.As the engineer begins to infiltrate the system he or she will take detailed notes and screen shots documenting the process. The goal is to articulate to the customer the nature of the exposure, and how its presence helped to facilitate a compromise.A seasoned penetration tester will provide a detailed report outlining the various vulnerabilities as well as the severity of each finding within the context of the business, something that a vulnerability scanner cannot provide. The result is an actionable report that provides validation of exposures and targeted guidance on remediation measures.

    Which is Best?

    A true penetration test by a qualified engineer is most often the best overall value for a business. Not only does the stakeholder gain an understanding of the workflow of a real-world attack they also get specific guidance from the perspective of an attacker on what measures would be most effective in thwarting validated attacks. This is articulated in the context of the business drivers of the organization. The end result is that the security organization can focus their efforts where they are most effective and prioritize remediation tasks based on real-world data.A penetration test is more expensive because of the thoroughness of the assessment and the greater value of the outputs. A vulnerability scan is a good starting point and may achieve the bare minimum of satisfying compliance mandates. An organization that understands the difference between compliance and security, however, will endeavor to move beyond automated outputs and seek to understand the practical nature of their security posture.

    Are All Penetration Tests The Same?

    The short answer is no. When you are shopping for a penetration test there are several things you should consider:

    1. Get a sample report – some companies are much more informative in their documentation and a sample report will reflect what you should expect to receive.
    2. History – ask about the team and their experience working with organizations of a similar caliber.
    3. Diversification – find out the background of the team members; the technical expertise brought to bear during the test should be appropriate to the technologies that your organization utilizes.
    4. Duration of test – based on your specific situation ask how long the assessment should take to perform. This may be governed in part by the scope of assessment or other logistical factors.
    5. Their level of specialization – do they only offer penetration testing or do they also provide other products and services.

    Each of these questions will give you insight to the quality of assessment you’ll receive. Especially in security, the relationship between cost and value is subject to variation. Determine if the team is going to spend adequate time on your assessment and if their security engineers have the expertise for your specific situation. Compare reports and insure the report will satisfy your ability to properly remediate the findings. And finally, don’t be afraid to ask to speak to a security engineer and dive deep in questioning their methodologies and experience with the type of testing you need. A competent penetration testing provider will not shy away from such discussions and will welcome the opportunity to add value to your security program.

  • Ransomware – What you can do to avoid being a victim

    Ransomware is the hot topic today. Malicious actors infect your system with sinister code that hijacks your information. In its most pure form it encrypts your data and yanks it from within your very grasp. Leaving behind only a message – a ransom note. If you ever wish to see your precious data ever again, you will pay. If you don’t pay, your data will be deleted and you will find yourself in the unemployment line.It’s the kind of thing that keeps business owners and managers up at night.The question is – what do you do to guard against it? Once the ransom appears on your screen, you’re done. There are several steps you should be taking to safeguard against ransomware.

    1. Prevention

    The number one thing you should do to guard against ransomware is to seal up the cracks. Find a good penetration testing company and have your internal and external networks evaluated. The right penetration testing company is going to come in with no credentials and attempt to exploit every weakness your network has. Don’t confuse this with a vulnerability scan – a true penetration test (pen test) approaches your system just like a real hacker. A real person is working your network and looking for exploits.Include social engineering (email phishing, vishing and spear phishing specifically) to your assessment. Ransomware often infiltrates your system by malicious code unintentionally installed by an employee. Using a found USB stick, visiting a malicious website, giving up credentials to an official sounding phone call, clicking a link in an email, etc. etc…. All of these are inadvertent ways an employee may infect their system.The report and remediation recommendations you will get from a pen test are priceless for patching the holes in your security. Evaluate your pen test company carefully. Ask to see sample reports and determine the depth of analysis you will truly get. Do not be guided by price alone.Along with assessing the network for vulnerabilities you should also consider a robust endpoint protection solution with an awareness of ransomware and zero-day vulnerabilities.Patching as a component of a comprehensive vulnerability management program should also be considered as a foundational element in any ransomware mitigation strategy.

    2. Anticipation

    Remember the saying – “failing to plan is planning to fail”. Ransomware is becoming more and more prevalent. You need to know what data you have, where you have it, and when it was last backed up. A completely audited data system will be much easier to restore. This will also help you get a grip on what has been compromised.

    3. Backup, Cloud backup and Services

    Once the thief has your data, the jig is up. Your data is encrypted, and there is a ransom to get it back. You’re not going to hack the encryption. If you pay – you’ll usually get your data back (not to mention a target on your back). If you don’t pay – they delete the data and you’re likely out of business.Once the attack happens you have three choices – pay the ransom, go out of business or restore from a backup.You DO backup, right? Surprisingly many companies don’t, and the ones that do often don’t have good practices in place for consistency. It’s critical this backup be separate from your network. You have a few options with backups:1 – Consistent internal backups to off-site drives isolated from the network.2 – Cloud based backupsWhile many experts agree that ransomware has not yet made the leap to the cloud, the issue is getting the data back in time for a reasonable restore. Normal data transfers aren’t reasonable with typical large companies. There are services available that will overnight a hard drive to your door once you’ve been attacked.

    4. Restoration Plan

    You need a plan in place to restore the data once you get it. Regardless of how you choose to backup and restore – you need this plan. You will have to wipe the entire system and systematically restore it. You also need to keep in mind the data you are restoring has the same vulnerability that got you hacked in the first place. So a smart hacker is likely to get right back in – and the game of cat and mouse continues.You can’t afford to keep playing the game. Restore the system and immediately get it assessed and patched. By now you should see why step 1 is so crucial to avoiding ransomware. You are also likely seeing why step 2 is important.Ransomware is here to stay for a while. It’s the new age stagecoach heist. The hi-tech way of bank robbery. Your best defense is a strong offense, good preparation and a plan for business continuity if and when it happens to you.

  • Penetration Testing Pricing

    Updated: April 9, 2018

    How Much Should You Pay for A Pen Test?

    It’s my job to ensure that we’re priced right and delivering a strong value for what we charge.  Yet, I’m continually amazed at the price differential I am seeing for penetration tests (pen tests).  With prices ranging from $1,500 to hundreds of thousands of dollars, I can imagine how difficult it might be for our customers to understand how penetration testing pricing works.Similar to many things that you buy, generally the higher cost products tend to be better than the lower cost products.  While this is likely true in the pen testing world too, how do you know what is adequate for your needs?  Even though there’s a need for high dollar tests at the highest category, most companies don’t need to spend $250,000 on a multi-month penetration test.  For just one week of penetration testing, pricing ranges from $1,500 to about $15,000 for a full retail price.  However, not all pen tests are equal.Here’s a breakdown of why pen testing prices are so different.  There are other elements that might come into play, such as on-site vs. remote and remediation testing, however this list focuses on the penetration test work itself.

    Skill Set

    Not all pen testers are the same, and the proposed pen test pricing should reflect that.  For example, some pen testers are incredible at hacking Windows systems, but are not nearly as strong when it comes to Linux or mobile technology.  Make certain that the team is well versed in all technologies that you have in scope.  Many environments have a huge mix of Linux, Windows, Android, iOS, Mac OS X, Cisco IOS, Wireless networks, and others.  Your pen tester needs to have skills in all of the areas that affect your environment to perform a valid test.

    Time Dedicated to the Job

    The amount of time that a penetration tester spends on a job can really vary, leaving lots of room in how the jobs are quoted. Some pen testers believe that a week, two weeks, or even months are required to get a comprehensive test completed on your network. If you’re quoted anything less than a week, I would hope that it’s an extremely small scope of just a few IPs with no services running on them.  Otherwise, I’d be skeptical.  The key here is to make sure the time spent on the job makes sense with what you’ve deemed in scope for the test.  Keep in mind a single IP with a large customer facing web portal with 10 user roles will take a lot more time than 250 IP addresses that only respond to ping.

    Methodology

    There’s a few different ways to complete a penetration test.  I’ve broken them down into types for reference.

    • Type A would be to search for the low hanging fruit and gain access to a system as quickly as possible. The goal would be to pivot, gain additional access to other systems, ensure retention of the foothold, and finally exfiltrate data. This is a true penetration test and demonstrates exactly what would happen in the event of a real world breach. Some companies call this a “deep” penetration test as it gains access to internal systems and data. It’s the type of test that we prefer to do and what I would recommend as this is what the real adversarial hackers are doing.
    • Type B searches for every possible entry point and validates that the entry point actually is exploitable. This validation is most often completed by performing the exploit and gaining additional privileges. The focus with this type is to find as many entry points as possible to ensure they are remediated. The underlying system might be compromised, but the goal is not to pivot, breach additional systems, or to exfiltrate data. This type is often useful for regulatory requirements as it provides better assurance that all known external security vulnerabilities are uncovered.
    • Type C is really more of a vulnerability scan where the results from the scanner report are validated and re-delivered within a penetration testing report. Many of your lower cost firms are delivering this as a penetration test, although it really isn’t one. It’s just a paid vulnerability scan, and, in some cases, that might be all you need. We offer a vulnerability scan called the BSA on an automatic, recurring basis and it is very useful in discovering new security risks that are caused by changes to the environment or detecting emerging threats. No, it’s not a pen test 😉

    My recommendation would be to ensure both Type A and B are part of your pen test.  This means that even a small IP range will have a week long test at a minimum, but it is the most comprehensive way to pen test your environment and best meets regulatory requirements as well.  Type A will ensure that a test is completed allowing pivoting and exfiltration of information.  Type B will get you that comprehensive test of any vulnerabilities found to ensure that you’re fixing real issues and not false positives.

    Don’t Go too Low

    If someone is offering you a pen test for less than $3,000 for an entire week of effort, I would be very skeptical that you’re getting an actual penetration test. The ethical hackers that perform these tests are costly, and as they don’t work for a salary that would fit the bill rate.  Remember that these resources need to understand networking, operating systems, applications, and security all at the same time.  In addition, there is also cost overhead from operating a business that should be considered.Regardless, penetration testing is a vital part of a strong security program.  Most regulations and security professionals recommend it be performed annually.  It’s better to be hacked by a pen testing vendor than the alternative, so give us a call at Raxis, and we’ll be glad to help you improve your security by uncovering any hidden security risks.