Security vendors are experts at peddling cyber fear porn to sell their latest products and technologies to desperate executives looking for a silver bullet to an admittedly tough problem. Protecting enterprise infrastructure and data requires balancing so many often conflicting requirements and variables that IT and security teams are understandably susceptible to simple solutions to a complex problem, even costly ones.
Even so, no matter how robust the security strategy seems on paper, it's impossible to know its effectiveness until it's attacked. As Mike Tyson said, "Everybody has a plan until they get punched in the mouth," and when it comes to security, a sustained attack by knowledgeable, persistent attackers is a veritable haymaker. However, the worst time to find out the strength of your front door is when a horde is battering it. Fortunately, there are less stressful and destructive ways of ascertaining your enterprise security than an attack.
Penetration tests, aka pen tests, are a type of ethical hacking in which authorized cyber mercenaries attempt to breach an organization's defenses, record the results, i.e. vulnerabilities and offer mitigating fixes. Pen tests are an aggressive supplement to passive, reactionary security measures like intrusion detection systems, security event monitoring and password audits. As such, pen tests are more likely to provide tangible, actionable feedback about an organization's risks and mitigations. As the saying goes, “When your headlights aren’t on, the best rearview mirror available isn’t likely to improve your driving," and pen tests amount to a powerful headlight illuminating an organization's security posture.
Summarized pen test results are ominous
Pen tests are typically conducted by specialist firms with hackers for hire. Many of these aggregate and summarize their findings in reports that provide a synopsis of enterprise vulnerability to attack, the most common and successful exploits and trends of attack frequency and severity. I'll review data from several reports, starting with the most recent from Positive Technologies summarizing its work with 28 clients in 2019.
The report was limited to external pen tests in which outside attackers seek to compromise internal systems and excluded internal pen tests simulating insiders trying to breach systems without authorization. The company also omitted tests it felt weren't representative of an organization's overall security either because of significant constraints placed on the pen testers or the small number targets. Unlike other reports, Positive Technologies did not include attacks on Wi-Fi networks or those using social engineering to trick employees into downloading malicious software. Even so, the results paint a grim picture, as the following numbers illustrate:
- 93% success rate (26/28) at penetrating the local network.
- An average of two penetration methods per company, with one ill-prepared organization having 13 openings.
- One-sixth of tests revealed traces of previous (real, not pen tests) attacks.
- On average, penetrating a network took four days, but one entry took only 30 minutes.
- 71% of successful penetrations could be achieved by an unskilled hacker.
- 77% of penetrations came through Web applications, with Web vulnerabilities spotted at 86% (24/28) of companies.
The fact that such a small percentage of attacks required any sophistication or multiple steps of escalation is both disturbing and hopeful since although these leave enterprises exposed to an enormous population of script kiddies, it also means the holes are easy to plug.
The entry point for the vast majority of successful attacks was a poorly configured Web server, most often by either brute force attacks to acquire login credentials or exploiting flaws in Web application code. Bruteforce credential attacks also frequently worked on publicly-facing database servers, remote access gateways and file transfer servers.
PTsecurity categorized the detected vulnerabilities using the Common Vulnerability Scoring System, a measure that is used to rank a vulnerability's severity. It found that 57% of the Web vulnerabilities and half the password policy errors were critical, compared to only a quarter of the software configuration flaws. Most of these relied on security bugs that have been fixed. For example, one Web application used an outdated version of a PHP framework with a remote execution flaw used to run a payload that established an HTTP connection to a remote host that could then access the internal network.
Similar results from other pen test summaries
The results from Positive Technologies agree with pen test reports from other security companies such as Rapid7, Lares and Coalfire. Lares found that the most common pen test entry points from its engagement are:
- Brute Forcing Accounts With Weak and Guessable Passwords
- Kerberoasting, namely, brute force attacks on downloaded encrypted Kerberos authentication tickets used by Windows Domain Controllers to expose plain-text credentials.
- Excessive File System Permissions
- WMI Lateral Movement, namely exploiting the Windows management interface to execute malicious code, modify system settings.
- Inadequate Network Segmentation
- Inappropriate Access Control
- Post-Exercise Defensive Control Tuning, which is a broad category covering insufficiently tuning and reacting to alerts from existing SIEM systems and thereby missing malicious activity that is already being detected.
- Malicious Multifactor Enrollment or MFA Bypass, namely exploiting weaknesses in an organization's MFA self-enrollment process.
- Phish-in-the-Middle (PiTM) in which a compromised email account is used to remotely distribute malicious code that unsuspecting recipients are tricked into executing.
Coalfire's list of top pen test vulnerabilities highlights many of the same mistakes.
Unlike PTsecurity, Coalfire found that most external pen test vulnerabilities weren't high risk, but, understandably internal attackers were much more likely to exploit holes with severe consequences. The number of critical vulnerabilities generally decreased over the past year, however, serious application flaws doubled. The report doesn't have enough information to ascertain a reason for the dramatic increase, but the sample size (623 tests) rules out statistical variance, yet it seems unlikely that programmers suddenly got sloppier.
However, according to RiskBased Security's summary of publicly disclosed data breaches found the extent of data loss is getting worse. It found a 15% increase in the average severity score over the past quarter, with 26% of data breaches so far in 2020 exposing at least 10,000 records.
Coalfire found that phishing attacks were particularly successful. It tested a typical social engineering attack designed to trick email recipients into giving up login credentials and found at least one victim at 71% of its clients. Worse still, at 20% of the clients, attackers had a fifty-fifty shot at success, with half of the employees providing their username and password. Rapid7 found that laborious phishing attacks often aren't necessary to capture login credentials since in 72% of its pen tests, attackers could acquire passwords via brute force methods including generic password spraying, using known defaults or easily guessed passwords ("abc123", "password", etc.).
Whether the subject is your tax return, business financial records or IT security status, the results of most audits are usually alarming. However, unlike typical security audits that examine policy documents and operational processes, pen tests provide an accurate simulation of an actual attack, exposing flaws and their consequences. Like bank audits, the most realistic and accurate pen tests are unannounced, have executive-level sponsorship and deliver actionable recommendations.
Most IT leaders know what needs to be done to improve security, but things like installing a multifactor authentication system, outsourcing email to a SaaS provider that can better prevent phishing attacks, implementing automated patch management processes and hardening Web applications and servers costs time and money. The results of pen test might provide the fear necessary to motivate executives into turning their cyber-security platitudes into actions.