The Virtual CISO


Why Penetration Tests Are So Essential

Avoiding the Massive Potential Costs of a Data Breach

Corporate network security breaches, which can prove costly to remediate and expose a company to lawsuits, are frequently the result of vulnerabilities that could have been fixed for a relatively low cost.


One of the most effective ways to identify vulnerabilities is to conduct a risk assessment. And the guts of a good risk assessment is a brute force penetration test.

Based on my experience with pen test engagements, the most successful are those that quickly reveal gaps and vulnerabilities that can be grouped into remediation categories. An example might be exposure to POS malware such as BlackPOS, Chewbacca and Backoff across multiple networks in a retail chain, which would indicate active exposures.

Case Study: Finding Vulnerabilities

In one recent case, I was part of an external cybersecurity advisory team that conducted a limited security review of a company's computer infrastructure. The effort was seeded with 49 IP addresses, 34 email addresses and 13 websites.

From the initial data, our team was able to discover more sites that led to a presence on the corporate network. Our team's simulated attackers were able to compromise 50 user credentials and 21 computers and gain subsequent access to both their POS system and their order entry system.

The assessment was conducted in three phases: external, phishing and internal.

The external phase identified actionable threats against their network, including remote code execution via JBoss and SQL injection. The majority of the external attack surface was found on the company's web applications. The company's anti-phishing capabilities successfully stopped two of our phishing attempts.

But during the internal phase, our team's white hat attackers moved laterally throughout the entire network via the external access provided by the JBoss issue.

While the company's security team excelled at stopping our phishing attempts, none of the other penetration activity outside those two attempts was blocked anywhere.

The Findings

Our team was two connections away from achieving complete domain control over the company's entire network. This sampling suggested a critical level of cybersecurity risk to all of their network-based computer operations. Our team submitted a specific set of recommendations to mitigate that risk.

During our limited engagement, our team:

  • Discovered multiple "links" enabling us to bypass the company's security appliance;
  • Found six high-risk vulnerabilities, including SQL injection and command execution, indicating that a comprehensive review of the entire network would reveal additional high-risk vulnerabilities;
  • Compromised 21 computers and gained credentials that could have compromised 100 more during the test;
  • Had system privileges on all compromised systems, which enabled full admin privileges everywhere and across all networks;
  • Compromised 50 user credentials - 50 clear-text passwords and account hashes - that we were able to use to log into OWA (the web version of Outlook) and several other systems we tested, including the company's POS and order entry systems;
  • Was also able to log into Outlook mail on those compromised accounts and move laterally in the network while accessing the external OWA to validate that external path;
  • Was two connections away from achieving complete domain control over the entire network.

In summary, we found 13 actionable issues of varying severity that, when remediated, would significantly reduce the risk of successful cyberattacks.

Fixes Are Affordable

Keep in mind: A six-week red-team pen test and vulnerability assessment costs roughly $50,000, and software that would improve the ability to detect and respond to threats would cost about $150,000 a year.

This is a reasonable amount of money to spend when compared to the potential cost of a payment card-related data breach, including lawsuits and hefty remediation costs.

For example, big box retailer Target spent $18.5 million just to settle 47 state lawsuits, not to mention other hefty costs, after its mega-breach. And Home Depot paid $19.5 million for lawsuit settlements and fines after its breach.

Spending a relatively small amount to ensure that known vulnerabilities and protection gaps are addressed is, indeed, a good investment.
