Why testing is vital to keep organizations secure [Q&A]


Everyone knows that business systems are a target for a range of attackers. But it's easy to become complacent about security, and finding vulnerabilities can be difficult.

Testing your security is therefore vital, and can uncover things that you might not otherwise be aware of.

We spoke to Richard Hughes, head of technical cyber security at security and managed services company A&O IT Group, to find out some of the things enterprises can do to keep themselves secure and how 'red team' testing events can uncover some surprising vulnerabilities.

BN: Why can security testing, like phishing exercises for example, prove controversial?

RH: You're referring to the Network Rail incident, right? That's an interesting one because what they did is absolutely a real life scenario. You have to have that assessment as true to life as possible, as it's supposed to be a realistic attack simulation. So that's a technique we would usually employ: anything that you think someone will click on, you will try, as that's exactly what a real attacker would have done.

BN: A lot of attacks, like the current wave of courier scams, are a bit scattergun, aren't they?

RH: The courier one is quite big at the moment, trying to get you to install applications on your mobile phone, and if you do that then all bets are off. COVID is big at the moment too. The attackers are intelligent; they know what to put in those emails to get the best responses.

Constant training and refreshing of staff knowledge is needed to keep them thinking about it. If an attack is particularly targeted then the chances of avoiding it are much lower, but there are a number of things you can do. We have a training course that we run, just taking people through some examples of stuff that we've found in real cases, and we highlight why you should actually notice that there's a phishing scam, or we highlight what type of email will try to instill a certain sense of urgency to catch people off guard, like, "You're going to be charged X amount unless you reply to this or click this straight away."

But if I want to target you specifically, I'm going to get your information from LinkedIn profiles and Instagram photos and anything else you've published online. I'm going to try and understand what your position is at work, I'm going to understand who you may be dealing with. It might be that this would take weeks or potentially months, but almost certainly we're going to get you on something.

BN: A lot of security issues at the moment arise from misconfigurations. How can testing target those?

RH: You can do a separate assessment type, in which you look at the configuration of services or cloud environments against set benchmarks. This can be done at different levels; level one is normally acceptable for the majority of companies. Obviously if you were a military installation or something particularly high security, then you would go to much higher levels.

Configuration review is really important in firewalls because those rules are getting changed quite frequently. It's important to always keep a register of what rules you've got and why you've got them. If you think it's a temporary rule, that rule should expire, and there should be a regular process of actually stepping through that. Even when rules don't expire you should actually re-evaluate them at least on an annual basis.

BN: How about software? Your operating system may get updated regularly, but your accounts system might not.

RH: One thing you can do is Cyber Essentials certification. This is backed by the UK's National Cyber Security Centre, and is something that a lot of companies will ask for if they want to do business with you.

You also have to be prepared to deal with zero day threats and act on them quickly. So it's not really good having a monthly, or even less frequent, patching schedule. Someone needs to be responsible and to understand which patches they should be looking at. But you'll find a lot of smaller businesses don't have any security team, or anyone in IT for that matter. So they're not aware when Microsoft is doing something for Exchange, whereas with desktops maybe it's a bit more obvious. So they fall by the wayside, and I think we cannot state enough how critical it is to patch as tightly as possible.

There are other complications with software-as-a-service, where you don't get the option to check if something is right for you, because you weren't expecting it to change. Having said that, for the majority of smaller businesses, software-as-a-service, providing that you're satisfied with the supplier handling what's happening, is probably a better way to go. When we're doing assessments we see fewer issues there, because when that service is being provided, nine times out of 10 they are on the ball to upgrade the software.

BN: What about guarding against insider threats?

RH: That's kind of twofold, because there are malicious insiders, but a greater volume comes from the unintentional insider threat, when a member of staff, for example, clicks on a phishing email when they shouldn't. The greatest threat is intentionally malicious software that's trying to exfiltrate data. Desktop machines should be locked down by policies so that you know only trusted members of staff can install software.

It's important that old accounts have been shut down too, so you need to have a decent joiners and leavers process, and that includes changing roles within the company as well. Of course it becomes much more complicated when dealing with people working from home, where we've just seen the attack surface grow exponentially, and in the cloud, where systems can be accessed from anywhere and you cannot really control devices that have been granted access.

BN: How about physical risks, are they often overlooked?

RH: It's amazing how many people are sitting in office buildings that are not very well secured. Companies think about their firewalls and intrusion prevention systems on the network, but don't realize that someone might just walk into the building and plug a box in inside that protection. If I can enter a building and I've got a drop box -- which is a small computer -- that I can introduce onto the network, the perimeter defenses won't work because I'm inside already.

I don't think we've actually had a 'red team' event yet where we haven't been able to get inside a company without being detected. We've had major banks where we've just walked in off the street into their offices and stayed way after everyone's gone home. We've then literally done desk searches for people who have written down passwords. And remember, as I said earlier, attackers are clever. If they hit a brick wall, or a hurdle, then they'll pause at that point and take time to think how they're going to get past it.
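The firewall rule register that Hughes describes above (a record of every rule and why it exists, expiry dates on temporary rules, and a periodic step-through with at least an annual re-evaluation) is easy to keep as structured data and check mechanically. The following is an added example written for this article, not code from the interview or from A&O IT Group: the register layout, the field names and the sample rules are constructed assumptions, and the one-year review interval is taken from the interview's "at least on an annual basis".

```python
"""Audit a firewall rule register for expired, unreviewed or unjustified rules.

Added example, not from the interview. The register format below is an
assumption: one record per rule with an owner, a written reason, a
temporary flag with an expiry date, and the date it was last reviewed.
Dates are ISO strings so the register can live in a plain CSV/JSON file.
"""
from datetime import date, timedelta

# Constructed sample register (assumption): four rules, three with problems.
RULE_REGISTER = [
    {"id": "FW-001", "rule": "allow tcp any -> 10.0.1.10:443", "owner": "web-team",
     "reason": "public web front end", "temporary": False,
     "expires": None, "last_reviewed": "2024-02-01"},
    {"id": "FW-002", "rule": "allow tcp 203.0.113.5 -> 10.0.2.20:22", "owner": "ops",
     "reason": "vendor SSH for migration", "temporary": True,
     "expires": "2024-03-31", "last_reviewed": "2024-03-01"},
    {"id": "FW-003", "rule": "allow tcp any -> 10.0.3.30:3389", "owner": "",
     "reason": "", "temporary": False,
     "expires": None, "last_reviewed": "2022-11-15"},
    {"id": "FW-004", "rule": "allow udp any -> 10.0.4.40:53", "owner": "infra",
     "reason": "internal DNS", "temporary": True,
     "expires": None, "last_reviewed": "2024-05-01"},
]

# Re-evaluate every rule at least annually (interval from the interview).
REVIEW_INTERVAL = timedelta(days=365)


def audit_rules(register, today, review_interval=REVIEW_INTERVAL):
    """Return {rule_id: [findings]} for every rule the review should act on.

    `today` is an ISO date string; rules with no findings are omitted.
    """
    today_d = date.fromisoformat(today)
    findings = {}
    for r in register:
        issues = []
        # Every rule needs a named owner and a written justification.
        if not r["owner"] or not r["reason"]:
            issues.append("no owner or justification recorded")
        # Temporary rules must carry an expiry date, and expired ones
        # should already have been removed from the firewall.
        if r["temporary"]:
            if r["expires"] is None:
                issues.append("temporary rule has no expiry date")
            elif date.fromisoformat(r["expires"]) < today_d:
                issues.append(f"expired on {r['expires']} but still present")
        # Permanent rules still get re-evaluated on a fixed cadence.
        last = date.fromisoformat(r["last_reviewed"])
        if today_d - last > review_interval:
            issues.append(f"not reviewed since {r['last_reviewed']}")
        if issues:
            findings[r["id"]] = issues
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit_rules(RULE_REGISTER, "2024-06-01").items():
        for issue in issues:
            print(f"{rule_id}: {issue}")
```

Run against the sample register on 2024-06-01, the audit reports FW-002 as an expired temporary rule that is still present, FW-003 as having no owner or justification and no review for over a year, and FW-004 as a temporary rule with no expiry date; FW-001 passes. Feeding the script the live rule set exported from the firewall, rather than the register alone, would also catch rules that exist on the device but were never registered, which is the drift the interview warns about.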

Image credit: Den Rise/ Shutterstock


© 1998-2024 BetaNews, Inc. All Rights Reserved.